[HN Gopher] Pwnkit: Local Privilege Escalation in polkit's pkexe...
___________________________________________________________________
Pwnkit: Local Privilege Escalation in polkit's pkexec
(CVE-2021-4034)
Author : todsacerdoti
Score : 83 points
Date : 2022-01-25 20:05 UTC (2 hours ago)
(HTM) web link (seclists.org)
(TXT) w3m dump (seclists.org)
| jiripospisil wrote:
| https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c...
| southerntofu wrote:
| I'm not good enough to guess the exploit, but the fix is simple
| enough that I consider that a nice find!
| [deleted]
| tedunangst wrote:
| For people who don't like seclists formatting.
|
| https://marc.info/?l=oss-security&m=164313339424946&w=2
| hsbauauvhabzb wrote:
| I don't mind seclists format, but the black text overflows onto
| a dark blue background on my iPhone 13 making it unusable.
| Thanks.
| jwilk wrote:
| For people who don't like MARC formatting either:
|
| https://www.openwall.com/lists/oss-security/2022/01/25/11
|
| https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
| Klasiaster wrote:
| I wonder why it even is a setuid binary since there already is a
| privileged service it interacts with (through DBus). I think we
| should replace all setuid binaries with a scheme of having a
| privileged service that acts on the requests of unprivileged
| processes. With Unix Domain Sockets and SO_PEERCRED the
| unprivileged process user can be identified (but less info is
| available than with a setuid binary). This could even work with
| sudo but the difference is that the privileged service would not
| spawn a child service but rather hand out the stdin/err/out FDs
| to the unprivileged process, again this works with Unix Domain
| Sockets.
| tptacek wrote:
| What a glorious little bug. They're trying to scan arguments, and
| have a loop that starts with (effectively) argv[1]. But if argv
| is NULL, the loop terminates immediately --- with the maximum
| argument still set to 1, an out-of-bounds dereference to argv[1]
| that ends up pointing into the environment. Just beautiful.
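| An added illustration (not polkit's code and not from the thread) of
| the loop shape described above, beside the check that closes it. The
| "process memory" is a constructed array standing in for argv followed
| by the environment, so the read stays in bounds for C while showing
| what the real layout makes the unchecked scan return when argc == 0:
| the first environment string, which sits right after argv's NULL
| terminator. The option syntax (flags start with "--") is simplified
| for the example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the argv/envp region of a process started
 * with argc == 0: argv[0] is the NULL terminator, and what follows is
 * the environment (assumption: contiguous, as execve lays them out). */
static char *const fake_region[] = { NULL, "EXAMPLE_VAR=value", NULL };

/* Pre-fix shape of the scan: start at index 1 and skip leading options.
 * With argc == 0 the loop body never runs, n stays 1, and argv[1] is
 * read even though argv holds only its NULL terminator. */
const char *scan_program_arg_unchecked(int argc, char *const argv[])
{
    int n = 1;
    for (; n < argc; n++) {
        if (strncmp(argv[n], "--", 2) != 0)
            break;                 /* first non-option: the program */
    }
    return argv[n];                /* out of bounds when argc == 0 */
}

/* Hardened shape: refuse argc < 1 / argv[0] == NULL before indexing,
 * and never hand back argv[argc] (the NULL terminator) as a program. */
const char *scan_program_arg_checked(int argc, char *const argv[])
{
    if (argc < 1 || argv == NULL || argv[0] == NULL)
        return NULL;               /* caller broke the exec contract */
    int n = 1;
    for (; n < argc; n++) {
        if (strncmp(argv[n], "--", 2) != 0)
            break;
    }
    if (n >= argc)
        return NULL;               /* no program named: nothing to run */
    return argv[n];
}
```

| The first guard is the one the fix adds; the second is the
| redundant check a later commenter asks for, so that even a scan
| that walks off the end of the options returns "nothing" rather
| than the NULL terminator.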
| [deleted]
| kator wrote:
| > pkexec is installed by default on all major Linux distributions
| > (we exploited Ubuntu, Debian, Fedora, CentOS, and other
| > distributions are probably also exploitable);
|
| I don't find it on any of the servers I manage, it appears to be
| installed with graphical desktop only?
| tomputer wrote:
| Can confirm. I just checked Debian 7/8/9/10/11 servers and none
| has pkexec (or policykit-1) installed.
| throwaway984393 wrote:
| Policykit's sole purpose is to provide an abstraction to let
| modern X server applications press a suspend or power off
| button. It's the same kind of garbage as DBus. The modern Linux
| desktop is absurd.
| ismaildonmez wrote:
| Confidently incorrect.
| foxfluff wrote:
| Why does pipewire depend on it? Otherwise I'd just remove it
| right now.
| throwaway984393 wrote:
| Sigh... Because systemd, dbus, polkit, pulseaudio, rtkit,
| etc are invasive weeds. Apps now depend on them exclusively
| so often that you have to provide some shim to replace
| their ABI if you don't want to use those components. I
| can't remember the specifics but pipewire probably only
| casually references it as part of a compatibility layer. In
| Alpine I'm pretty sure you can run pipewire without polkit
| but I'd have to check.
| jcelerier wrote:
| I'd guess it's because pipewire needs to access real-time
| capabilities of the kernel to enable low-latency audio, and
| those are only accessible as root sadly AFAIK (thus polkit,
| because pipewire does not run as root so there has to be
| _something_ to grant the capacity to pw)
| mhitza wrote:
| A bunch of things on a modern desktop Linux system depend
| on it. Disregard what the user you replied to said, as
| polkit is a system to delegate elevated permission grants
| from GUI applications.
|
| A GUI sudo if you will, with XML and JavaScript code for
| its configuration files.
|
| I'm not near my computer, but I would guess pipewire (as it
| usually runs within the users session) might rely on it to
| access the sound hardware without needing to run as root.
| But just guessing.
| foxfluff wrote:
| The only things on my system that depend on it are
| pipewire and xorg-x11-drv-intel (which I don't need). It
| doesn't sound like you should need a GUI sudo with XML
| and JavaScript for audio..
| 0xbadcafebee wrote:
| It does appear to exist solely to let users use their own
| local hardware (because a user being a part of group
| 'audio' wasn't a thing before?)
|
| https://wiki.debian.org/PolicyKit
|
| > PolicyKit is an application-level toolkit for defining
| > and handling the policy that allows unprivileged
| > processes to speak to privileged processes, in order to
| > grant some user the right to perform some tasks in some
| > situations. It is sometimes referred to as "the
| > sudo of systemd". Sample uses:
| >
| > - Let the user Hibernate and shutdown the computer.
| > - Let the user manage (Wireless) connections.
| > - Let the user mount/eject a removable media (CD/DVD, USB
| >   keys...)
| > - Let the user access devices, like audio, scanner, etc.
|
| And, wow, they really actually did use XML as their
| configuration:
|
| <match action="org.freedesktop.hal.storage.mount-fixed">
|   <match user="davidz">
|     <return result="yes"/>
|   </match>
|   <match user="freddy">
|     <return result="no"/>
|   </match>
| </match>
| skeptical1 wrote:
| Yes, this is exactly why I don't run any of this crap on my
| distro. No dbus, no polkit, no systemd, nothing. Computer
| security is already enough of a nightmare without all this
| crap added on and linked in to everything.
| blibble wrote:
| seems libvirt-daemon pulls it in too
| staticassertion wrote:
| POC (tweet + direct link)
|
| https://twitter.com/bl4sty/status/1486092552755466242
|
| https://haxx.in/files/blasty-vs-pkexec.c
| aftbit wrote:
| I get:
|
| [~] compile helper..
| [~] maybe get shell now?
| The value for environment variable XAUTHORITY contains suscipious content
| This incident has been reported.
|
| And no root shell
| shaded-enmity wrote:
| I haven't touched this in a long time, but isn't the attack
| vector essentially the same as in Vortex lvl 4?
| https://overthewire.org/wargames/vortex/vortex4.html
| getcrunk wrote:
| This sounds like a bug class some type of source code scanner
| should be able to pick up?
| ape4 wrote:
| Wow, it seems like there should be some ironclad / redundant
| argument parsing in sudo-like programs.
___________________________________________________________________
(page generated 2022-01-25 23:00 UTC)