[HN Gopher] Pwnkit: Local Privilege Escalation in polkit's pkexe...
___________________________________________________________________
Pwnkit: Local Privilege Escalation in polkit's pkexec (CVE-2021-4034)
Author : todsacerdoti
Score  : 83 points
Date   : 2022-01-25 20:05 UTC (2 hours ago)
(HTM) web link (seclists.org)
(TXT) w3m dump (seclists.org)

| jiripospisil wrote:
| https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c...
|
|   southerntofu wrote:
|   I'm not good enough to guess the exploit, but the fix is simple
|   enough that I consider that a nice find!
|
|   [deleted]

| tedunangst wrote:
| For people who don't like seclists formatting.
|
| https://marc.info/?l=oss-security&m=164313339424946&w=2
|
|   hsbauauvhabzb wrote:
|   I don't mind seclists format, but the black text overflows onto
|   a dark blue background on my iPhone 13 making it unusable.
|   Thanks.
|
|   jwilk wrote:
|   For people who don't like MARC formatting either:
|
|   https://www.openwall.com/lists/oss-security/2022/01/25/11
|
|   https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt

| Klasiaster wrote:
| I wonder why it even is a setuid binary since there already is a
| privileged service it interacts with (through DBus). I think we
| should replace all setuid binaries with a scheme of having a
| privileged service that acts on the requests of unprivileged
| processes. With Unix Domain Sockets and SO_PEERCRED the
| unprivileged process user can be identified (but less info is
| available than with a setuid binary). This could even work with
| sudo, but the difference is that the privileged service would not
| spawn a child service but rather hand out the stdin/err/out FDs
| to the unprivileged process; again, this works with Unix Domain
| Sockets.

| tptacek wrote:
| What a glorious little bug. They're trying to scan arguments, and
| have a loop that starts with (effectively) argv[1]. But if argv
| is NULL, the loop terminates immediately --- with the maximum
| argument still set to 1, an out-of-bounds dereference to argv[1]
| that ends up pointing into the environment. Just beautiful.
|
|   [deleted]

| kator wrote:
| > pkexec is installed by default on all major Linux distributions
| > (we exploited Ubuntu, Debian, Fedora, CentOS, and other
| > distributions are probably also exploitable);
|
| I don't find it on any of the servers I manage; it appears to be
| installed with graphical desktop only?
|
|   tomputer wrote:
|   Can confirm. I just checked Debian 7/8/9/10/11 servers and none
|   has pkexec (or policykit-1) installed.
|
|   throwaway984393 wrote:
|   Policykit's sole purpose is to provide an abstraction to let
|   modern X server applications press a suspend or power off
|   button. It's the same kind of garbage as DBus. The modern Linux
|   desktop is absurd.
|
|     ismaildonmez wrote:
|     Confidently incorrect.
|
|     foxfluff wrote:
|     Why does pipewire depend on it? Otherwise I'd just remove it
|     right now.
|
|       throwaway984393 wrote:
|       Sigh... Because systemd, dbus, polkit, pulseaudio, rtkit,
|       etc. are invasive weeds. Apps now depend on them exclusively
|       so often that you have to provide some shim to replace
|       their ABI if you don't want to use those components. I
|       can't remember the specifics, but pipewire probably only
|       casually references it as part of a compatibility layer. In
|       Alpine I'm pretty sure you can run pipewire without polkit,
|       but I'd have to check.
|
|       jcelerier wrote:
|       I'd guess it's because pipewire needs to access real-time
|       capabilities of the kernel to enable low-latency audio, and
|       those are only accessible as root sadly AFAIK (thus polkit,
|       because pipewire does not run as root so there has to be
|       _something_ to grant the capacity to pw).
|
|     mhitza wrote:
|     A bunch of things on a modern desktop Linux system depend
|     on it. Disregard what the user you replied to said, as
|     polkit is a system to delegate elevated permission grants
|     from GUI applications.
|
|     A GUI sudo if you will, with XML and JavaScript code for
|     its configuration files.
|
|     I'm not near my computer, but I would guess pipewire (as it
|     usually runs within the user's session) might rely on it to
|     access the sound hardware without needing to run as root.
|     But just guessing.
|
|       foxfluff wrote:
|       The only things on my system that depend on it are
|       pipewire and xorg-x11-drv-intel (which I don't need). It
|       doesn't sound like you should need a GUI sudo with XML
|       and JavaScript for audio..
|
|       0xbadcafebee wrote:
|       It does appear to exist solely to let users use their own
|       local hardware (because a user being a part of group
|       'audio' wasn't a thing before?)
|
|       https://wiki.debian.org/PolicyKit
|
|       > PolicyKit is an application-level toolkit for defining
|       > and handling the policy that allows unprivileged
|       > processes to speak to privileged processes, in order to
|       > grant some user the right to perform some tasks in some
|       > situations. It is sometimes referred to as "the
|       > sudo of systemd". Sample uses:
|       > - Let the user Hibernate and shutdown the computer.
|       > - Let the user manage (Wireless) connections.
|       > - Let the user mount/eject a removable media (CD/DVD, USB
|       >   keys...)
|       > - Let the user access devices, like audio, scanner, etc.
|
|       And, wow, they really actually did use XML as their
|       configuration:
|
|         <match action="org.freedesktop.hal.storage.mount-fixed">
|           <match user="davidz">
|             <return result="yes"/>
|           </match>
|           <match user="freddy">
|             <return result="no"/>
|           </match>
|         </match>
|
|     skeptical1 wrote:
|     Yes, this is exactly why I don't run any of this crap on my
|     distro. No dbus, no polkit, no systemd, nothing. Computer
|     security is already enough of a nightmare without all this
|     crap added on and linked in to everything.

| blibble wrote:
| Seems libvirt-daemon pulls it in too.

| staticassertion wrote:
| POC (tweet + direct link)
|
| https://twitter.com/bl4sty/status/1486092552755466242
|
| https://haxx.in/files/blasty-vs-pkexec.c
|
|   aftbit wrote:
|   I get:
|
|     [~] compile helper..
|     [~] maybe get shell now?
|     The value for environment variable XAUTHORITY contains suscipious content
|     This incident has been reported.
|
|   And no root shell.

| shaded-enmity wrote:
| I haven't touched this in a long time, but isn't the attack
| vector essentially the same as in Vortex lvl 4?
| https://overthewire.org/wargames/vortex/vortex4.html

| getcrunk wrote:
| This sounds like a bug class some type of source code scanner
| should be able to pick up?

| ape4 wrote:
| Wow, it seems like there should be some ironclad / redundant
| argument parsing in sudo-like programs.
___________________________________________________________________
(page generated 2022-01-25 23:00 UTC)
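The mechanism tptacek describes (a scan loop starting at argv[1] that never runs when argc is 0, leaving an index that reads past argv into the environment) and the "redundant argument parsing" ape4 asks for can both be shown on a constructed memory layout. The program below is an added example, not code from the thread, from pkexec or from the polkit fix commit: it models the kernel's argv/envp stack layout in a static array, runs a simplified scanner over it in its unguarded form, and then in a form that checks `argc < 1` first. The scanner and the `stack_model` array are assumptions made for illustration; no program is actually started with an empty argument list.

```c
/* Added example (not from the thread, pkexec, or the polkit fix): a model of
 * the argument-scanning pattern discussed above, run on a constructed
 * memory layout, beside a guarded version that rejects argc == 0. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed layout. On Linux the kernel lays out argv[] and envp[] back to
 * back: argv[0..argc-1], a NULL terminator, then envp[0..], NULL.  With
 * argc == 0 the array starts with the NULL terminator, so argv[1] is the
 * same cell as envp[0].  These strings are made up for the example. */
static char *stack_model[] = {
    NULL,                      /* argv[0] == NULL when argc == 0 */
    "CONSTRUCTED_VAR=value",   /* envp[0]; reached as argv[1] out of bounds */
    "HOME=/home/example",      /* envp[1] */
    NULL,
};

/* Simplified scanner: skip leading option-like arguments ("-x"), then treat
 * argv[n] as the command to run.  This is a model of the loop shape tptacek
 * describes, not pkexec's code. */
const char *scan_unguarded(int argc, char *argv[])
{
    int n;
    for (n = 1; n < argc; n++) {
        if (argv[n][0] != '-')
            break;
    }
    /* With argc == 0 the loop body never runs, n is still 1, and argv[1]
     * is read past the end of the argument vector. */
    return argv[n];
}

/* Hardened form: refuse to proceed without argv[0], and never index past
 * the NULL terminator even if the loop runs off the end. */
const char *scan_guarded(int argc, char *argv[])
{
    int n;
    if (argc < 1 || argv[0] == NULL)
        return NULL;            /* reject, as the fix does */
    for (n = 1; n < argc && argv[n] != NULL; n++) {
        if (argv[n][0] != '-')
            break;
    }
    return (n < argc) ? argv[n] : NULL;
}

/* Returns 1 when the unguarded scanner, given argc == 0, hands back the
 * cell that belongs to the environment region of the model. */
int unguarded_reads_environment(void)
{
    char **argv = stack_model;       /* argc == 0 view of the layout */
    char **envp = stack_model + 1;   /* envp starts right after argv's NULL */
    const char *picked = scan_unguarded(0, argv);
    return picked != NULL && picked == envp[0];
}

/* Returns 1 when the guarded scanner rejects the same argc == 0 layout. */
int guarded_rejects_empty_argv(void)
{
    return scan_guarded(0, stack_model) == NULL;
}

/* Returns 1 when, on an ordinary argument list, both scanners agree. */
int normal_case_picks_command(void)
{
    char *argv[] = { "prog", "-x", "cmd", NULL };   /* constructed */
    const char *a = scan_unguarded(3, argv);
    const char *b = scan_guarded(3, argv);
    return a != NULL && b != NULL && strcmp(a, "cmd") == 0 && strcmp(b, "cmd") == 0;
}

int main(void)
{
    printf("unguarded scanner reads environment at argc==0: %s\n",
           unguarded_reads_environment() ? "yes" : "no");
    printf("guarded scanner rejects argc==0: %s\n",
           guarded_rejects_empty_argv() ? "yes" : "no");
    printf("both scanners pick \"cmd\" on a normal argv: %s\n",
           normal_case_picks_command() ? "yes" : "no");
    return 0;
}
```

The guarded version does two things the unguarded one does not: it refuses an empty argument vector outright (the one-line check the fix commit adds), and it also stops at the NULL terminator inside the loop, so a future change to the loop's starting index cannot reintroduce the same out-of-bounds read. That second, redundant bound is the kind of belt-and-braces check a static analyzer can also be taught to look for.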