polkit -- local privilege escalation using polkit_system_bus_name_get_creds_sync

Cedric Buissart reports:

The function polkit_system_bus_name_get_creds_sync is used to get the
uid and pid of the process requesting the action. It does this by
sending the unique bus name of the requesting process, which is
typically something like “:1.96”, to dbus-daemon. These unique names
are assigned and managed by dbus-daemon and cannot be forged, so this
is a good way to check the privileges of the requesting process.
The vulnerability happens when the requesting process disconnects from
dbus-daemon just before the call to
polkit_system_bus_name_get_creds_sync starts. In this scenario, the
unique bus name is no longer valid, so dbus-daemon sends back an error
reply. This error case is handled in
polkit_system_bus_name_get_creds_sync by setting the value of the
error parameter, but it still returns TRUE, rather than FALSE.
This behavior means that all callers of
polkit_system_bus_name_get_creds_sync need to carefully check whether
an error was set. If the calling function forgets to check for errors
then it will think that the uid of the requesting process is 0 (because
the AsyncGetBusNameCredsData struct is zero initialized). In other
words, it will think that the action was requested by a root process,
and will therefore allow it.