1. Forum
  2. Usenet
  3. ALT.HACKER

  • systemd strikes again - polkit bug = security crater

    From Big Bad Bob@21:1/5 to All on Fri Jun 11 12:13:11 2021
    https://www.theregister.com/2021/06/11/linux_polkit_package_patched/

    <quote>
    In a blog post on Thursday, GitHub security researcher Kevin Backhouse recounted how he found the bug (CVE-2021-3560) in a service called
    polkit associated with systemd, a common Linux system and service
    manager component.

    Introduced in commit bfa5036 seven years ago and initially shipped in
    polkit version 0.113, the bug traveled different paths in different
    Linux distributions. For example, it missed Debian 10 but it made it to
    the unstable version of Debian, upon which other distros like Ubuntu are
    based.

    Formerly known as PolicyKit, polkit is a service that evaluates whether specific Linux activities require higher privileges than those currently available. It comes into play if, for example, you try to create a new
    user account.
    </quote>

    This "feature" should be DISABLED anyway. Windows UAC is NOT good for
    Linux. We already have 'sudo' and it can be SENSIBLY configured.

    <quote>
    Backhouse says the flaw is surprisingly easy to exploit, requiring only
    a few commands using standard terminal tools like bash, kill, and dbus-send.

    "The vulnerability is triggered by starting a dbus-send command but
    killing it while polkit is still in the middle of processing the
    request," explained Backhouse.

    Killing dbus-send – an interprocess communication command – in the midst
    of an authentication request causes an error that arises from polkit
    asking for the UID of a connection that no longer exists (because the connection was killed).

    "In fact, polkit mishandles the error in a particularly unfortunate way:
    rather than rejecting the request, it treats the request as though it
    came from a process with UID 0," explains Backhouse. "In other words, it immediately authorizes the request because it thinks the request has
    come from a root process."
    </quote>

    and then executes it as ROOT and does what the attacker wants.

    (FUCKING SYSTEMD AND THE SHIT THAT GOES WITH IT)

    (Yeah I use Devuan)


    --
    (aka 'Bombastic Bob' in case you wondered)

    'Feeling with my fingers, and thinking with my brain' - me

    'your story is so touching, but it sounds just like a lie'
    "Straighten up and fly right"

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)