In a blog post on Thursday, GitHub security researcher Kevin Backhouse recounted how he found the bug (CVE-2021-3560) in a service called
polkit associated with systemd, a common Linux system and service
Introduced in commit bfa5036 seven years ago and initially shipped in
polkit version 0.113, the bug traveled different paths in different
Linux distributions. For example, it missed Debian 10 but it made it to
the unstable version of Debian, upon which other distros like Ubuntu are
Formerly known as PolicyKit, polkit is a service that evaluates whether specific Linux activities require higher privileges than those currently available. It comes into play if, for example, you try to create a new
This "feature" should be DISABLED anyway. Windows UAC is NOT good for
Linux. We already have 'sudo' and it can be SENSIBLY configured.
Backhouse says the flaw is surprisingly easy to exploit, requiring only
a few commands using standard terminal tools like bash, kill, and dbus-send.
"The vulnerability is triggered by starting a dbus-send command but
killing it while polkit is still in the middle of processing the
request," explained Backhouse.
Killing dbus-send – an interprocess communication command – in the midst
of an authentication request causes an error that arises from polkit
asking for the UID of a connection that no longer exists (because the connection was killed).
"In fact, polkit mishandles the error in a particularly unfortunate way:
rather than rejecting the request, it treats the request as though it
came from a process with UID 0," explains Backhouse. "In other words, it immediately authorizes the request because it thinks the request has
come from a root process."
and then executes it as ROOT and does what the attacker wants.
(FUCKING SYSTEMD AND THE SHIT THAT GOES WITH IT)
(Yeah I use Devuan)
(aka 'Bombastic Bob' in case you wondered)
'Feeling with my fingers, and thinking with my brain' - me
'your story is so touching, but it sounds just like a lie'
"Straighten up and fly right"
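The error-handling pattern the quoted article describes, written out as an added example that is not polkit's code and not part of the original post: the connection table, the `lookup_uid` stand-in for the D-Bus UID query and both `authorize_*` functions are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the bus's view of connected senders (not polkit
 * or D-Bus code). One live unprivileged client, and one whose sending
 * process was killed while the request was still being processed. */
typedef struct { const char *name; unsigned uid; bool alive; } conn_t;

static const conn_t conns[] = {
    { ":1.42", 1000, true  },
    { ":1.43", 1000, false },
};

/* Stand-in for asking the bus for a sender's UID. Returns 0 on success and
 * -1 when the connection no longer exists, the error case the article
 * describes. */
static int lookup_uid(const char *sender, unsigned *uid_out) {
    for (size_t i = 0; i < sizeof conns / sizeof conns[0]; i++) {
        if (strcmp(conns[i].name, sender) == 0 && conns[i].alive) {
            *uid_out = conns[i].uid;
            return 0;
        }
    }
    return -1;
}

/* Vulnerable shape: uid is pre-initialised to 0 and the lookup's return
 * value is discarded, so a vanished sender is treated as UID 0 (root)
 * and the request is authorised. */
bool authorize_vulnerable(const char *sender) {
    unsigned uid = 0;
    lookup_uid(sender, &uid);           /* error ignored */
    return uid == 0;                    /* "root" is always allowed */
}

/* Hardened shape: a failed lookup is an error, not an identity. The request
 * is rejected unless the UID was positively determined to be 0. */
bool authorize_hardened(const char *sender) {
    unsigned uid;
    if (lookup_uid(sender, &uid) != 0)
        return false;                   /* unknown caller: deny */
    return uid == 0;
}

int main(void) {
    printf("vulnerable, dead sender: %d\n", authorize_vulnerable(":1.43"));
    printf("hardened,   dead sender: %d\n", authorize_hardened(":1.43"));
    return 0;
}
```

The only difference between the two functions is whether the lookup failure is checked; the live unprivileged client is denied by both, while the killed one is authorised only by the vulnerable version.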