• polkit vulnerability - pkexec

    From Big Bad Bombastic Bob@21:1/5 to All on Wed Jan 26 17:00:08 2022
    https://www.theregister.com/2022/01/26/pwnkit_vulnerability_linuix/

    "Linux vendors on Tuesday issued patches for a memory corruption
    vulnerability in a component called polkit that allows an unprivileged
    logged-in user to gain full root access on a system in its default
    configuration."

    A coding error that allows 'argc == 0' to create a vulnerability in
    pkexec has very very very recently been patched in FreeBSD and several
    Linux distros (more to come, no doubt).

    In case anyone has any question, you can make this happen with the
    following code:

    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <errno.h>

    extern char **environ;

    int main(int argc, char *argv[])
    {
        /* An argv with NO entries at all, not even argv[0]: the target
           program starts with argc == 0.  (Only the terminating NULL is
           needed; the second NULL is harmless padding.) */
        char *arg[2] = {NULL, NULL};
        int i1;

        /* execve() only returns if the exec itself failed */
        i1 = execve("/path/to/the/application", arg, environ);

        // in case it fails
        printf("i1 is %d, errno is %d\n", i1, errno);

        return 0;
    }


    I used this to test it, and it ran with argc == 0:

    #include <stdio.h>

    int main(int argc, char *argv[])
    {
        /* Launched by the program above this prints "argc = 0".  Note that
           argv[0] is NULL in that case, so it must not be dereferenced. */
        printf("argc = %d\n", argc);
        return 0;
    }


    The point of showing this is not to allow some cracker to exploit with
    it (you would need shell access and compiler capability to use it
    anyway). The point is to GET PEOPLE TO PATCH any system that might be
    affected. And it's worth pointing out the bug as a reminder to NEVER
    assume that argc is always >= 1.


    The bug is in pkexec.c where a loop looks for arguments, and then code
    is executed where 'n == 1' - and it is supposed to be the next argument
    after the switches, sorta like getopt might do. Except for some reason
    it is NOT using getopt.

    Instead, in the next section something accesses argv[n] where n is 1,
    argc is zero. Oops. It most likely points to the environment, where a
    carefully crafted environment block could easily make it do bad things.

    Or, it might end up in buffer overrun territory. Both are bad.

    FreeBSD patched it (sysutils/polkit) a few hours before I read the
    article. Also being discussed: a kernel patch to DISALLOW argc==0, which
    nobody is supposed to EVAR be doing anyway. OpenBSD apparently already
    does this.

    Pretty much all Linux installations with a GUI or systemd will have
    polkit, as does FreeBSD with a GUI.



    As some have pointed out, might be time to do a code review on OLD code,
    too... at least for basic programming SNAFUs like THIS one.


    --
    (aka 'Bombastic Bob' in case you wondered)

    'Feeling with my fingers, and thinking with my brain' - me

    'your story is so touching, but it sounds just like a lie'
    "Straighten up and fly right"

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
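Editor's added example (not part of Bob's post, and not pkexec's own code): a C program that models the argument walk described in the post, side by side with a hardened version, and re-execs itself with an empty argv to show where argv[1] lands when argc == 0. The switch-skipping loop is a simplification (it treats every leading word starting with '-' as a switch; the real pkexec matches specific option names); the function names are hypothetical; and the demo assumes the standard process layout in which argv[argc] is NULL and envp starts right after it, plus an argv[0] that can be exec'd again (e.g. run it as ./argc0demo).

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/*
 * Stand-in for the pkexec argument walk described in the post (simplified:
 * every leading word starting with '-' is treated as a switch).  After the
 * walk, argv[n] is taken as the program to run.  With argc == 0 the loop
 * body never executes, n stays 1, and argv[1] is the slot just past the
 * argv-terminating NULL, which on a standard process stack is envp[0].
 * pkexec also writes the resolved path back into argv[n], so the stray
 * read is followed by a stray write into the environment block.
 */
const char *vulnerable_pick_program(int argc, char **argv)
{
    int n = 1;
    while (n < argc && argv[n][0] == '-')
        n++;
    return argv[n];            /* out of bounds when argc == 0 */
}

/* Hardened version: never assume argc >= 1, never index past argv[argc]. */
const char *safe_pick_program(int argc, char **argv)
{
    if (argc < 1 || argv == NULL)
        return NULL;           /* argc == 0 exec: refuse outright */
    int n = 1;
    while (n < argc && argv[n][0] == '-')
        n++;
    if (n >= argc)
        return NULL;           /* only switches, no program named */
    return argv[n];
}

/*
 * Stand-alone demo: re-exec ourselves with an empty argv (argc == 0) and
 * report where argv[1] points.  Assumes argv[0] is a path we can exec
 * again.  A kernel that rewrites an empty argv (Linux 5.18+ substitutes a
 * single "") is detected via an environment marker and reported instead.
 */
int main(int argc, char **argv)
{
    if (argc == 0) {
        const char *v = vulnerable_pick_program(argc, argv);
        const char *s = safe_pick_program(argc, argv);
        printf("argc == 0; argv[1] = \"%s\"\n", argv[1] ? argv[1] : "(null)");
        printf("argv[1] == environ[0]: %s\n",
               argv[1] == environ[0] ? "yes" : "no");
        printf("vulnerable walk would run: %s\n", v ? v : "(null)");
        printf("hardened walk: %s\n", s ? s : "(refused)");
        return 0;
    }
    if (getenv("ARGC0_DEMO") != NULL) {
        printf("re-exec'd with empty argv but argc == %d (argv[0] = \"%s\"): "
               "the kernel rewrote argv\n", argc, argv[0]);
        return 0;
    }
    /* First run: set a marker so a patched kernel cannot loop us forever. */
    setenv("ARGC0_DEMO", "1", 1);
    char *noargs[] = { NULL };
    execve(argv[0], noargs, environ);
    printf("execve failed: %s\n", strerror(errno));
    return 1;
}
```

Compile with `cc -o argc0demo argc0demo.c` and run it as `./argc0demo`. On an unpatched kernel the second run prints the first environment string as argv[1], which is exactly the slot the vulnerable walk hands to the "program to execute" logic; the hardened walk refuses instead.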