https://www.theregister.com/2022/01/26/pwnkit_vulnerability_linuix/
"Linux vendors on Tuesday issued patches for a memory corruption
vulnerability in a component called polkit that allows an unprivileged logged-in user to gain full root access on a system in its default configuration."
A coding error that allows 'argc == 0' to create a vulnerability in
pkexec has very very very recently been patched in FreeBSD and several
Linux distros (more to come, no doubt).
In case anyone has any questions, you can make this happen with the
following code:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>

extern char **environ;

int main(int argc, char *argv[])
{
    /* argv for the new image: no argv[0] at all, just the NULL
       terminator, so the target starts life with argc == 0 */
    char *arg[2] = {NULL, NULL};
    int i1;

    i1 = execve("/path/to/the/application", arg, environ);
    /* execve() only returns if it failed */
    printf("i1 is %d, errno is %d (%s)\n", i1, errno, strerror(errno));
    return 1;
}
I used this to test it, and it ran with argc == 0:
#include <stdio.h>

/* target program: just report the argc the kernel handed us */
int main(int argc, char *argv[])
{
    printf("argc = %d\n", argc);
    /* with argc == 0, argv[0] is the NULL terminator and argv[1]
       is already the first environment entry */
    return 0;
}
The point of showing this is not to allow some cracker to exploit with
it (you would need shell access and compiler capability to use it
anyway). The point is to GET PEOPLE TO PATCH any system that might be
affected. And it's worth pointing out the bug as an example of something
to NEVER assume: that argc is always >= 1.
The bug is in pkexec.c, where a loop looks for arguments, and then code
is executed where 'n == 1' - it is supposed to be the next argument
after the switches, sorta like getopt might do. Except for some reason
it is NOT using getopt.
Instead, in the next section something accesses argv[n] where n is 1
and argc is zero. Oops. It most likely points to the environment, where
a carefully crafted environment block could easily make it do bad
things. Or it might end up in buffer overrun territory. Both are bad.
FreeBSD patched it (sysutils/polkit) a few hours before I read the
article. Also being discussed: a kernel patch to DISALLOW argc==0, which
nobody is supposed to EVAR be doing anyway. OpenBSD apparently already
does this.
Pretty much all Linux installations with a GUI or systemd will have
polkit, as does FreeBSD with a GUI.
As some have pointed out, might be time to do a code review on OLD code,
too... at least for basic programming SNAFUs like THIS one.
--
(aka 'Bombastic Bob' in case you wondered)
'Feeling with my fingers, and thinking with my brain' - me
'your story is so touching, but it sounds just like a lie'
"Straighten up and fly right"
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)
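Added example (my own illustration, not code from the post above and not polkit's source): a stand-in for the switch-scanning loop the post describes, beside a hardened version, run against a hand-built argv/envp block laid out the way the kernel lays it out on exec (argv entries, the terminating NULL, then the envp entries back to back). The loop shape, the names buggy_find_path / buggy_fixup_path / safe_find_path, and the "/usr/bin/" prefix that stands in for a path lookup are assumptions made for the demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed replica of the pattern the post describes (NOT pkexec's
 * actual source): skip switches starting at n = 1, then treat argv[n] as
 * the program to run.  On exec the kernel stores argv, its terminating
 * NULL, and envp contiguously, so when argc == 0 the slot argv[1] is
 * the same memory as envp[0].
 */

static char resolved[256];      /* stand-in for a path-lookup result */

/* Buggy: returns argv[n] without ever checking that n < argc. */
static const char *buggy_find_path(int argc, char **argv)
{
    int n;
    for (n = 1; n < argc; n++)
        if (argv[n][0] != '-')
            break;              /* first non-switch is the path */
    return argv[n];             /* argc == 0 -> reads argv[1] == envp[0] */
}

/* Buggy, part two: a relative "path" gets resolved and stored back
 * into argv[n].  With argc == 0 that store lands in envp[0]. */
static const char *buggy_fixup_path(int argc, char **argv)
{
    int n;
    for (n = 1; n < argc; n++)
        if (argv[n][0] != '-')
            break;
    if (argv[n] != NULL && argv[n][0] != '/') {
        /* hypothetical lookup: prefix with a directory */
        snprintf(resolved, sizeof resolved, "/usr/bin/%s", argv[n]);
        argv[n] = resolved;     /* out-of-bounds write when argc == 0 */
    }
    return argv[n];
}

/* Hardened: refuse an empty argv and never index past argc. */
static const char *safe_find_path(int argc, char **argv)
{
    int n;
    if (argc < 1 || argv == NULL || argv[0] == NULL)
        return NULL;            /* execve'd with argc == 0: refuse */
    for (n = 1; n < argc; n++)
        if (argv[n][0] != '-')
            break;
    return n < argc ? argv[n] : NULL;
}

/* Constructed exec-style layout for argc == 0: argv[0] is the NULL
 * terminator and the environment begins in the very next slot.
 * Returns 1 if the buggy scan read and then overwrote envp[0]. */
static int demo_argc_zero(void)
{
    char *block[] = { NULL, "PATH=/tmp", "HOME=/root", NULL };
    char **argv = block;
    char **envp = block + 1;
    int ok = 1;

    ok &= buggy_find_path(0, argv) == envp[0];   /* read the environment */
    ok &= safe_find_path(0, argv) == NULL;       /* hardened form refuses */

    buggy_fixup_path(0, argv);                   /* "PATH=/tmp" isn't absolute... */
    ok &= strcmp(envp[0], "/usr/bin/PATH=/tmp") == 0; /* ...so envp[0] got clobbered */
    return ok;
}

/* Normal invocation for comparison: both scans find the same path. */
static int demo_normal(void)
{
    char *block[] = { "pkexec", "--disable-internal-agent", "/usr/bin/id",
                      NULL, "HOME=/root", NULL };
    char **argv = block;
    return strcmp(buggy_find_path(3, argv), "/usr/bin/id") == 0
        && strcmp(safe_find_path(3, argv), "/usr/bin/id") == 0;
}

int main(void)
{
    printf("argc==0: %s\n", demo_argc_zero()
           ? "buggy scan read envp[0] and wrote over it" : "unexpected");
    printf("normal:  %s\n", demo_normal() ? "both scans agree" : "unexpected");
    return 0;
}
```

Build it with cc -Wall and run it. demo_argc_zero() returns 1 only if the buggy scan handed back envp[0] as the "path" and then wrote its resolved form back over envp[0], which is the out-of-bounds read and write the post is pointing at. The argc < 1 check in safe_find_path is the userland half of the fix; the kernel-side refusal of argc == 0 the post mentions is the other half.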