An undetected bug from 7 years ago allows privilege escalation with polkit

Kevin Backhouse (a security researcher) shared a few days ago on the GitHub blog the note that had encountered an error in the polkit service associated with systemd (a common Linux system and service manager component), with which the seven-year-old vulnerability that allowed to escalate privileges which has been lurking in various Linux distributions and which was patched last week in a coordinated release.

Polkit is an application-level toolkit for defining and managing policy that allows the unprivileged processes Talk to the privileged processes, it installs by default on various Linux distributions. The vulnerability was introduced in version 0.113 seven years ago (commit bfa5036) and was fixed on June 3 after its recent disclosure by security researcher Kevin Backhouse.

As a member of the GitHub Security Lab, my job is to help improve the security of open source software by finding and reporting vulnerabilities. A few weeks ago, I found a privilege escalation vulnerability in polkit. Coordinated vulnerability disclosure with polkit maintainers and Red Hat's security team. It was made publicly known, the fix was released on June 3, 2021 and assigned CVE-2021-3560

"Every Linux system that uses a vulnerable version of polkit is potentially exposed to attacks that exploit the CVE-2021-3560 flaw," says Backhouse. says the flaw is surprisingly easy to exploit, as it only requires a few commands using standard terminal tools such as bash, kill, and dbus-send.

"The vulnerability is triggered by starting a dbus-send command, but killing it while polkit is still processing the request," Backhouse explained.

Backhouse posted a video PoC of an attack that exploits this vulnerability showing that it is easy to activate.

“The vulnerability allows an unprivileged local user to obtain a root shell on the system. It's easy to exploit with some standard command-line tools, as you can see in this short video, 'wrote the expert in a blog post.

When killing dbus-send (a communication command between processes), in the middle of an authentication request causes an error Which comes from polkit requesting the UID of a connection that no longer exists (because the connection was dropped).

"In fact, polkit mishandles the error in a particularly unfortunate way: instead of rejecting the request, it treats it as if it came from a process with UID 0," Backhouse explains. "In other words, you immediately authorize the request because you think the request comes from a root process."

This doesn't happen all the time, because polkit's UID query to dbus-daemon occurs multiple times on different code paths. Usually those code paths handle the error correctly, Backhouse said, but a code path is vulnerable, and if the disconnect occurs when that code path is active, then elevation of privilege occurs. It's all a matter of time, which varies in unpredictable ways because multiple processes are involved.

In addition, the researcher published the following table which contains the list of currently vulnerable distributions:

DISTRIBUTION VULNERABLE?
RHEL7 No
RHEL8 yes
Fedora 20 (or earlier) No
Fedora 21 (or later) yes
Debian 10 ("buster") No
debian testing yes
Ubuntu 18.04 No
Ubuntu 20.04 yes

Linux distributions that have polkit version 0.113 or later installed, such as Debian (unstable branch), RHEL 8, Fedora 21 and above, and Ubuntu 20.04, are affected.

The intermittent nature of the bug, Backhouse speculates, is the reason it went undetected for seven years.

"CVE-2021-3560 allows an unprivileged local attacker to gain root privileges," Backhouse said. "It is very simple and quick to exploit, so it is important that you update your Linux installations as soon as possible."

Finally If you are interested in knowing more about it, you can check the details In the following link.


Be the first to comment

Leave a Comment

Your email address will not be published. Required fields are marked with *

*

*

  1. Responsible for the data: AB Internet Networks 2008 SL
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.