A vulnerability that was present for 12 years in polkit allowed root privileges to be obtained

A few days ago the news broke that the Qualys research team had discovered a memory corruption vulnerability in polkit's pkexec, a SUID-root program that is installed by default on every major Linux distribution.

This easily exploitable vulnerability allowed any unprivileged user to gain full root privileges on a vulnerable host by exploiting the flaw in its default configuration.

polkit (formerly known as PolicyKit) is a component for controlling system-wide privileges on Unix-like operating systems. It provides an organized way for unprivileged processes to communicate with privileged ones, and it can also be used to run commands with elevated privileges by using the pkexec command followed by the command to be run (with root permission).

About the vulnerability

The vulnerability lies in pkexec, whose code contains a pointer-handling error: some pointers end up referencing memory areas they should not. By exploiting this flaw, it is possible to obtain administrator privileges almost instantly.

Cataloged as CVE-2021-4034, the vulnerability received a CVSS score of 7.8, and the Qualys team explained in a blog post that:

The pkexec flaw opens the door to root privileges for an attacker. Qualys researchers, it said, demonstrated exploitation of default installations of Ubuntu, Debian, Fedora and CentOS, and other Linux distributions are vulnerable as well.

"Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers were able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu, Debian, Fedora, and CentOS. Other Linux distributions are probably vulnerable and exploitable. This vulnerability has been hidden for more than 12 years and affects all versions of pkexec since its first release in May 2009 (commit c8c3d83, "Add a pkexec(1) command").

"As soon as our research team confirmed the vulnerability, Qualys committed to responsible vulnerability disclosure and coordinated with vendors and open source distributions to announce the vulnerability."

The problem occurs when pkexec's main() function processes the command-line arguments and argc is zero. The function still tries to access the argument list and ends up trying to use an empty argv (the ARGument Vector of command-line argument strings). As a result, memory is read and written out of bounds, which an attacker can exploit to inject an environment variable that can cause arbitrary code to be loaded.
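The argc == 0 case described above, reduced to a minimal sketch with the unchecked pattern beside a hardened one (an added example, not pkexec's source or code from the original article). The function names and the `fake_stack` array are hypothetical; the array stands in for the Linux process stack, where the environment pointers directly follow argv's NULL terminator.

```c
#include <stddef.h>
#include <stdio.h>

/* Unchecked pattern (hypothetical name): option scanning starts at index 1
 * and assumes argv[0] exists. With argc == 0 the loop never runs, n stays 1,
 * and argv[1] is read although argv holds only its NULL terminator. */
static const char *pick_program_unchecked(int argc, char **argv)
{
    int n;
    for (n = 1; n < argc; n++)
        if (argv[n][0] != '-')
            break;
    return argv[n];
}

/* Hardened pattern: reject an empty argument vector before indexing argv. */
static const char *pick_program_checked(int argc, char **argv)
{
    int n;
    if (argc < 1 || argv == NULL || argv[0] == NULL)
        return NULL;
    for (n = 1; n < argc; n++)
        if (argv[n][0] != '-')
            break;
    return argv[n]; /* NULL when only options were given */
}

/* Constructed stand-in for the initial stack of a process started with an
 * empty argv. Assumption: as on Linux, envp[0] sits right after argv's NULL. */
static char env0[] = "CONSTRUCTED_VAR=value";
static char *fake_stack[] = { NULL, env0, NULL };
static char **fake_argv(void) { return &fake_stack[0]; }
static char **fake_envp(void) { return &fake_stack[1]; }

int main(void)
{
    const char *u = pick_program_unchecked(0, fake_argv());
    const char *c = pick_program_checked(0, fake_argv());
    printf("envp[0]:   %s\n", fake_envp()[0]);
    printf("unchecked: %s\n", u ? u : "(null)");
    printf("checked:   %s\n", c ? c : "(rejected)");
    return 0;
}
```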

The fact that these variables can be reintroduced makes the code vulnerable. At least the exploitation technique offered by Qualys (injecting the GCONV_PATH variable into pkexec's environment to run a shared library as root) leaves traces in log files.

In a security advisory, Red Hat issued the following statement:

"Red Hat is aware of a vulnerability found in pkexec that allows an authenticated user to carry out a privilege escalation attack."

"The primary risk to customers is the potential for an unprivileged user to gain administrative privileges on affected systems. The attacker must have login access to the target system to carry out the attack."

It is worth mentioning that the vulnerability had already been identified in 2013 and was described in detail in a blog post, even though no PoC was provided:

"Lol, I wrote about this polkit vulnerability in 2013. I couldn't find an actual exploitation path, but I did identify the root cause."

Finally, if you are interested in learning more about it, you can consult the details at the following link.

