Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security Linux

Major Linux PolicyKit Security Vulnerability Uncovered: Pwnkit (zdnet.com) 179

An anonymous reader quotes a report from ZDNet: [S]ecurity company Qualys has uncovered a truly dangerous memory corruption vulnerability in polkit's pkexec, CVE-2021-4034. Polkit, formerly known as PolicyKit, is a systemd SUID-root program. It's installed by default in every major Linux distribution. This vulnerability is easy to exploit. And, with it, any ordinary user can gain full root privileges on a vulnerable computer by exploiting this vulnerability in its default configuration. As Qualsys wrote in its brief description of the problem: "This vulnerability is an attacker's dream come true." Why is it so bad? Let us count the ways:

- Pkexec is installed by default on all major Linux distributions.
- Qualsys has exploited Ubuntu, Debian, Fedora, and CentOS in their tests, and they're sure other distributions are also exploitable.
- Pkexec has been vulnerable since its creation in May 2009 (commit c8c3d83, "Add a pkexec(1) command").
- An unprivileged local user can exploit this vulnerability to get full root privileges.
- Although this vulnerability is technically a memory corruption, it is exploitable instantly and reliably in an architecture-independent way.
- And, last but not least, it's exploitable even if the polkit daemon itself is not running.

Red Hat rates the PwnKit as having a Common Vulnerability Scoring System (CVSS) score of 7.8. This is high. [...] This vulnerability, which has been hiding in plain sight for 12+ years, is a problem with how pkexec reads environmental variables. The short version, according to Qualsys, is: "If our PATH is "PATH=name=.", and if the directory "name=." exists and contains an executable file named "value", then a pointer to the string "name=./value" is written out-of-bounds to envp[0]." While Qualsys won't be releasing a demonstration exploit, the company is sure it won't take long for exploits to be available. Frankly, it's not that hard to create a PwnKit attack.
It's recommended that you obtain and apply a patch ASAP to protect yourself from this vulnerability.

"If no patches are available for your operating system, you can remove the SUID-bit from pkexec as a temporary mitigation," adds ZDNet. "For example, this root-powered shell command will stop attacks: # chmod 0755 /usr/bin/pkexec."
This discussion has been archived. No new comments can be posted.

Major Linux PolicyKit Security Vulnerability Uncovered: Pwnkit

Comments Filter:
  • by Burdell ( 228580 ) on Tuesday January 25, 2022 @10:38PM (#62208043)

    Polkit, formerly known as PolicyKit, is a systemd [emphasis mine] SUID-root program.

    PolicyKit is not part of or related to systemd - it pre-dates systemd's existence.

    • Re: (Score:3, Funny)

      Comment removed based on user account deletion
    • by gweihir ( 88907 ) on Wednesday January 26, 2022 @12:53AM (#62208211)

      Not true. It typically depends on libsystemd0 and gets installed with systemd: https://packages.debian.org/bu... [debian.org]
      It may be possible to install it without a systemd installation, but that will at least be difficult.

      Basically if you install systemd you also get policykit and are vulnerable. If you use a sane init-system, you do not have policykit.

      Some minimal fact-checking ability required to comment competently.

      • Alas, elogind (ie, pieces of systemd extracted for use with sane init systems) includes bits needed for policykit, to let modern desktop environments run unmodified. Thus, using a sane init doesn't imply you're safe here.

        • by gweihir ( 88907 )

          At least on Debian, pkexec is not in elogind. But there is a recommended dependency on policykit-1 and that depends on libsystemd0.

          Seems this crap can creep in in other ways too.

          • by Antique Geekmeister ( 740220 ) on Wednesday January 26, 2022 @03:35AM (#62208409)

            It didn't "creep in". It's been deliberate by Lennart Pottering and his fans for the last decade to replace as much of the system core tools as possible, believing that a monolithic and Linux-only set of tools can replace decades of UNIX developments. Some of the architectural debacles have been fairly predictable, others were not specifically predicted but their class of errors is not surprising.

            • Some of the architectural debacles have been fairly predictable

              The architectural debacles may be predictable but completely unrelated to systemd. Policykit only depends on systemd since systemd introduced functionality that it was previously providing.

              You want the year of Linux on desktop? It needs to act as a desktop OS. That includes providing functionality that users expect, functionality such as what policy kit provides. Now as to how these applications hook into the underlying system you can either use another library (what a fucking foreign concept in Linux amiri

              • by sjames ( 1099 ) on Wednesday January 26, 2022 @08:03AM (#62208737) Homepage Journal

                There's simple, well defined use of modular libraries and then there's kitchen sink dependency. Next thing you know, excessive use of the windshield washer deflates your spare tire.

              • Some have been quite predictable, other failures were quite the surprise. The binary-only logging system are one set, rather than text based logging system compatible with existing log analysis tools were one class and introduced issues with Unicode output as well. The creeping expansion into logind functionality, especially the unexpected, unrecorded, and unwelcome termination of background processes, was another. Interweaving systemd with Polkit, which used to be more modular, makes patching it more dange

                • by hey00 ( 5046921 ) on Wednesday January 26, 2022 @09:14AM (#62208863)

                  Systemd has proprietized Linux, making core functionality completely incompatible and non-portable to other operating systems. The ongoing proprietization of Linux has been severe.

                  What do you expect when you have a for profit company with lots of influence on some core parts of the OS? They try to extend that influence more and more to de facto control the OS.

                  Redhat/IBM has slowly taken over nearly every critical part of GNU/Linux (often by beating out canonical who was also trying): sound, display server, init, networking, logging, login, DE (gnome is still the default DE on most big distribs), package management (flatpak is thankfully facing resistance though) etc.

                  Systemd is their crown jewel through which they can slowly replace every core GNU utility one by one. Their wet dream has to be taking over the kernel.

                  We are playing a very dangerous game of putting all our eggs in the same basket. A basket held by a for profit company that has proven to be untrustworthy (remember CentOS) and that has entirely different goals from us (by definition, they have only one goal: make more money for their shareholders, even if that would mean burning gnu/linux to the ground).

                • by gweihir ( 88907 )

                  It is not (yet) that bad actually. I run Debian without systemd and Gentoo without systemd. Both work pretty well. If something requires systemd or its components, I simply regard that as not being part of Linux anymore and do without it.

                  I do agree on the general idea behind systemd though: Make Linux like Windows, remove as much user-choice as possible.

            • by gweihir ( 88907 )

              Well, that was wordplay because as developer I consider Poettering a "creep". Probably too subtle, my apologies.

              Fully agree on the rest. Poettering obviously has "kernel envy" and wants to ideally wrap the kernel so everybody has to use his crap.

          • by vbdasc ( 146051 )

            libsystemd0 is very hard to be avoided in Debian, at least if the user wants to run Gnome. A large number of other packages depend indirectly on libsystemd0 too. I'm running elogind myself, but I can't get rid of libsystemd0 if I want to have a semblance of an useful system. Still, elogind + libsystemd0 is the way lesser evil than the full systemd, thank God.

            • by gweihir ( 88907 )

              libsystemd0 is very hard to be avoided in Debian, at least if the user wants to run Gnome. A large number of other packages depend indirectly on libsystemd0 too. I'm running elogind myself, but I can't get rid of libsystemd0 if I want to have a semblance of an useful system. Still, elogind + libsystemd0 is the way lesser evil than the full systemd, thank God.

              Why would I ever want to run Gnome? I looked at it way back and found my FVWM setup was way better.

              But yes, you have a point. I still wonder whether Gnome got actively corrupted by Red Hat or whether they did this stupid thing all by themselves.

      • by shoor ( 33382 )

        Here's an anecdotal data point: I just read the article on my pclinuxos system, which does not use systemd. I did a 'which pkexec', and, lo and behold, there it was in /usr/bin. I'll check my devuan system next time I fire it up.

        • by gweihir ( 88907 )

          Here's an anecdotal data point: I just read the article on my pclinuxos system, which does not use systemd. I did a 'which pkexec', and, lo and behold, there it was in /usr/bin. I'll check my devuan system next time I fire it up.

          Maybe you got infected via elogind as somebody else pointed out.

          Devuan should not have libsystem0 and hence no policykit with pkexec. But if would be good to get confirmation on that. I tried finding pkexec via the devuan website packet search and it seems it is not present. I am not 100% confident on that though.

        • by Tetch ( 534754 )

          Here's another anecdotal data point: I just checked on a Debian Squeeze system I (still) have running here, which according to my notes was "installed from AMD64 netinst.iso 6.0.4 on 12/03/2012".

          root@mybox:~# cat /etc/debian_version
          6.0.10
          root@mybox:~# ls -l /usr/bin/pkexec
          -rwsr-xr-x 1 root root 19584 Jan 29 2012 /usr/bin/pkexec
          root@mybox:~# chmod 755 /usr/bin/pkexec

          systemd first appeared in Debian Jessie (8.0) in 2015.

      • by thegarbz ( 1787294 ) on Wednesday January 26, 2022 @06:01AM (#62208571)

        Not true. It typically depends on libsystemd0 and gets installed with systemd

        Yes true. It depends on systemd *NOW*. That doesn't change the fact that it is not part of systemd, predates systemd, was not developed by people working on systemd, and was installed by default on distributions before systemd was even introduced.

        Basically if you install systemd you also get policykit and are vulnerable

        And? That doesn't make it a systemd component. If you install any Debian based OS, even ones predating the systemd move, and even Devuan the specifically anti-systemd distribution you get policykit, just in the case of Devuan they use a shim instead of libsystemd0.

        Some minimal fact-checking ability required to comment competently.

        Fuck me man. If I posted as much garbage as you did I would die of shame if I were also such a smartass.

        • by vbdasc ( 146051 )

          It depends on systemd *NOW*

          It depends on libsystemd0, at least in recent Debian versions. Are you saying that systemd and libsystemd0 are the same thing? Isn't libsystemd0 just a tiny part of systemd?

      • by Burdell ( 228580 )

        On my system, pkexec is linked against over two dozen shared libraries - that doesn't make it a part of glibc or PCRE or any of the others. The fact that PolKit can integrate with systemd does not make it a part of systemd.

        You should try some fact-checking - the summary says this bug dates back to 2009, which is before systemd was even released.

      • by jwdb ( 526327 )

        Basically if you install systemd you also get policykit and are vulnerable. If you use a sane init-system, you do not have policykit.

        Some minimal fact-checking ability required to comment competently.

        Slackware current uses sysV but also installs policykit.
        Glass houses, and all that?

  • At last... (Score:5, Funny)

    by dogcar3604 ( 1482103 ) on Tuesday January 25, 2022 @11:19PM (#62208111)
    ...we can finally stop talking about log4j...
  • C string and array manipulation FTW.

    • by Anonymous Coward

      On the bright side 13,000 eyeballs* were on the job and caught this quickly. Truely a win for open source over proprietary.

      *(13 years * 1,000 eyeballs)

      • I'm pretty surprised this took so long to get out. (notice I don't say find, because a found vuln that's not out is a 0day, conceivable someone secretly exploiting that never got caught with the exploit method.) I thought there were people fuzzing suid binaries like crazy that would have found this long ago. I mean user input to setuid binaries is like the second set of stuff to look at when trying to come up with a new zero day. (remote input to elevated privs binaries being the first, of course)

        However to

        • by gweihir ( 88907 )

          Much more likely that a closed source bug like this would be found by a black hat.

          And that is the point. Sure, there is stupid code in Linux distros and some of it in core functionality. I advise the interested reader to have a look at the "fixed" source code of pkexec for a good example how to _not_ do things. But the thing is that such a vulnerability will stay non-public far longer on closed source and, in addition, when it gets discovered on open source you can directly verify what is going on while on closed source you can just trust the vendor. For policykit, after a look at the so

          • > will stay non-public far longer on closed source a

            Given the people who can, and do, have developer licenses to source code, or who can steal it, there is no guarantee of this. Obfuscating the source code, for example by weaving it into systemd, takes eyes away from seeing it.

            • by gweihir ( 88907 )

              I meant "non-public" = "only known to attackers" and it is a tendency not an assurance.

              Fully agree on Systemd though. Nobody sane and competent will waste time on that of their own free will.

    • Worth being said, if you are writing C code, make sure you use an alternate string library (or have some other method to avoid these kinds of bugs).

  • This is just the kind of high quality work I expect IBM to do.

  • Details, details... (Score:4, Informative)

    by beowulf01 ( 843871 ) on Wednesday January 26, 2022 @12:44AM (#62208201)

    For one, I am glad I do not run a "major" linux distribution (Slackware).

    From Qualys article (full of a hard sell for their security product), and left out of the ZDNet article:

    "Is this vulnerability remotely exploitable?
    No. But if an attacker can log in as any unprivileged user, the vulnerability can be quickly exploited to gain root privileges."

    *yawn*

    • Re: (Score:2, Interesting)

      by Anonymous Coward
      • by jmccue ( 834797 )

        yes, Slackware does come with it, and it is in Current.

        But, Slackware has a lot of things that may or may not get used. I strongly suspect polkit is only used when someone wants to use KDE (and maybe xfce4) in Slackware. If on a regular WM like I use, I doubt it is used. I will play around to see.

        In anycase Slackware released a patch for it yesterday.

  • by gweihir ( 88907 ) on Wednesday January 26, 2022 @12:48AM (#62208205)

    Basically, if you use systemd, you typically also use policykit and are vulnerable. If you do not use systemd but a sane init-system, you generally do not have policykit and are not vulnerable to this. There may be a way to install poicykit without systemd, but it depends, for example, on libsystemd0, so it would require at least a partial systemd installation to work.

    The cancer that came over to Linux from the Windows-minded and incompetents with big egos is not limited to core systemd.

    I stay far away from systemd and I have nothing to patch here on any of my installations using several different distros. The only instance of pkexec I have is from an old backup of an orange-pi zero installation before I nuked systemd on it.

    • Re: (Score:3, Informative)

      by Anonymous Coward

      The PolicyKit software is named "polkit" on Red Hat based systems, including Amazon Linux. Its incestuous interlacing with systemd is Lennart Pottering's fault: he used to write pulseaudio, which relies on it, and he *loves, loves, loves* to violate basic security and performance practices like "not breaking other people's working software" in favor of his Tower of Systemd Babylon approach to the operating system stack.

    • Policykit predated systemd, it was created in 2009 and wasn't put into the systemd project until 2012 (where it was renamed to polkit) so it is used on far more systems than just systemd ones. For example it's used on OpenBSD, however it's not exploitable on OpenBSD because the OpenBSD kernel refuses to execve() a program if argc is 0
    • Re: (Score:3, Insightful)

      by thegarbz ( 1787294 )

      If you do not use systemd but a sane init-system, you generally do not have policykit and are not vulnerable to this.

      Stop being such an ignorant idiot. Policykit was a default component of distributions regardless of init system, it was a default component of RedHat and Debian before the introduction of systemd, and it's also included by default in anti-systemd distributions such as Devuan.

      But you made an anti-systemd comment so I guess we should shower you with modpoints.

    • Re: (Score:3, Informative)

      Comment removed based on user account deletion
  • Why would my path contain an equal sign? And i suppose there needs te be a folder named âoename=âoe in the PWD where i run the command that polkit executes.
    So just running
    PATH=name=abcd some_polkit_command
    Would do the trick just by itself? Or is it only the PATH that a root shell has access to?

    • by gweihir ( 88907 )

      This is a local privilege escalation. The attacker can set PATH to whatever they like before calling pkexec because they are logged in.

  • Why PwnKit (Score:5, Funny)

    by Ă…ke Malmgren ( 3402337 ) on Wednesday January 26, 2022 @01:32AM (#62208253)
    When they could've called it PkAxe?
  • by gweihir ( 88907 ) on Wednesday January 26, 2022 @01:50AM (#62208269)

    Who writes crap like this? And in an suid binary, no less! The problem basically is

    ...

    for (n = 1; n < (guint) argc; n++) {...}
    ...

    Very obviously, argc can be 0. This gross error indicates a lack of even a basic clue as to how argc/argv works. There is also absolutely no validation on argc to make sure it is >= 1. Again, in a frigging suid program. Incredible. Then they make it worse by writing argv[n].

    Even copy/paste coding for argc processing would have been better. The first few Duckduckgo links with examples _all_ do it right. There is one (!) that starts n at 1, but they make sure that n is greater than 0 before.

    The people at Qualys probably found this with some utterly simple fuzzing, which means some people will have known about it for a long, long time as that is a basic, cheap and completely standard approach to look for vulnerabilities in commandline programs.

    • by gweihir ( 88907 ) on Wednesday January 26, 2022 @02:28AM (#62208339)

      Also note that to fix it, they added a value check on argc not directly before it is used, but far enough away that somebody may not connect the two. Oh, and they do utter crap like jumping out of the for-loop with a "goto" or messing with the loop counter within the loop. This is really, really crappy code written by people that think they are smart.

      Incredible. That code should be indented down 6 feet and covered with dirt.

    • Actually, this code is not a problem, because if argc is 0 the loop will not be executed.

      This code cannot create a memory corruption problem...

    • by pjrc ( 134994 )

      C "for" loops perform iteration test before starting. So if n = 1 and argc = 0, the loop will not run.

      The question "Who writes crap like this?" could also be asked of your overly heated message with incorrect analysis of the code.

      • by gweihir ( 88907 )

        Wrong. n is set to 1 and that causes the vulnerability. Yes, n gets used after the loop and is assumed to be valid.

        As to crap code, I invite you to read the pkexec sources and then again claim that this is reasonable code.

    • for (n = 1; n < (guint) argc; n++) {...} ...

      Very obviously, argc can be 0. This gross error indicates a lack of even a basic clue as to how argc/argv works.

      Leave it to gweirhir constantly mocking everyone elses intelligence to post something like this and get modded +5 for it.

      I would ask if 1 is less than 0 but I'm afraid someone will say YES.

      • by gweihir ( 88907 )

        Well, you have obviously not looked at the code or the analysis of the problem. How pathetic.

        The little detail you are unaware of is that the vulnerability is not _in_ the loop but _after_ it and it uses n which gets set to 1 by the loop even if the loop does not run.

        And that nicely explains why I get up-modded and you do not.

    • Maybe my programming is rusty but if argc = 0 then it never hits this part of the code. Sure there could be problems elsewhere in the code but not here.
  • This is a school boy error and should have been picked up years ago. The fact that such a basic bug hasn't been spotted in all this time shows that no one has bothered to vet this rather critical code - or if they did then not this boring enviroment variable part. It also doesn't say a lot about the skills of the original programmer if he can't even get something this fucking simple working correctly.

    I'm not going to blame OSS and community dev because I've seen similar bugs in commercial software I've work

    • by dsanfte ( 443781 ) on Wednesday January 26, 2022 @05:09AM (#62208511) Journal

      I'll go a step further. It's not safe to write C code without robust automated vulnerability scanning/fuzzing before you release it. And even then it's a risk.

      As long as we have memory-unsafe languages like C we will have an endless stream of vulnerabilities, because humans aren't perfect.

    • by ledow ( 319597 )

      Indeed, and given polkit's own description:

      polkit is a toolkit for defining and handling authorizations. It is
      used for allowing unprivileged processes to speak to privileged
      processes.

      Sounds like the kind of software that should be under EXTREME scrutiny.

  • https://seclists.org/oss-sec/2... [seclists.org]

    "The bug is caused by an integer underflow ... [which] results in miscalculation of a valid max length. A bounds check is present ... however, if the value of size is greater than or equal to 4095, the unsigned subtraction will underflow ... so the check will not trigger. "

    Surely this generates a compile time warning ?!?!?!?!?

    I cannot tell you how many serious bugs I have fixed which were a direct result of some ass-hat totally ignoring compiler warnings.

    • by Entrope ( 68843 )

      No, that's a different thing. This just initialized a variable to 1, realized argv[1] wasn't a program argument, and proceeded to use it anyway.

  • Looks like my machines got Debian autoupdates this morning:

    > 2022-01-26 06:11:04 status installed policykit-1:amd64 0.105-25+deb10u1

  • I'm not a Linux expert, but after reading more about Systemd I get the feeling it's like the MPC from Tron.
    • by hey00 ( 5046921 )

      Systemd solved some real problems on GNU/Linux. But it is now used as a trojan horse to replace every piece of code that sits between the kernel and the user applications by new tools written by script kiddies who think all the experience we got through decades of UNIX development is worthless and who think they know better.

      They don't, their "new" and "better" tools have the same bugs that were fixed decades ago. The only things they are better at is being interdependant, breaking compatibility with existin

    • by caseih ( 160668 )

      You certainly aren't an expert and neither apparently are any of the other anti-systemd folk above. It's almost comical to read if it weren't laced with such bile and personal attacks on one of the developers.

      polkit is on most systems that don't have systemd as well. No MCP there.

      • When I referred to reading more about Systemd, I wasn't referring to Slashdot comments. It's quite clear from the latter that Systemd is a contentious issue. I was referring to reading external sources describing Systemd and it's capabilities. It seemed to me that Systemd is a large multifaceted integrated system used to control many aspects of the Linux OS, kind of like the MPC from Tron. This isn't a judgement of Systemd, just an observation.

To stay youthful, stay useful.

Working...