Who, Us? Linux Root Bug Quietly Added 7 Years Ago
A nasty vulnerability in most Linux distributions is raising eyebrows among the penguinistas. A simple unchecked error in the polkit component can let a user get root with just a couple of commands.
The security bug has been there for seven years. Patches are now available, so you know what to do and when to do it.
But how did this happen? In today’s SB Blogwatch, we unpick the story.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Demonstrably an LPE.
Linux Lovers, Look the Other Way
What’s the craic? Thomas Claburn reports—“Seven-year-old make-me-root bug in Linux service polkit patched”:
“Polkit version 0.113 or later”
GitHub security researcher Kevin Backhouse … found the bug (CVE-2021-3560) in a service called polkit associated with systemd, a common Linux system and service manager component. … Formerly known as PolicyKit, polkit is a service that evaluates whether specific Linux activities require higher privileges than those currently available.
…
Linux systems that have polkit version 0.113 or later installed – like Debian (unstable), RHEL 8, Fedora 21+, and Ubuntu 20.04 – are affected.
Not so fast. Cedric Buissart clarifies—“Local privilege escalation using polkit_system_bus_name_get_creds_sync()”:
“Backported”
Vulnerable versions: from 0.113 until 0.118, but some distributions may have backported the vulnerability. [For example,] some Debian based distros (e.g.: Ubuntu 20.04), based on 0.105, appear to also be vulnerable, as the commit was backported.
…
CVSS Score: 7.8 – AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
And Sergiu Gatlan adds—“Linux system service bug lets you get root on most modern distros”:
“Exposed to attacks”
Exploiting the vulnerability is surprisingly easy as it only takes a few terminal commands using only standard tools such as bash, kill, and dbus-send. … Even though many Linux distributions haven’t shipped with the vulnerable polkit version until recently, any Linux system shipping with [a vulnerable] polkit … installed is exposed to attacks.
Greek to you? DrXym translates:
“UAC on Windows”
polkit is a desktop service that allows userland applications to run elevated actions. Basically serving the equivalent [of] UAC on Windows.
Horse’s mouth, anyone? Kevin Backhouse explains, “How to get root on Linux with a seven-year-old bug”:
“It’s important that you update”
My job is to help improve the security of open source software by finding and reporting vulnerabilities. A few weeks ago, I found a privilege escalation vulnerability in polkit. I coordinated the disclosure of the vulnerability with the polkit maintainers and with Red Hat’s security team.
…
Polkit … essentially plays the role of a judge. If you want to do something that requires higher privileges—for example, creating a new user account—then it’s polkit’s job to decide whether or not you’re allowed to do it. For some requests, polkit will make an instant decision to allow or deny, and for others it will pop up a dialog box so that an administrator can grant authorization by entering their password.
…
Killing the dbus-send command cause[s] an authentication bypass. … If polkit asks dbus-daemon for the UID … polkit mishandles the error in a particularly unfortunate way: … it treats the request as though it came from a process with UID 0. In other words, it immediately authorizes the request because it thinks the request has come from a root process.
…
It’s very simple and quick to exploit, so it’s important that you update your Linux installations as soon as possible.
Even simpler if someone wrote some script-kiddie fodder. Someone like hakivvi:
“Exploit the vulnerability”
I decided to write a PoC using the dbus C API. I didn’t use sleep() while waiting for the message to be sent to the target service. Instead, DBus functions provide a timeout parameter, so by (ab)using this parameter we can force the function to return just after it sends the message, then killing the process will allow us to exploit the vulnerability on polkit and bypass the authentication.
So how terrible is the bug? Here’s flatiron:
“Terrible”
Take a look at the bug. It’s polkit defaulting to 0 if dbus is down for the UID. … Defaulting a uid to 0 is terrible.
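Backhouse’s description above (an error from the bus being treated as “UID 0”) and flatiron’s complaint about defaulting a uid to 0 both come down to one pattern: a credential lookup that fails open. The snippet below is an added illustration written for this post, not polkit’s code; the names `lookup_caller_uid`, `authorize_failopen` and `authorize_failclosed` and the toy “root is allowed, everyone else is denied” policy are assumptions made for the example.

```c
/* Added example (not polkit's code): a fail-open credential lookup of the
 * shape the post describes, beside its fail-closed replacement.
 * lookup_caller_uid() is a constructed stand-in for asking the message bus
 * who sent a request; the policy below is a deliberately tiny toy. */
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/* Simulates the bus lookup. It fails (returns false) when the caller has
 * already gone away, and in that case writes nothing to *uid. */
static bool lookup_caller_uid(bool caller_alive, uid_t real_uid, uid_t *uid)
{
    if (!caller_alive)
        return false;      /* sender vanished: no credentials available */
    *uid = real_uid;
    return true;
}

/* Vulnerable shape: uid starts at 0 and the failed lookup is ignored, so an
 * unidentifiable caller is judged as if it were root. Returns 1 = allowed. */
int authorize_failopen(bool caller_alive, uid_t real_uid)
{
    uid_t uid = 0;
    (void)lookup_caller_uid(caller_alive, real_uid, &uid);
    return uid == 0;
}

/* Hardened shape: a lookup failure is itself a reason to deny; the decision
 * never rests on whatever happened to be in uid beforehand. */
int authorize_failclosed(bool caller_alive, uid_t real_uid)
{
    uid_t uid;
    if (!lookup_caller_uid(caller_alive, real_uid, &uid)) {
        fprintf(stderr, "could not identify caller; denying\n");
        return 0;
    }
    return uid == 0;
}

int main(void)
{
    /* Constructed scenario: an unprivileged caller (uid 1000) whose
     * credentials can no longer be resolved by the bus. */
    printf("fail-open  : %s\n", authorize_failopen(false, 1000) ? "ALLOWED" : "denied");
    printf("fail-closed: %s\n", authorize_failclosed(false, 1000) ? "ALLOWED" : "denied");
    return 0;
}
```

The point for anyone reviewing authorization code: the identity of the requester must be an output of a successful lookup, never a variable with a privileged default that survives an unchecked error path.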
You can almost see the eye-rolling from here. Steve Graham rolls a pair of ones:
“What could possibly go wrong?”
Burn it with fire. This exactly justifies my nuke of polkit any time it appears as a dependency.
A process designed to bypass the traditional Unix security model? What could possibly go wrong?
As does dane-pgp:
“Lava field”
I can’t help imagining a distro developer looking out at systemd across a lava field and saying: “You were the chosen one! It was said that you would destroy the badly designed legacy components, not join them!”
So Randseed gathers some more entropy: [You’re fired—Ed.]
“Chasing the badly designed Windows Registry”
I know the arguments for systemd vs. the traditional init system, but in reality systemd is more trouble than it’s worth in many cases. That entire paradigm of ideas leads to not even having easily accessible logs for processes.
…
I want to be able to look at syslog and see everything. If I need to filter it, I can either use pipes and shell level tools, or I can write a program that goes off and intelligently filters the logs.
Systemd, to me, at least, always seemed like somebody’s idea of chasing the badly designed Windows Registry and whatever passes for their error reporting system.
Meanwhile, what was ESR’s famous quote about open source and bugs? ArchieBunker is shallow:
“Many eyes”
I guess the many eyes missed this one.
And Finally:
Kevin demos the vuln’ and the ’sploit
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.