Bug 692922 (CVE-2011-1485)

Summary: CVE-2011-1485 polkit: polkitd/pkexec vulnerability
Product: [Other] Security Response
Reporter: David Zeuthen <davidz>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: bressers, jlieskov, mclasen, mvadkert, security-response-team
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-01-27 15:43:39 UTC
Bug Depends On: 692941, 692942, 697951
Attachments:
  Patch 1/4 (flags: none)
  Patch 2/4 (flags: none)
  Patch 3/4 (flags: none)
  Patch 4/4 (flags: none)
  polkit 0.96 patch 1/4 (flags: none)
  polkit 0.96 patch 2/4 (flags: none)
  polkit 0.96 patch 3/4 (flags: none)
  polkit 0.96 patch 4/4 (flags: none)

Description David Zeuthen 2011-04-01 17:24:01 UTC
I was contacted privately about a potential vulnerability in polkitd and pkexec.

Briefly, the problem is that the UID for the parent process of pkexec(1) is read from /proc by stat(2)'ing /proc/PID.

The problem with this is that this returns the effective uid of the process which can easily be set to 0 by invoking a setuid-root binary such as /usr/bin/chsh in the parent process of pkexec(1). Instead we are really interested in the real-user-id.

While there's a check in pkexec.c to avoid this problem (by comparing it to what we expect the uid to be - namely that of the pkexec.c process itself which is the uid of the parent process at pkexec-spawn-time), there is still a short window where an attacker can fool pkexec/polkitd into thinking that the parent process has uid 0 and is therefore authorized. It's pretty hard to hit this window - I actually don't know if it can be made to work in practice.

Either way, if exploitable (which I think it is), this bug is a local root exploit so we should treat it like that. Now that there is no vendor-sec list anymore, I don't know what it means wrt embargoing? (so far this issue has been kept confidential - and the patches fixing this are not yet publicly available)

I already have patches for polkit master to fix this problem (to look up the right uid) and also avoid having to look up the UID in /proc/PID at all (doing so generally causes TOCTTOU bugs). These patches should all work in the polkit versions shipped in supported versions of Fedora.

I am right now working on patches for RHEL6.
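The two identity sources the report above contrasts, as an added example that is not polkit's own code and not one of the attached patches. The helper names are mine; the only assumptions are the standard Linux procfs layouts: the owner of the /proc/PID directory (what stat(2) returns) is derived from the task's effective credentials and falls back to root once the task is no longer dumpable, which is exactly what happens after exec'ing a setuid-root binary such as chsh, while the "Uid:" line of /proc/PID/status lists real, effective, saved and filesystem uid in that order.

```c
/* Added example (not polkit's code): the identity stat(2) of /proc/PID
 * reports versus the real uid recorded in /proc/PID/status.
 * Helper names are mine; the file formats are standard Linux procfs. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* What the vulnerable check relied on: stat(2) /proc/PID and trust st_uid.
 * The kernel fills that owner from the task's *effective* uid, and uses
 * root when the task is not dumpable (the state a process is left in after
 * exec'ing a setuid-root binary), so an attacker-controlled parent can show
 * up as uid 0 here while its real uid is still the unprivileged user. */
long proc_owner_uid(pid_t pid)
{
    char path[64];
    struct stat st;
    snprintf(path, sizeof path, "/proc/%ld", (long)pid);
    if (stat(path, &st) != 0)
        return -1;
    return (long)st.st_uid;
}

/* Parse one field of the "Uid:" line from a /proc/PID/status buffer.
 * Field 0 is the real uid, 1 effective, 2 saved, 3 filesystem.
 * Returns -1 if the line is missing or malformed. */
long status_uid_field(const char *status, int field)
{
    const char *line = status;
    while (line && *line) {
        if (strncmp(line, "Uid:", 4) == 0) {
            const char *p = line + 4;
            for (int i = 0; i <= field; i++) {
                char *end;
                long v = strtol(p, &end, 10);
                if (end == p)          /* no number where one was expected */
                    return -1;
                if (i == field)
                    return v;
                p = end;
            }
        }
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return -1;
}

/* The identity an authorization check should actually use: the real uid
 * of the process, read from /proc/PID/status. Returns -1 on error. */
long proc_real_uid(pid_t pid)
{
    char path[64], buf[4096];
    snprintf(path, sizeof path, "/proc/%ld/status", (long)pid);
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return status_uid_field(buf, 0);
}

int main(void)
{
    /* Inspect our own parent, the same relationship pkexec has to its caller. */
    pid_t ppid = getppid();
    printf("parent %ld: /proc owner uid=%ld, real uid from status=%ld\n",
           (long)ppid, proc_owner_uid(ppid), proc_real_uid(ppid));
    return 0;
}
```

Run from an ordinary shell both numbers agree; run it from a parent that has exec'd a setuid-root program and proc_owner_uid reports 0 while proc_real_uid still reports the invoking user, which is the discrepancy the report describes. Note that both lookups are still keyed on a PID, so a process that exits and is replaced by another with the same PID between the lookup and the decision is the TOCTTOU problem the reporter says the real fix avoids by not consulting /proc/PID at all.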

Comment 4 David Zeuthen 2011-04-01 19:21:29 UTC
Created attachment 489458
Patch 1/4

Comment 5 David Zeuthen 2011-04-01 19:22:15 UTC
Created attachment 489461
Patch 2/4

Comment 6 David Zeuthen 2011-04-01 19:22:46 UTC
Created attachment 489462
Patch 3/4

Comment 7 David Zeuthen 2011-04-01 19:23:07 UTC
Created attachment 489463
Patch 4/4

Comment 9 David Zeuthen 2011-04-11 18:24:20 UTC
Created attachment 491306
polkit 0.96 patch 1/4

Comment 10 David Zeuthen 2011-04-11 18:24:38 UTC
Created attachment 491307
polkit 0.96 patch 2/4

Comment 11 David Zeuthen 2011-04-11 18:24:53 UTC
Created attachment 491308
polkit 0.96 patch 3/4

Comment 12 David Zeuthen 2011-04-11 18:25:08 UTC
Created attachment 491309
polkit 0.96 patch 4/4

Comment 13 David Zeuthen 2011-04-11 18:26:43 UTC
polkit 0.96, as shipped in RHEL6, is a bit different from git master. I've attached the patches for 0.96 in comment 9, comment 10, comment 11 and comment 12. These patches will appear in a polkit-0-96 branch in the upstream git repo once the embargo has been lifted.

Comment 14 Josh Bressers 2011-04-14 15:01:15 UTC
Acknowledgements:

Red Hat would like to thank Neel Mehta of Google for reporting this issue.

Comment 17 Jan Lieskovsky 2011-04-19 18:28:11 UTC
Created polkit tracking bugs for this issue

Affects: fedora-all [bug 697951]

Comment 19 errata-xmlrpc 2011-04-19 18:38:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0455 https://rhn.redhat.com/errata/RHSA-2011-0455.html