Bug 1002375 (CVE-2013-4288) - CVE-2013-4288 polkit: unix-process subject for authorization is racy
Summary: CVE-2013-4288 polkit: unix-process subject for authorization is racy
Keywords:
Status: NEW
Alias: CVE-2013-4288
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20130918,repo...
Depends On: 1005135 1006262 1006264 1009538
Blocks: 1002376
TreeView+ depends on / blocked
 
Reported: 2013-08-29 04:02 UTC by Vincent Danen
Modified: 2019-08-19 07:48 UTC (History)
15 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)
polkit patch (18.29 KB, patch)
2013-09-09 03:09 UTC, Huzaifa S. Sidhpurwala
no flags Details | Diff
spice-gtk patch (1.54 KB, patch)
2013-09-09 03:11 UTC, Huzaifa S. Sidhpurwala
no flags Details | Diff
hplip patch (1.92 KB, patch)
2013-09-09 03:13 UTC, Huzaifa S. Sidhpurwala
no flags Details | Diff
rtkit patch (2.49 KB, patch)
2013-09-09 03:15 UTC, Huzaifa S. Sidhpurwala
no flags Details | Diff
systemd.patch (4.08 KB, patch)
2013-09-09 03:16 UTC, Huzaifa S. Sidhpurwala
no flags Details | Diff


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:1270 normal SHIPPED_LIVE Important: polkit security update 2013-09-19 22:03:21 UTC

Description Vincent Danen 2013-08-29 04:02:35 UTC
Sebastian Krahmer reported a race condition in the polkit unix-process subject for authorization. It depended on the (PID, startup_time) pair to be passed to pokkit, which then used /proc/PID/status to find the UID the process belongs to. A local attacker could exploit this issue via a polkit enabled application, by starting a suid or pkexec process, changing the eud and/or uid at will. This could result in bypass polkit authorizations or even privilege escalation in some cases.

Comment 11 Huzaifa S. Sidhpurwala 2013-09-09 03:09:49 UTC
Created attachment 795472 [details]
polkit patch

Comment 12 Huzaifa S. Sidhpurwala 2013-09-09 03:11:39 UTC
Created attachment 795473 [details]
spice-gtk patch

Instead of using polkit_unix_process_new() which can be racy, spice-gtk is modified to use polkit_unix_process_new_for_owner()

Comment 13 Huzaifa S. Sidhpurwala 2013-09-09 03:13:53 UTC
Created attachment 795474 [details]
hplip patch

hplip invokes polkit via dbus, the patch passes system-bus-name as subject, not pid to polkit

Comment 14 Huzaifa S. Sidhpurwala 2013-09-09 03:15:57 UTC
Created attachment 795475 [details]
rtkit patch

Pass uid of caller to polkit

Comment 15 Huzaifa S. Sidhpurwala 2013-09-09 03:16:34 UTC
Created attachment 795476 [details]
systemd.patch

Comment 16 Huzaifa S. Sidhpurwala 2013-09-09 03:32:43 UTC
As per polkit documentation:

"polkit applications are applications using the polkit authority as a decider component. They do this by installing a .policy file into the /usr/share/polkit-1/actions directory and communicating with the polkit authority at runtime (either via the D-Bus API or indirectly through the libpolkit-gobject-1 library or the pkcheck command)."

So the attached pokit patch attempts to address this issue in all the 3 ways by which the polkit authority is invoked.

1. libpolkit-gobject-1:
polkit_unix_process_new() is deprecated and is polkit_unix_process_new_for_owner() should now be used in its place. This way we avoid a race condition if the parent execve()s a setuid program.

2. dbus API:
Modify dbus API to accept system-bus-name as subject, not pid

3. pkcheck:
Modify pkcheck: Support --process=pid,start-time,uid

Based on the above changes consumers of polkit using specific API are also changed.

spice-gtk: Uses polkit_unix_process_new(), changed to now use polkit_unix_process_new_for_owner()

hplip/rtkit/systemd: Used dbus, modified to use the new dbus syntax.

libvirt: Uses pkcheck, modified to use newer pkcheck syntax, major changes were made to incorporate the new change.

Comment 17 Colin Walters 2013-09-09 21:19:10 UTC
(In reply to Huzaifa S. Sidhpurwala from comment #11)
> Created attachment 795472 [details]
> polkit patch

Note I recommend that clients only update with patches 1 and 2 here - 3 and 4 are merely cleanups that I want to do as a separate step.  Or really, only patch 2 is needed.

I've updated my git repository to reflect that by moving 1,3,4 to a separate cleanups/ directory.

Comment 20 Huzaifa S. Sidhpurwala 2013-09-11 05:51:50 UTC
Note:

The components described in Comment #16 are also affected by this flaw. They have been assigned separate CVEs as per the following:

CVE-2013-4311 libvirt: insecure calling of polkit via libgobject API
CVE-2013-4324 spice-gtk: use of insecure polkit libgobject-1 API
CVE-2013-4325 hplip: use of insecure polkit DBUS API
CVE-2013-4326 rtkit: use of insecure polkit DBUS API
CVE-2013-4327 systemd: use of insecure polkit DBUS API

Comment 21 Murray McAllister 2013-09-17 03:59:14 UTC
Acknowledgements:

Red Hat would like to thank Sebastian Krahmer of the SUSE Security Team for reporting this issue.

Comment 22 Vincent Danen 2013-09-18 15:07:37 UTC
This is now public:

http://www.openwall.com/lists/oss-security/2013/09/18/4

Comment 23 Vincent Danen 2013-09-18 15:24:12 UTC
Created polkit tracking bugs for this issue:

Affects: fedora-all [bug 1009538]

Comment 24 errata-xmlrpc 2013-09-19 18:10:14 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1270 https://rhn.redhat.com/errata/RHSA-2013-1270.html

Comment 25 Fedora Update System 2013-09-20 16:22:34 UTC
polkit-0.112-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 26 Fedora Update System 2013-09-22 04:28:04 UTC
polkit-0.107-6.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 27 Fedora Update System 2013-09-23 00:12:24 UTC
polkit-0.112-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.