Bug 1002375 - (CVE-2013-4288) CVE-2013-4288 polkit: unix-process subject for authorization is racy
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority: high, Severity: high
Assigned To: Red Hat Product Security
impact=important,public=20130918,repo...
Depends On: 1005135 1006262 1006264 1009538
Blocks: 1002376
Reported: 2013-08-29 00:02 EDT by Vincent Danen
Modified: 2016-04-18 20:38 EDT

Doc Type: Bug Fix
Attachments:
polkit patch (18.29 KB, patch), 2013-09-08 23:09 EDT, Huzaifa S. Sidhpurwala
spice-gtk patch (1.54 KB, patch), 2013-09-08 23:11 EDT, Huzaifa S. Sidhpurwala
hplip patch (1.92 KB, patch), 2013-09-08 23:13 EDT, Huzaifa S. Sidhpurwala
rtkit patch (2.49 KB, patch), 2013-09-08 23:15 EDT, Huzaifa S. Sidhpurwala
systemd.patch (4.08 KB, patch), 2013-09-08 23:16 EDT, Huzaifa S. Sidhpurwala

Description Vincent Danen 2013-08-29 00:02:35 EDT
Sebastian Krahmer reported a race condition in the polkit unix-process subject for authorization. It depended on the (PID, startup_time) pair to be passed to polkit, which then used /proc/PID/status to find the UID the process belongs to. A local attacker could exploit this issue via a polkit enabled application, by starting a suid or pkexec process, changing the euid and/or uid at will. This could result in bypassing polkit authorizations or even privilege escalation in some cases.
Comment 11 Huzaifa S. Sidhpurwala 2013-09-08 23:09:49 EDT
Created attachment 795472
polkit patch
Comment 12 Huzaifa S. Sidhpurwala 2013-09-08 23:11:39 EDT
Created attachment 795473
spice-gtk patch

Instead of using polkit_unix_process_new() which can be racy, spice-gtk is modified to use polkit_unix_process_new_for_owner()
Comment 13 Huzaifa S. Sidhpurwala 2013-09-08 23:13:53 EDT
Created attachment 795474
hplip patch

hplip invokes polkit via D-Bus; the patch passes system-bus-name as the subject, not the pid, to polkit.
Comment 14 Huzaifa S. Sidhpurwala 2013-09-08 23:15:57 EDT
Created attachment 795475
rtkit patch

Pass the uid of the caller to polkit.
Comment 15 Huzaifa S. Sidhpurwala 2013-09-08 23:16:34 EDT
Created attachment 795476
systemd.patch
Comment 16 Huzaifa S. Sidhpurwala 2013-09-08 23:32:43 EDT
As per polkit documentation:

"polkit applications are applications using the polkit authority as a decider component. They do this by installing a .policy file into the /usr/share/polkit-1/actions directory and communicating with the polkit authority at runtime (either via the D-Bus API or indirectly through the libpolkit-gobject-1 library or the pkcheck command)."

So the attached polkit patch attempts to address this issue in all three ways by which the polkit authority is invoked.

1. libpolkit-gobject-1:
polkit_unix_process_new() is deprecated, and polkit_unix_process_new_for_owner() should now be used in its place. This way we avoid a race condition if the parent execve()s a setuid program.

2. dbus API:
Modify the D-Bus API to accept system-bus-name as the subject, not the pid.

3. pkcheck:
Modify pkcheck to support --process=pid,start-time,uid.

Based on the above changes, consumers of polkit using the specific APIs are also changed.

spice-gtk: Uses polkit_unix_process_new(); changed to now use polkit_unix_process_new_for_owner().

hplip/rtkit/systemd: Used D-Bus; modified to use the new D-Bus syntax.

libvirt: Uses pkcheck; modified to use the newer pkcheck syntax. Major changes were made to incorporate the new change.
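The following is an added illustration, not code from polkit or from any of the patches above: a simulated /proc (the constructed FakeProc class) shows why a subject identified only by (pid, start_time) is racy when the process execve()s a setuid binary before the check runs, and why binding the uid captured from the caller's credentials (the semantics of polkit_unix_process_new_for_owner() and of pkcheck --process=pid,start-time,uid) closes the window. The function names subject_uid_racy, subject_uid_for_owner and demo are assumptions for this example.

```python
# Added example (not polkit's code): a simulated /proc shows why a
# (pid, start_time) subject is racy and why binding the uid fixes it.
from dataclasses import dataclass, field


@dataclass
class FakeProc:
    """Constructed stand-in for /proc/<pid>/stat (start time) and
    /proc/<pid>/status (uid); real polkit reads the real files."""
    procs: dict = field(default_factory=dict)

    def add(self, pid, start_time, uid):
        self.procs[pid] = {"start_time": start_time, "uid": uid}

    def setuid_execve(self, pid, new_uid):
        # execve() of a setuid binary keeps pid and start time but
        # changes the credentials reported in /proc/<pid>/status
        self.procs[pid]["uid"] = new_uid

    def start_time(self, pid):
        return self.procs[pid]["start_time"]

    def status_uid(self, pid):
        return self.procs[pid]["uid"]


def subject_uid_racy(proc, pid, start_time):
    """Pre-fix polkit_unix_process_new() semantics: the subject is only
    (pid, start_time); the uid is looked up from /proc at check time."""
    if proc.start_time(pid) != start_time:
        raise LookupError("pid was reused, subject is stale")
    return proc.status_uid(pid)


def subject_uid_for_owner(proc, pid, start_time, uid):
    """Post-fix polkit_unix_process_new_for_owner() semantics: the uid
    captured from the caller's credentials is part of the subject and
    is never re-read from /proc, so a later uid change is not trusted."""
    if proc.start_time(pid) != start_time:
        raise LookupError("pid was reused, subject is stale")
    return uid


def demo():
    """Returns (uid seen by the racy check, uid seen by the owner-bound check)."""
    proc = FakeProc()
    proc.add(4242, start_time=100, uid=1000)  # unprivileged requester
    captured_uid = proc.status_uid(4242)      # credentials at request time
    proc.setuid_execve(4242, 0)               # happens before the check runs
    return (subject_uid_racy(proc, 4242, 100),
            subject_uid_for_owner(proc, 4242, 100, captured_uid))
```

The racy variant now reports uid 0 for a request that was made by uid 1000, while the owner-bound variant still reports 1000; both still reject a stale subject whose start time no longer matches.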
Comment 17 Colin Walters 2013-09-09 17:19:10 EDT
(In reply to Huzaifa S. Sidhpurwala from comment #11)
> Created attachment 795472
> polkit patch

Note I recommend that clients only update with patches 1 and 2 here - 3 and 4 are merely cleanups that I want to do as a separate step.  Or really, only patch 2 is needed.

I've updated my git repository to reflect that by moving 1,3,4 to a separate cleanups/ directory.
Comment 20 Huzaifa S. Sidhpurwala 2013-09-11 01:51:50 EDT
Note:

The components described in Comment #16 are also affected by this flaw. They have been assigned separate CVEs as per the following:

CVE-2013-4311 libvirt: insecure calling of polkit via libgobject API
CVE-2013-4324 spice-gtk: use of insecure polkit libgobject-1 API
CVE-2013-4325 hplip: use of insecure polkit DBUS API
CVE-2013-4326 rtkit: use of insecure polkit DBUS API
CVE-2013-4327 systemd: use of insecure polkit DBUS API
Comment 21 Murray McAllister 2013-09-16 23:59:14 EDT
Acknowledgements:

Red Hat would like to thank Sebastian Krahmer of the SUSE Security Team for reporting this issue.
Comment 22 Vincent Danen 2013-09-18 11:07:37 EDT
This is now public:

http://www.openwall.com/lists/oss-security/2013/09/18/4
Comment 23 Vincent Danen 2013-09-18 11:24:12 EDT
Created polkit tracking bugs for this issue:

Affects: fedora-all [bug 1009538]
Comment 24 errata-xmlrpc 2013-09-19 14:10:14 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1270 https://rhn.redhat.com/errata/RHSA-2013-1270.html
Comment 25 Fedora Update System 2013-09-20 12:22:34 EDT
polkit-0.112-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 26 Fedora Update System 2013-09-22 00:28:04 EDT
polkit-0.107-6.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 27 Fedora Update System 2013-09-22 20:12:24 EDT
polkit-0.112-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.