Bug 692922 (CVE-2011-1485) - CVE-2011-1485 polkit: polkitd/pkexec vulnerability
Summary: CVE-2011-1485 polkit: polkitd/pkexec vulnerability
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-1485
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 692941 692942 697951
Blocks:
 
Reported: 2011-04-01 17:24 UTC by David Zeuthen
Modified: 2023-05-13 00:50 UTC (History)
5 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-01-27 15:43:39 UTC
Embargoed:


Attachments
Patch 1/4 (3.81 KB, patch) - 2011-04-01 19:21 UTC, David Zeuthen
Patch 2/4 (21.16 KB, patch) - 2011-04-01 19:22 UTC, David Zeuthen
Patch 3/4 (1.49 KB, patch) - 2011-04-01 19:22 UTC, David Zeuthen
Patch 4/4 (4.57 KB, patch) - 2011-04-01 19:23 UTC, David Zeuthen
polkit 0.96 patch 1/4 (3.49 KB, patch) - 2011-04-11 18:24 UTC, David Zeuthen
polkit 0.96 patch 2/4 (22.41 KB, patch) - 2011-04-11 18:24 UTC, David Zeuthen
polkit 0.96 patch 3/4 (1.46 KB, patch) - 2011-04-11 18:24 UTC, David Zeuthen
polkit 0.96 patch 4/4 (4.54 KB, patch) - 2011-04-11 18:25 UTC, David Zeuthen


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2011:0455 | 0 | normal | SHIPPED_LIVE | Important: polkit security update | 2011-04-19 18:38:21 UTC

Description David Zeuthen 2011-04-01 17:24:01 UTC
I was contacted privately about a potential vulnerability in polkitd and pkexec.

Briefly, the problem is that the UID for the parent process of pkexec(1) is read from /proc by stat(2)'ing /proc/PID.

The problem with this is that this returns the effective uid of the process which can easily be set to 0 by invoking a setuid-root binary such as /usr/bin/chsh in the parent process of pkexec(1). Instead we are really interested in the real-user-id.

While there's a check in pkexec.c to avoid this problem (by comparing it to what we expect the uid to be - namely that of the pkexec.c process itself which is the uid of the parent process at pkexec-spawn-time), there is still a short window where an attacker can fool pkexec/polkitd into thinking that the parent process has uid 0 and is therefore authorized. It's pretty hard to hit this window - I actually don't know if it can be made to work in practice.

Either way, if exploitable (which I think it is), this bug is a local root exploit so we should treat it like that. Now that there is no vendor-sec list anymore, I don't know what it means wrt embargoing? (so far this issue has been kept confidential - and the patches fixing this are not yet publicly available)

I already have patches for polkit master to fix this problem (to look up the right uid) and also avoid having to look up the UID in /proc/PID at all (doing so generally causes TOCTTOU bugs). These patches should all work in the polkit versions shipped in supported versions of Fedora.

I am right now working on patches for RHEL6.
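
The following is an added illustration of the uid confusion described in the report above; it is not polkit code and not one of the attached patches. It contrasts the approach the report describes (stat(2) on /proc/PID, whose st_uid reflects the effective uid and so reads 0 once the parent has exec'd a setuid-root binary such as chsh) with reading the real uid from the Uid: line of /proc/PID/status. The function names, the constructed SAMPLE_STATUS buffer and the use of getppid() for the live check are assumptions for this example only.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Parse the "Uid:" line of a /proc/PID/status buffer.
 * out[0]=real, out[1]=effective, out[2]=saved, out[3]=filesystem uid.
 * Returns 0 on success, -1 if no well-formed Uid: line is present. */
int parse_status_uids(const char *status_text, uid_t out[4])
{
    const char *line = status_text;
    while (line && *line) {
        if (strncmp(line, "Uid:", 4) == 0) {
            unsigned long v[4];
            /* %lu skips the tabs/spaces that separate the four fields */
            if (sscanf(line + 4, "%lu %lu %lu %lu", &v[0], &v[1], &v[2], &v[3]) == 4) {
                for (int i = 0; i < 4; i++)
                    out[i] = (uid_t)v[i];
                return 0;
            }
            return -1;
        }
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return -1;
}

/* The approach the report describes: stat(2) /proc/PID and take st_uid.
 * Once the process has exec'd a setuid-root binary this is 0, which says
 * nothing about the user who actually started it. */
int uid_via_proc_stat(pid_t pid, uid_t *uid_out)
{
    char path[64];
    struct stat st;
    snprintf(path, sizeof path, "/proc/%ld", (long)pid);
    if (stat(path, &st) != 0)
        return -1;
    *uid_out = st.st_uid;
    return 0;
}

/* Read the real uid (first field of Uid:) from /proc/PID/status instead.
 * This fixes which uid is examined, but it is still a lookup of a PID that
 * can be reused, so the TOCTTOU window the report mentions remains. */
int real_uid_via_proc_status(pid_t pid, uid_t *uid_out)
{
    char path[64], buf[4096];
    uid_t ids[4];
    snprintf(path, sizeof path, "/proc/%ld/status", (long)pid);
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    if (parse_status_uids(buf, ids) != 0)
        return -1;
    *uid_out = ids[0];
    return 0;
}

/* Constructed sample (assumption, not captured from a real system) of what
 * /proc/PID/status looks like for a uid-1000 shell that has exec'd chsh:
 * real uid stays 1000 while effective, saved and fs uid become 0. */
static const char SAMPLE_STATUS[] =
    "Name:\tchsh\n"
    "State:\tS (sleeping)\n"
    "Pid:\t4242\n"
    "PPid:\t4200\n"
    "Uid:\t1000\t0\t0\t0\n"
    "Gid:\t1000\t1000\t1000\t1000\n";

int main(void)
{
    uid_t ids[4], s, r;
    pid_t parent = getppid();

    if (parse_status_uids(SAMPLE_STATUS, ids) == 0)
        printf("sample: real uid %u, effective uid %u\n",
               (unsigned)ids[0], (unsigned)ids[1]);

    /* Live comparison on our own parent; both read the same uid unless the
     * parent is running a setuid binary, which is exactly the reported case. */
    if (uid_via_proc_stat(parent, &s) == 0 && real_uid_via_proc_status(parent, &r) == 0)
        printf("parent %ld: stat(/proc/PID) st_uid %u, real uid from status %u\n",
               (long)parent, (unsigned)s, (unsigned)r);
    return 0;
}
```

Run it from an ordinary shell and both numbers for the parent agree; run it as a child of a setuid-root process and the stat(2) value reads 0 while the status value still reports the invoking user. Neither lookup closes the PID-reuse race, which is why the report's fix moves away from /proc/PID lookups altogether rather than only switching fields.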

Comment 4 David Zeuthen 2011-04-01 19:21:29 UTC
Created attachment 489458 [details]
Patch 1/4

Comment 5 David Zeuthen 2011-04-01 19:22:15 UTC
Created attachment 489461 [details]
Patch 2/4

Comment 6 David Zeuthen 2011-04-01 19:22:46 UTC
Created attachment 489462 [details]
Patch 3/4

Comment 7 David Zeuthen 2011-04-01 19:23:07 UTC
Created attachment 489463 [details]
Patch 4/4

Comment 9 David Zeuthen 2011-04-11 18:24:20 UTC
Created attachment 491306 [details]
polkit 0.96 patch 1/4

Comment 10 David Zeuthen 2011-04-11 18:24:38 UTC
Created attachment 491307 [details]
polkit 0.96 patch 2/4

Comment 11 David Zeuthen 2011-04-11 18:24:53 UTC
Created attachment 491308 [details]
polkit 0.96 patch 3/4

Comment 12 David Zeuthen 2011-04-11 18:25:08 UTC
Created attachment 491309 [details]
polkit 0.96 patch 4/4

Comment 13 David Zeuthen 2011-04-11 18:26:43 UTC
polkit 0.96, as shipped in RHEL6, is a bit different from git master. I've attached the patches for 0.96 in comment 9, comment 10, comment 11 and comment 12. These patches will appear in a polkit-0-96 branch in the upstream git repo once the embargo has been lifted.

Comment 14 Josh Bressers 2011-04-14 15:01:15 UTC
Acknowledgements:

Red Hat would like to thank Neel Mehta of Google for reporting this issue.

Comment 17 Jan Lieskovsky 2011-04-19 18:28:11 UTC
Created polkit tracking bugs for this issue

Affects: fedora-all [bug 697951]

Comment 19 errata-xmlrpc 2011-04-19 18:38:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0455 https://rhn.redhat.com/errata/RHSA-2011-0455.html

