Bug 692922 - (CVE-2011-1485) CVE-2011-1485 polkitd/pkexec vulnerability
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Target Release: ---
Assigned To: Red Hat Product Security
Whiteboard: public=20110419,reported=20110401,sou...
Keywords: Security
Depends On: 692941 692942 697951
Blocks:
Reported: 2011-04-01 13:24 EDT by David Zeuthen
Modified: 2015-11-24 09:37 EST (History)
CC: 5 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-01-27 10:43:39 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments
Patch 1/4 (3.81 KB, patch), 2011-04-01 15:21 EDT, David Zeuthen
Patch 2/4 (21.16 KB, patch), 2011-04-01 15:22 EDT, David Zeuthen
Patch 3/4 (1.49 KB, patch), 2011-04-01 15:22 EDT, David Zeuthen
Patch 4/4 (4.57 KB, patch), 2011-04-01 15:23 EDT, David Zeuthen
polkit 0.96 patch 1/4 (3.49 KB, patch), 2011-04-11 14:24 EDT, David Zeuthen
polkit 0.96 patch 2/4 (22.41 KB, patch), 2011-04-11 14:24 EDT, David Zeuthen
polkit 0.96 patch 3/4 (1.46 KB, patch), 2011-04-11 14:24 EDT, David Zeuthen
polkit 0.96 patch 4/4 (4.54 KB, patch), 2011-04-11 14:25 EDT, David Zeuthen

Description David Zeuthen 2011-04-01 13:24:01 EDT
I was contacted privately about a potential vulnerability in polkitd and pkexec.

Briefly, the problem is that the UID for the parent process of pkexec(1) is read from /proc by stat(2)'ing /proc/PID.

The problem with this is that this returns the effective uid of the process which can easily be set to 0 by invoking a setuid-root binary such as /usr/bin/chsh in the parent process of pkexec(1). Instead we are really interested in the real-user-id.

While there's a check in pkexec.c to avoid this problem (by comparing it to what we expect the uid to be - namely that of the pkexec.c process itself which is the uid of the parent process at pkexec-spawn-time), there is still a short window where an attacker can fool pkexec/polkitd into thinking that the parent process has uid 0 and is therefore authorized. It's pretty hard to hit this window - I actually don't know if it can be made to work in practice.

Either way, if exploitable (which I think it is), this bug is a local root exploit so we should treat it like that. Now that there is no vendor-sec list anymore, I don't know what it means wrt embargoing? (so far this issue has been kept confidential - and the patches fixing this are not yet publicly available)

I already have patches for polkit master to fix this problem (to look up the right uid) and also avoid having to look up the UID in /proc/PID at all (doing so generally causes TOCTTOU bugs). These patches should all work in the polkit versions shipped in supported versions of Fedora.

I am right now working on patches for RHEL6.
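The two ways of learning a process's uid that the report contrasts, shown side by side as an added example (this is not code from the bug's attachments or from polkit itself). It assumes a Linux /proc: the owner reported by stat(2) on /proc/PID tracks the process's effective uid, while the "Uid:" line of /proc/PID/status lists real, effective, saved and filesystem uid explicitly, so the real uid can be read without guessing. The function names and the proc_uids struct are this example's own.

```c
/* Added example, not polkit's code: compare stat(/proc/PID) ownership with
 * the uids listed in /proc/PID/status. Names below are this example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

struct proc_uids {
    uid_t real;
    uid_t effective;
    uid_t saved;
    uid_t fs;
};

/* Owner of /proc/PID as reported by stat(2), i.e. the value pkexec
 * originally relied on. Returns (uid_t)-1 if the directory cannot be stat'ed. */
uid_t proc_stat_owner(pid_t pid)
{
    char path[64];
    struct stat st;

    snprintf(path, sizeof path, "/proc/%ld", (long) pid);
    if (stat(path, &st) != 0)
        return (uid_t) -1;
    return st.st_uid;
}

/* Parse the "Uid:" line of /proc/PID/status into real/effective/saved/fs.
 * Returns 0 on success, -1 on failure (no such process, unreadable file,
 * or a malformed line). */
int proc_status_uids(pid_t pid, struct proc_uids *out)
{
    char path[64];
    char line[256];
    FILE *fp;
    int found = 0;

    snprintf(path, sizeof path, "/proc/%ld/status", (long) pid);
    fp = fopen(path, "r");
    if (fp == NULL)
        return -1;

    while (fgets(line, sizeof line, fp) != NULL) {
        unsigned long r, e, s, f;
        if (strncmp(line, "Uid:", 4) != 0)
            continue;
        /* Field order in the kernel's status file: real, effective, saved, fs. */
        if (sscanf(line + 4, "%lu %lu %lu %lu", &r, &e, &s, &f) == 4) {
            out->real = (uid_t) r;
            out->effective = (uid_t) e;
            out->saved = (uid_t) s;
            out->fs = (uid_t) f;
            found = 1;
        }
        break;
    }
    fclose(fp);
    return found ? 0 : -1;
}

/* The real uid of PID, which is what an authorization decision should be
 * based on. Returns (uid_t)-1 if it cannot be read. */
uid_t proc_real_uid(pid_t pid)
{
    struct proc_uids u;
    if (proc_status_uids(pid, &u) != 0)
        return (uid_t) -1;
    return u.real;
}

int main(void)
{
    pid_t self = getpid();
    struct proc_uids u;

    if (proc_status_uids(self, &u) != 0) {
        perror("proc_status_uids");
        return 1;
    }
    printf("pid %ld: /proc/PID owner=%lu real=%lu effective=%lu saved=%lu fs=%lu\n",
           (long) self, (unsigned long) proc_stat_owner(self),
           (unsigned long) u.real, (unsigned long) u.effective,
           (unsigned long) u.saved, (unsigned long) u.fs);
    return 0;
}
```

For an ordinary unprivileged process the two agree; they diverge exactly in the case the report describes, once the parent has exec'ed a setuid-root binary, because only the effective uid changes to 0 and only the effective uid is reflected in the directory owner. Reading the real uid is the right value to check, but it is still a lookup by PID at a moment of the checker's choosing, which is why the report also wants to stop consulting /proc/PID for this purpose altogether.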
Comment 4 David Zeuthen 2011-04-01 15:21:29 EDT
Created attachment 489458 [details]
Patch 1/4
Comment 5 David Zeuthen 2011-04-01 15:22:15 EDT
Created attachment 489461 [details]
Patch 2/4
Comment 6 David Zeuthen 2011-04-01 15:22:46 EDT
Created attachment 489462 [details]
Patch 3/4
Comment 7 David Zeuthen 2011-04-01 15:23:07 EDT
Created attachment 489463 [details]
Patch 4/4
Comment 9 David Zeuthen 2011-04-11 14:24:20 EDT
Created attachment 491306 [details]
polkit 0.96 patch 1/4
Comment 10 David Zeuthen 2011-04-11 14:24:38 EDT
Created attachment 491307 [details]
polkit 0.96 patch 2/4
Comment 11 David Zeuthen 2011-04-11 14:24:53 EDT
Created attachment 491308 [details]
polkit 0.96 patch 3/4
Comment 12 David Zeuthen 2011-04-11 14:25:08 EDT
Created attachment 491309 [details]
polkit 0.96 patch 4/4
Comment 13 David Zeuthen 2011-04-11 14:26:43 EDT
polkit 0.96, as shipped in RHEL6, is a bit different from git master. I've attached the patches for 0.96 in comment 9, comment 10, comment 11 and comment 12. These patches will appear in a polkit-0-96 branch in the upstream git repo once the embargo has been lifted.
Comment 14 Josh Bressers 2011-04-14 11:01:15 EDT
Acknowledgements:

Red Hat would like to thank Neel Mehta of Google for reporting this issue.
Comment 17 Jan Lieskovsky 2011-04-19 14:28:11 EDT
Created polkit tracking bugs for this issue

Affects: fedora-all [bug 697951]
Comment 19 errata-xmlrpc 2011-04-19 14:38:27 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0455 https://rhn.redhat.com/errata/RHSA-2011-0455.html
