Red Hat Bugzilla – Bug 692922
CVE-2011-1485 polkitd/pkexec vulnerability
Last modified: 2015-11-24 09:37:51 EST
I was contacted privately about a potential vulnerability in polkitd and pkexec.
Briefly, the problem is that the UID for the parent process of pkexec(1) is read from /proc by stat(2)'ing /proc/PID.
The problem with this is that this returns the effective uid of the process which can easily be set to 0 by invoking a setuid-root binary such as /usr/bin/chsh in the parent process of pkexec(1). Instead we are really interested in the real-user-id.
While there's a check in pkexec.c to avoid this problem (by comparing it to what we expect the uid to be - namely that of the pkexec.c process itself which is the uid of the parent process at pkexec-spawn-time), there is still a short window where an attacker can fool pkexec/polkitd into thinking that the parent process has uid 0 and is therefore authorized. It's pretty hard to hit this window - I actually don't know if it can be made to work in practice.
Either way, if exploitable (which I think it is), this bug is a local root exploit so we should treat it like that. Now that there is no vendor-sec list anymore, I don't know what it means wrt to embargoing? (so far this issue has been kept confidential - and the patches fixing this are not yet publicly available)
I already have patches for polkit master to fix this problem (to look up the right uid) and also avoid having to look up the UID in /proc/PID at all (doing so is generally causes TOCTTOU bugs). These patches should all work in the polkit versions shipped in supported versions of Fedora.
I am right now working on patches for RHEL6.
Created attachment 489458 [details]
Created attachment 489461 [details]
Created attachment 489462 [details]
Created attachment 489463 [details]
Created attachment 491306 [details]
polkit 0.96 patch 1/4
Created attachment 491307 [details]
polkit 0.96 patch 2/4
Created attachment 491308 [details]
polkit 0.96 patch 3/4
Created attachment 491309 [details]
polkit 0.96 patch 4/4
polkit 0.96, as shipped in RHEL6, is a bit different from git master. I've attached the patches for 0.96 in comment 9, comment 10, comment 11 and comment 12. These patches will appear in a polkit-0-96 branch in the upstream git repo once the embargo has been lifted.
Red Hat would like to thank Neel Mehta of Google for reporting this issue.
Created polkit tracking bugs for this issue
Affects: fedora-all [bug 697951]
This issue has been addressed in following products:
Red Hat Enterprise Linux 6
Via RHSA-2011:0455 https://rhn.redhat.com/errata/RHSA-2011-0455.html