Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bugzilla DB migration completed. Please report issues to Infra team via email via infra@gentoo.org or IRC
Bug 485328 - [Tracker] polkit races
Summary: [Tracker] polkit races
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard:
Keywords: Tracker
Depends on: CVE-2013-4288 CVE-2013-4311 CVE-2013-4324 CVE-2013-4327 CVE-2013-4325 CVE-2013-4326
Blocks:
  Show dependency tree
 
Reported: 2013-09-18 18:32 UTC by Agostino Sarubbo
Modified: 2014-06-26 23:06 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-09-18 18:32:20 UTC
From $URL:

The polkit unix-process subject for authorization is racy. It depended
on the (PID, startup_time) pair to be passed to polkit which then used /proc/PID/status
to find out the UID the process belongs to. Meanwhile the process could
have started a suid or pkexec process, changing the euid and/or uid at will.
The startup_time does not protect here, as its not changed across an execve().

Using /proc/PID/loginuid wont work either, as one could abuse fork-spawning
processes such as sshd, apache etc. to re-use recently freed process slots,
faking the loginuid. startup_time would theoretically help here, yet as
its not atomically passed along the message which is subject to polkit
authorization, the privileged process needs to learn it by looking up
/proc/PID/, which is racy again.

Therefore the only thing that could be used is the UID that is passed
atomically in the peer cred struct when receiving the message in question.

The whole thing needs fixing in polkit, to deprecate PID authorization
as well as several core packages to make use of the new API, or use
systembus authorization.

After discussing with upstream, Colin Walters made this private git of patches
available:

http://people.freedesktop.org/~walters/secret/38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b/

Feel free to suggest improvements if necessary.

As required by list policy, I request a CRD of Sept 11th.

We also need CVE's assigned.

A PoC with example client/server which demonstrates the race
can be found here (it basically simulates libvirtd's way of
checking):

http://suse.de/~krahmer/priv/polkit-race.tgz
Comment 1 Agostino Sarubbo gentoo-dev 2013-09-18 18:32:57 UTC
This is a (probably preliminary) list of CVEs and applications affected:

CVE-2013-4288 polkit: unix-process subject for authorization is racy
CVE-2013-4311 libvirt: insecure calling of polkit via libgobject API
CVE-2013-4324 spice-gtk: use of insecure polkit libgobject-1 API
CVE-2013-4325 hplip: use of insecure polkit DBUS API
CVE-2013-4326 rtkit: use of insecure polkit DBUS API
CVE-2013-4327 systemd: use of insecure polkit DBUS API
Comment 3 Samuli Suominen gentoo-dev 2013-09-19 15:51:18 UTC
Plus Cardoe committed 0.112 to tree today for this CVE.
Comment 4 Doug Goldstein gentoo-dev 2013-09-24 19:51:15 UTC
I know at least rtkit, hplip, and systemd are all vulnerable to this.