
posted by martyb on Thursday January 27 2022, @04:34AM

Major Linux PolicyKit security vulnerability uncovered: Pwnkit:

Polkit, formerly known as PolicyKit, is a systemd SUID-root program. It's installed by default in every major Linux distribution.

[...] This vulnerability is easy to exploit. And, with it, any ordinary user can gain full root privileges on a vulnerable computer by exploiting this vulnerability in its default configuration. As Qualys wrote in its brief description of the problem: "This vulnerability is an attacker's dream come true."

[...] Why is it so bad? Let us count the ways:

  • Pkexec is installed by default on all major Linux distributions.
  • Qualys has exploited Ubuntu, Debian, Fedora, and CentOS in their tests, and they're sure other distributions are also exploitable.
  • Pkexec has been vulnerable since its creation in May 2009 (commit c8c3d83, "Add a pkexec(1) command").
  • An unprivileged local user can exploit this vulnerability to get full root privileges.
  • Although this vulnerability is technically a memory corruption, it is exploitable instantly and reliably in an architecture-independent way.
  • And, last but not least, it's exploitable even if the polkit daemon itself is not running.

[...] While we know Linux can be attacked, Solaris and other Unix systems may also be vulnerable. We do know, however, that OpenBSD can't be attacked by exploits using this vulnerability.

Red Hat rates the PwnKit as having a Common Vulnerability Scoring System (CVSS) score of 7.8. This is high.

When used correctly, Polkit provides an organized way for non-privileged processes to communicate with privileged processes. It is also possible to use polkit to execute commands with elevated privileges using the command pkexec followed by the command intended to be executed with root permission.
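As an added example that is not from the article or the polkit project, here is a small POSIX sh audit for the property the list above turns on: whether a pkexec binary still carries the SUID-root bit, together with the stopgap of stripping that bit until the distribution's patched package is installed. It cannot tell a patched pkexec from an unpatched one (the page gives no version numbers), and the /usr/bin/pkexec path in the usage line is an assumption.

```shell
#!/bin/sh
# Added example (not code from the article or from polkit): audit a pkexec
# binary for the SUID-root bit that PwnKit depends on, and optionally apply
# the stopgap of removing that bit until the vendor patch is in place.

# True when the file carries the set-user-ID bit ([ -u ] is POSIX).
is_suid() {
    [ -u "$1" ]
}

# True when the file is owned by uid 0 (ls -ln prints the numeric owner).
is_root_owned() {
    [ "$(ls -ln "$1" | awk '{print $3}')" = "0" ]
}

# Classify one pkexec path. Prints a one-line verdict; returns 0 when the
# binary is SUID root (exposed unless the package is patched), 1 otherwise.
audit_pkexec() {
    path=$1
    if [ ! -f "$path" ]; then
        echo "$path: not present, nothing to audit"
        return 1
    fi
    if is_suid "$path" && is_root_owned "$path"; then
        mode=$(ls -ld "$path" | cut -d' ' -f1)
        echo "$path: SUID root ($mode); exposed to PwnKit unless polkit is patched"
        return 0
    fi
    echo "$path: no SUID-root bit; pkexec cannot be used for local privilege escalation"
    return 1
}

# Stopgap: drop the SUID bit (mode 0755). This also disables legitimate
# pkexec use, so install the patched package and let it restore the mode.
mitigate_pkexec() {
    chmod 0755 "$1"
}

# Usage (assumed path): ./pkexec_audit.sh /usr/bin/pkexec [--mitigate]
if [ "$#" -gt 0 ]; then
    if audit_pkexec "$1" && [ "${2-}" = "--mitigate" ]; then
        mitigate_pkexec "$1" && echo "$1: SUID bit removed"
    fi
fi
```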

  • (Score: 5, Informative) by digitalaudiorock (688) on Thursday January 27 2022, @01:43PM (#1216150)

    Sadly. As noted, it's a systemd thing.

    I'm running Gentoo with no systemd and no polkit. Interestingly though, I think the recent recommendations to not run X as root likely changed that for many. Running X as non-root uses elogind. Its default configuration uses polkit, and I've read that at least some users seem to have had difficulty getting that elogind setup working without it. When I saw the BS that configuration wanted to install, I opted to just enable my "suid" USE flag on xorg-server, and to continue running X as root. Several users on the Gentoo forums seriously question whether running X as root is truly less secure than depending on other security nightmare BS like this to run shit as root on your behalf...myself among them. This vulnerability is pretty telling in that regard.

  • (Score: 0) by Anonymous Coward on Thursday January 27 2022, @02:20PM (#1216156)

    This exactly. Though, my Gentoo system has enough dependencies on polkit that I seem to have wound up with it anyway, even though I don't use systemd, Wayland, nor any desktop bloatware environment. The main culprits (the things that would be hard to get rid of or which I need) are libvirt and elogind. And mythtv has a transitive dependency via udisks, which I'd rather not have itself (maybe the package dependencies can be moved behind a use flag).

    Because ConsoleKit is dead, Gentoo more or less forced everyone to switch to elogind. And, to be honest, I am not even that unhappy with elogind. I don't think you can pin this on elogind, and X being setuid has caused this kind of problem in the past.

    • (Score: 4, Interesting) by digitalaudiorock (688) on Thursday January 27 2022, @02:30PM (#1216158)

      Interesting that you mentioned udisks and MythTV. I've been using MythTV since 2007. Currently I'm still running 29.1 but with an ebuild of my own. Among other things, like modifying it to not require QtWebKit, I just dropped the udisks requirement. I find that, at least with only one DVD drive on the frontend (which I never really use anymore anyway), there's no need for it at all.