[BreachExchange] Linux System Service Bug Allows You to Gain Root Access

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Mon Jun 14 13:41:56 EDT 2021


https://www.ehackingnews.com/2021/06/linux-system-service-bug-allows-you-to.html

An authentication bypass vulnerability in polkit, the authorization service
installed by default on many recent Linux distributions, lets an unprivileged
local user gain a root shell. The polkit local privilege escalation flaw
(CVE-2021-3560) was publicly disclosed on June 3, 2021, and a fix was
released. Polkit is used by systemd, so any Linux distribution that uses
systemd also ships polkit.

Kevin Backhouse, a security researcher at GitHub, described how he found the
bug (CVE-2021-3560) in the polkit system service in a blog post published on
Thursday. The bug was introduced seven years ago in commit bfa5036 and first
shipped in polkit version 0.113, but it reached different Linux distributions
at different times. Although many distributions did not ship a vulnerable
polkit release until recently, any Linux machine running an unpatched polkit
0.113 or later is vulnerable.

Polkit, formerly known as PolicyKit, is the service that decides whether a
process may perform an action that requires more privileges than it currently
holds; creating a new user account, for example, is one such action. According
to Backhouse, exploiting the issue is shockingly simple, requiring only a few
commands built from standard terminal tools such as bash, kill, and dbus-send.

"The vulnerability is triggered by starting a dbus-send command but killing
it while polkit is still in the middle of processing the request,"
explained Backhouse. dbus-send is a command-line tool for sending D-Bus
messages (the interprocess communication mechanism used by polkit). Killing
it in the middle of an authorization request produces an error inside polkit:
polkit asks dbus-daemon for the UID of the requesting connection, but that
connection no longer exists.

"In fact, polkit mishandles the error in a particularly unfortunate way:
rather than rejecting the request, it treats the request as though it came
from a process with UID 0," explains Backhouse. "In other words, it
immediately authorizes the request because it thinks the request has come
from a root process."

Because polkit queries dbus-daemon for the UID several times along different
code paths, the error does not always have this effect. According to
Backhouse, most of those code paths handle the error correctly, but one does
not, and if the disconnection happens while that path is running, privilege
escalation follows. The outcome therefore depends on timing, which varies
unpredictably because several processes are involved. Backhouse believes this
intermittent behaviour is why the bug went unnoticed for seven years.
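The failure mode described above, as an added example that is not from the article and is not polkit's source code: a small C model of a request that re-queries the caller's UID along three code paths, where the third path follows the vulnerable pattern (the UID variable starts at 0 and the lookup's error is ignored) and can be switched to the fail-closed fix. The step count, step names, struct layout and function names are illustrative assumptions, not polkit internals.

```c
/* Added example (not polkit's source code): a simplified model of the
 * error-handling flaw behind CVE-2021-3560.  A request is checked along
 * several code paths that each ask dbus-daemon for the caller's UID; one
 * path mishandles a failed lookup.  Step names, the number of steps and the
 * struct layout are illustrative assumptions, not polkit internals. */
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/* Constructed stand-in for the D-Bus connection that sent the request. */
struct bus_conn {
    uid_t uid;    /* real UID of the peer (e.g. 1000 for a normal user) */
    bool  alive;  /* false once the client (dbus-send) has been killed */
};

/* Models "ask dbus-daemon for the UID owning this connection".
 * Returns 0 on success, -1 if the connection no longer exists. */
static int lookup_connection_uid(const struct bus_conn *c, uid_t *out_uid)
{
    if (!c->alive)
        return -1;            /* dbus-daemon: no such connection */
    *out_uid = c->uid;
    return 0;
}

/* The request is processed in three steps, each re-querying the UID.
 * dies_before_step says when the client disappears (0 = never). */
enum { DIES_NEVER = 0, DIES_BEFORE_1 = 1, DIES_BEFORE_2 = 2, DIES_BEFORE_3 = 3 };

/* Returns true if the request would be granted without any authentication.
 * With patched == false, step 3 follows the vulnerable pattern: the UID
 * variable starts at 0 and the lookup's return value is never checked. */
bool check_authorization_model(uid_t caller_uid, int dies_before_step, bool patched)
{
    struct bus_conn c = { .uid = caller_uid, .alive = true };
    uid_t uid = 0;

    /* Step 1: error handled correctly (fail closed). */
    if (dies_before_step == DIES_BEFORE_1) c.alive = false;
    if (lookup_connection_uid(&c, &uid) != 0)
        return false;

    /* Step 2: error handled correctly (fail closed). */
    if (dies_before_step == DIES_BEFORE_2) c.alive = false;
    if (lookup_connection_uid(&c, &uid) != 0)
        return false;

    /* Step 3: the path that decides "is the caller root?" */
    if (dies_before_step == DIES_BEFORE_3) c.alive = false;
    uid = 0;
    if (patched) {
        if (lookup_connection_uid(&c, &uid) != 0)
            return false;                  /* unknown caller: deny */
    } else {
        lookup_connection_uid(&c, &uid);   /* return value ignored: uid stays 0 */
    }
    return uid == 0;                       /* root needs no authentication */
}

int main(void)
{
    const uid_t user = 1000;
    for (int step = DIES_NEVER; step <= DIES_BEFORE_3; step++)
        printf("uid 1000, client dies before step %d: vulnerable=%d patched=%d\n",
               step,
               check_authorization_model(user, step, false),
               check_authorization_model(user, step, true));
    printf("uid 0, alive: vulnerable=%d patched=%d\n",
           check_authorization_model(0, DIES_NEVER, false),
           check_authorization_model(0, DIES_NEVER, true));
    return 0;
}
```

Build and run with `cc -Wall model.c && ./a.out`. Only the "dies before step 3" row grants the unprivileged caller's request in the vulnerable build; the client dying earlier is caught by the paths that check the error, and a caller that stays connected is correctly seen as UID 1000. That single window is what makes the real bug timing-dependent: the disconnect has to land while that one code path is executing, and the same input yields a denial on every other attempt. The fix is the fail-closed branch: a request whose caller cannot be identified is rejected rather than treated as root.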