Posted by LWN.net ([info]syn_lwnheadline)
@ 2021-06-10 22:01:00


Privilege escalation with polkit: How to get root on Linux with a seven-year-old bug (GitHub blog)
On the GitHub blog, Kevin Backhouse writes
about a privilege escalation vulnerability in polkit, which
"enables an unprivileged local user to get a root shell on the
system". CVE-2021-3560
"is triggered by starting a dbus-send command but killing it while
polkit is still in the middle of processing the request. [...] Why does
killing the dbus-send command cause an authentication bypass? The
vulnerability is in step four of the sequence of events listed above. What
happens if polkit asks dbus-daemon for the UID of connection :1.96, but
connection :1.96 no longer exists? dbus-daemon handles that situation
correctly and returns an error. But it turns out that polkit does not
handle that error correctly. In fact, polkit mishandles the error in a
particularly unfortunate way: rather than rejecting the request, it treats
the request as though it came from a process with UID 0. In other words, it
immediately authorizes the request because it thinks the request has come
from a root process."
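The error-handling mistake described in the quote, as a simplified model added here; it is not polkit's source and not code from the GitHub blog post. The connection table, `lookup_conn_uid` and both `authorize_*` functions are hypothetical names, and the zero-initialized default is an assumption about how a dropped error can turn into UID 0.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-in for the bus daemon's table of live connections.
 * ":1.96" (the name used in the quote) is deliberately absent: it models
 * a client that was killed before the UID lookup happened. */
struct conn { const char *name; uid_t uid; };
static const struct conn live_conns[] = {
    { ":1.42", 1000 },   /* unprivileged caller, still connected */
    { ":1.7",  0    },   /* genuine root-owned client */
};

/* Hypothetical lookup: returns 0 and sets *uid on success, -1 if the
 * connection no longer exists. *uid is left untouched on failure. */
static int lookup_conn_uid(const char *name, uid_t *uid)
{
    for (size_t i = 0; i < sizeof live_conns / sizeof live_conns[0]; i++) {
        if (strcmp(live_conns[i].name, name) == 0) {
            *uid = live_conns[i].uid;
            return 0;
        }
    }
    return -1;
}

/* Fail-open: the error is ignored, so a vanished caller keeps the
 * zero default and is treated as if it were a root process. */
bool authorize_fail_open(const char *name)
{
    uid_t uid = 0;
    lookup_conn_uid(name, &uid);      /* return value dropped */
    return uid == 0;
}

/* Fail-closed: any lookup error rejects the request outright. */
bool authorize_fail_closed(const char *name)
{
    uid_t uid = (uid_t)-1;            /* never default to a privileged id */
    if (lookup_conn_uid(name, &uid) != 0)
        return false;
    return uid == 0;
}
```

The review point for any authorization path is the same: every error return from an identity lookup must end in a denial, and the identity variable should never start out holding a privileged value.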

