Command execution in PolicyKit

Published: 2018-12-07 10:01:13
Severity Low
Patch available NO
Number of vulnerabilities 1
CVE ID CVE-2018-19788
CVSSv3 7.2 [CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:W/RC:C]
CWE ID CWE-77
Exploitation vector Local
Public exploit Public exploit code for vulnerability #1 is available.
Vulnerable software PolicyKit
Vulnerable software versions PolicyKit 0.115
Vendor URL Freedesktop.org

Security Advisory

1) Command injection

Description

The vulnerability allows a local authenticated attacker to execute arbitrary commands on the target system.

The vulnerability exists due to PolicyKit's improper validation of permission requests for any low-privileged user with UID greater than INT_MAX, a constant in computer programming that defines what maximum value an integer variable can store, which equals to 2147483647 (in hexadecimal 0x7FFFFFFF). A local authenticated attacker with a uid greater than INT_MAX can execute any systemctl command.

Remediation

The patch just refuses to initialize uid and gid values to negative. A nicer fix is to change the underlying type to e.g. gint64 to allow
the full range of values in uid_t and gid_t to be represented. But this cannot be done without breaking the API, so likely new functions
will have to be added (a polkit_unix_user_new variant that takes a gint64, and the same for _group_new, _set_uid, _get_uid, _set_gid,
_get_gid, etc.). This will require a bigger patch.

External links

https://gitlab.freedesktop.org/polkit/polkit/issues/74

Back to List