Command execution in PolicyKit

1) Command injection

EUVDB-ID: #VU16313

Risk: Low

CVSSv3.1: 7.2 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:W/RC:C]

CVE-ID: CVE-2018-19788

CWE-ID: CWE-77 - Command injection

Exploit availability: Yes

Description

The vulnerability allows a local authenticated attacker to execute arbitrary commands on the target system.

The vulnerability exists due to PolicyKit's improper validation of permission requests for any low-privileged user with UID greater than INT_MAX, a constant in computer programming that defines what maximum value an integer variable can store, which equals to 2147483647 (in hexadecimal 0x7FFFFFFF). A local authenticated attacker with a uid greater than INT_MAX can execute any systemctl command.

Mitigation

The patch just refuses to initialize uid and gid values to negative. A nicer fix is to change the underlying type to e.g. gint64 to allow
the full range of values in uid_t and gid_t to be represented. But this cannot be done without breaking the API, so likely new functions
will have to be added (a polkit_unix_user_new variant that takes a gint64, and the same for _group_new, _set_uid, _get_uid, _set_gid,
_get_gid, etc.). This will require a bigger patch.

Vulnerable software versions

PolicyKit: 0.115

External links

http://gitlab.freedesktop.org/polkit/polkit/issues/74

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.