Command execution in PolicyKit

Published: 2018-12-07 10:01:13
Severity Low
Patch available NO
Number of vulnerabilities 1
CVE ID CVE-2018-19788
Exploitation vector Local
Public exploit Public exploit code for vulnerability #1 is available.
Vulnerable software PolicyKit
Vulnerable software versions PolicyKit 0.115
Vendor URL

Security Advisory

1) Command injection


The vulnerability allows a local authenticated attacker to execute arbitrary commands on the target system.

The vulnerability exists due to PolicyKit's improper validation of permission requests for any low-privileged user with UID greater than INT_MAX, a constant in computer programming that defines what maximum value an integer variable can store, which equals to 2147483647 (in hexadecimal 0x7FFFFFFF). A local authenticated attacker with a uid greater than INT_MAX can execute any systemctl command.


The patch just refuses to initialize uid and gid values to negative. A nicer fix is to change the underlying type to e.g. gint64 to allow
the full range of values in uid_t and gid_t to be represented. But this cannot be done without breaking the API, so likely new functions
will have to be added (a polkit_unix_user_new variant that takes a gint64, and the same for _group_new, _set_uid, _get_uid, _set_gid,
_get_gid, etc.). This will require a bigger patch.

External links

Back to List