#VU16313 Command injection in PolicyKit - CVE-2018-19788
Published: December 7, 2018 / Updated: April 7, 2020
Vulnerability identifier: #VU16313
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear
CVE-ID: CVE-2018-19788
CWE-ID: CWE-77
Exploitation vector: Local access
Exploit availability:
Public exploit is available
Vulnerable software:
PolicyKit
PolicyKit
Software vendor:
Freedesktop.org
Freedesktop.org
Description
The vulnerability allows a local authenticated attacker to execute arbitrary commands on the target system.
The vulnerability exists due to PolicyKit's improper validation of permission requests for any low-privileged user with UID greater than INT_MAX, a constant in computer programming that defines what maximum value an integer variable can store, which equals to 2147483647 (in hexadecimal 0x7FFFFFFF). A local authenticated attacker with a uid greater than INT_MAX can execute any systemctl command.
Remediation
The patch just refuses to initialize uid and gid values to negative. A nicer fix is to change the underlying type to e.g. gint64 to allow
the full range of values in uid_t and gid_t to be represented. But this cannot be done without breaking the API, so likely new functions
will have to be added (a polkit_unix_user_new variant that takes a gint64, and the same for _group_new, _set_uid, _get_uid, _set_gid,
_get_gid, etc.). This will require a bigger patch.
the full range of values in uid_t and gid_t to be represented. But this cannot be done without breaking the API, so likely new functions
will have to be added (a polkit_unix_user_new variant that takes a gint64, and the same for _group_new, _set_uid, _get_uid, _set_gid,
_get_gid, etc.). This will require a bigger patch.