oss-sec mailing list archives

CVE-2017-7572: backintime: usage of deprecated unix-process polkit authorization subject opens a race condition during authorization

From: Matthias Gerstner <mgerstner () suse de>
Date: Fri, 7 Apr 2017 10:41:59 +0200

Hello,

backintime includes a DBus service helper 'qt/serviceHelper.py'. This helper
uses polkit to authorize some of its APIs, they should only be accessible
through entering the root password. The helper program uses the deprecated
"unix-process" authorization subject for this purpose, however. This polkit
authorization method is known to be affected by a "time of check, time of use"
race condition:

https://www.freedesktop.org/software/polkit/docs/latest/PolkitUnixProcess.html#polkit-unix-process-new
https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack/blob/master/2011/CVE-2011-1485/polkit-pwnage.c

To exploit this issue an attacker needs to be able to replace the PID of
a process that requests an affected polkit privilege by a root owned
process, just in time for polkitd to assume that the requesting process
was privileged and no further password entry is required.

In the worst case this could allow a regular user to add udev rules to the
system that run commands in the context of the regular user, once a certain
udev event occurs. I don't think it is easily possible to gain root privileges
this way. This is because the serviceHelper wraps the udev commands in a sudo
call running as the user owning the requesting process. The determination of
this identity is done in a different, more secure way.

I've proposed a fix to upstream that changes the authorization mechanism to
"system-bus-name" which is considered safe and not affected by the described
race condition.

This issue was discovered by Sebastian Krahmer of the SUSE security team.

References:

[Suggested patch] https://github.com/bit-team/backintime/commit/7f208dc547f569b689c888103e3b593a48cd1869
[openSUSE bug] https://bugzilla.suse.com/show_bug.cgi?id=1032717

--
Matthias Gerstner <matthias.gerstner () suse de>
Dipl.-Wirtsch.-Inf. (FH), Security Engineer
https://www.suse.com/security
Telefon: +49 911 740 53 290

SUSE Linux GmbH
GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nuernberg)

Attachment: signature.asc
Description: Digital signature

Current thread:

CVE-2017-7572: backintime: usage of deprecated unix-process polkit authorization subject opens a race condition during authorization Matthias Gerstner (Apr 07)