oss-sec mailing list archives
Re: pwnkit: Local Privilege Escalation in polkit's pkexec (CVE-2021-4034)
From: Kai Lüke <kai () kinvolk io>
Date: Thu, 27 Jan 2022 13:45:33 +0100
Dominik Czarnota wrote:
> And many other binaries also do things incorrectly
The setuid binary polkit-agent-helper-1 has checks in place for argc in the usual code paths, but when it's not executed with euid 0 (i.e., it's not setuid), there is an argv[0] deref through printf, which luckily handles it gracefully and prints "(null)" instead:

polkit-agent-helper-1: needs to be setuid root
PAM_ERROR_MSG Incorrect permissions on (null) (needs to be setuid root)

I wonder, however, if the amount of setuid binaries couldn't be reduced, in this case by offloading the PAM auth check to the polkit daemon again (which could verify the client program's uid through the Unix Domain Socket).

An alternative to pkexec that is not setuid but also uses polkit auth is systemd-run (here is an attempt at mimicking the sudo UX: https://gist.github.com/pothos/73dd4f7694acc3b6bbed614438f6e2b1).

-- 
Kinvolk GmbH | Adalbertstr.6a, 10999 Berlin | tel: +491755589364
Geschäftsführer/Directors: Benjamin Owen Orndorff
Registergericht/Court of registration: Amtsgericht Charlottenburg
Registernummer/Registration number: HRB 171414 B
Ust-ID-Nummer/VAT ID number: DE302207000