Navigation
Search
|
Privilege escalation with polkit: How to get root on Linux with a seven-year-old bug (GitHub blog)
Friday June 11, 2021. 12:01 AM , from LWN.net
On the GitHub blog, Kevin Backhouse writes
about a privilege escalation vulnerability in polkit, which 'enables an unprivileged local user to get a root shell on the system' CVE-2021-3560 'is triggered by starting a dbus-send command but killing it while polkit is still in the middle of processing the request. Why does killing the dbus-send command cause an authentication bypass? The vulnerability is in step four of the sequence of events listed above. What happens if polkit asks dbus-daemon for the UID of connection:1.96, but connection:1.96 no longer exists? dbus-daemon handles that situation correctly and returns an error. But it turns out that polkit does not handle that error correctly. In fact, polkit mishandles the error in a particularly unfortunate way: rather than rejecting the request, it treats the request as though it came from a process with UID 0. In other words, it immediately authorizes the request because it thinks the request has come from a root process.'
https://lwn.net/Articles/859064/rss
|
25 sources
Current Date
Apr, Sat 27 - 16:15 CEST
|