Date: Fri, 7 Apr 2017 10:41:59 +0200 From: Matthias Gerstner <mgerstner@...e.de> To: oss-security@...ts.openwall.com Subject: CVE-2017-7572: backintime: usage of deprecated unix-process polkit authorization subject opens a race condition during authorization Hello, backintime includes a DBus service helper 'qt/serviceHelper.py'. This helper uses polkit to authorize some of its APIs, they should only be accessible through entering the root password. The helper program uses the deprecated "unix-process" authorization subject for this purpose, however. This polkit authorization method is known to be affected by a "time of check, time of use" race condition: https://www.freedesktop.org/software/polkit/docs/latest/PolkitUnixProcess.html#polkit-unix-process-new https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack/blob/master/2011/CVE-2011-1485/polkit-pwnage.c To exploit this issue an attacker needs to be able to replace the PID of a process that requests an affected polkit privilege by a root owned process, just in time for polkitd to assume that the requesting process was privileged and no further password entry is required. In the worst case this could allow a regular user to add udev rules to the system that run commands in the context of the regular user, once a certain udev event occurs. I don't think it is easily possible to gain root privileges this way. This is because the serviceHelper wraps the udev commands in a sudo call running as the user owning the requesting process. The determination of this identity is done in a different, more secure way. I've proposed a fix to upstream that changes the authorization mechanism to "system-bus-name" which is considered safe and not affected by the described race condition. This issue was discovered by Sebastian Krahmer of the SUSE security team. References: [Suggested patch] https://github.com/bit-team/backintime/commit/7f208dc547f569b689c888103e3b593a48cd1869 [openSUSE bug] https://bugzilla.suse.com/show_bug.cgi?id=1032717 -- Matthias Gerstner <matthias.gerstner@...e.de> Dipl.-Wirtsch.-Inf. (FH), Security Engineer https://www.suse.com/security Telefon: +49 911 740 53 290 SUSE Linux GmbH GF: Felix Imendörffer, Jane Smithard, Graham Norton HRB 21284 (AG Nuernberg) Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ