[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 3 Dec 2018 22:22:12 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Subject: PolicyKit: CVE-2018-19788: Improper handling of user with uid >
INT_MAX leading to authentication bypass
Hi
In https://gitlab.freedesktop.org/polkit/polkit/issues/74 (which got
assigned CVE-2018-19788 by MITRE) it was reported that a user with uid
> INT_MAX could successfully execute any systemctl command (but the
issue is broader than that).
There is a proposed commit: https://gitlab.freedesktop.org/zbyszek/polkit/commit/fbaab32cb4ed9ed5f1e3eea6cd317d443aa427dc
> From fbaab32cb4ed9ed5f1e3eea6cd317d443aa427dc Mon Sep 17 00:00:00 2001
> From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@...waw.pl>
> Date: Mon, 3 Dec 2018 12:51:26 +0100
> Subject: [PATCH] Check gid and uid initalization in PolkitUnixUser and Group
> objects
>
> When a user or group above INT32_MAX is created, the numeric uid or
> gid wraps around to negative when the value is assigned to gint, and
> polkit gets confused. Let's refuse such uids and gids.
>
> This patch just refuses to initialize uid and gid values to negative.
> A nicer fix is to change the underlying type to e.g. gint64 to allow
> the full range of values in uid_t and gid_t to be represented. But
> this cannot be done without breaking the API, so likely new functions
> will have to be added (a polkit_unix_user_new variant that takes a
> gint64, and the same for _group_new, _set_uid, _get_uid, _set_gid,
> _get_gid, etc.). This will require a bigger patch.
>
> Fixes https://gitlab.freedesktop.org/polkit/polkit/issues/74.
>
> Example sessions from uid=4000000000:
>
> Dec 03 14:35:08 krowka polkitd[21432]: system-bus-name::1.41869 is inquiring whether system-bus-name::1.79432 is authorized for org.freedesktop.systemd1.manage-units
> Dec 03 14:35:08 krowka polkitd[21432]: user of caller is unix-user:root
> Dec 03 14:35:08 krowka polkitd[21432]: polkit_unix_user_new: assertion 'uid >= 0' failed
> Dec 03 14:35:08 krowka polkitd[21432]: polkit_identity_to_string: assertion 'POLKIT_IS_IDENTITY (identity)' failed
> Dec 03 14:35:08 krowka polkitd[21432]: user of subject is (null)
> Dec 03 14:35:08 krowka polkitd[21432]: polkit_identity_equal: assertion 'POLKIT_IS_IDENTITY (b)' failed
> Dec 03 14:35:08 krowka polkitd[21432]: checking whether system-bus-name::1.79432 is authorized for org.freedesktop.systemd1.manage-units
> Dec 03 14:35:08 krowka polkitd[21432]: polkit_unix_user_new: assertion 'uid >= 0' failed
> Dec 03 14:35:08 krowka polkitd[21432]:
> Dec 03 14:35:08 krowka polkitd[21432]: polkit_authorization_result_get_is_challenge: assertion 'POLKIT_IS_AUTHORIZATION_RESULT (result)' failed
> Dec 03 14:35:08 krowka polkitd[21432]: g_object_ref: assertion 'G_IS_OBJECT (object)' failed
> Dec 03 14:35:08 krowka polkitd[21432]: g_object_ref: assertion 'G_IS_OBJECT (object)' failed
> Dec 03 14:35:08 krowka polkitd[21432]: polkit_authorization_result_get_details: assertion 'POLKIT_IS_AUTHORIZATION_RESULT (result)' failed
> Dec 03 14:35:08 krowka polkitd[21432]: polkit_authorization_result_get_is_challenge: assertion 'POLKIT_IS_AUTHORIZATION_RESULT (result)' failed
> Dec 03 14:35:08 krowka polkitd[21432]: polkit_authorization_result_get_is_authorized: assertion 'POLKIT_IS_AUTHORIZATION_RESULT (result)' failed
> Dec 03 14:35:08 krowka polkitd[21432]: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
> Dec 03 14:35:08 krowka polkitd[21432]: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Regards,
Salvatore
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
