Security Week 24: Escalating Privileges on Linux

On Thursday, June 10th, GitHub Security Lab researcher Kevin Backhouse published details of a vulnerability in the polkit service, which is included by default in most Linux distributions. The vulnerability allows a user with ordinary privileges to escalate to the highest level of privilege on the system, specifically by creating a new user with root rights.

The polkit service is responsible for authorizing users: it checks whether the caller has the rights needed to execute a command, and in a graphical session its work is usually visible only as a window asking for a password. It is used by systemd, and polkit can also be invoked from the command line. The vulnerability is exploited with a simple set of commands: if the process that has sent a request to create a new user is “killed” at the right moment, a bug in the polkit code results not only in the user being created, but also in that user being added to the sudo group.

Then everything is simple: we set a password for the new user (we do not yet have the right to do this, so the vulnerability is used a second time) and gain unlimited control over the system. The sequence of commands is described in Backhouse’s article and shown in this video:

The problem lies in incorrect error handling when the connection to the process whose rights are being verified is no longer available (hence the need to “kill” the process). Instead of aborting, polkit handles the request as if it had come from the superuser. The bug entered the program code seven years ago. Distributions such as Red Hat Enterprise Linux 8, Fedora 21, and Ubuntu 20.04 are affected. Some builds use a fork of polkit into which the vulnerability was merged only later, so they are safe; this applies, in particular, to the stable release of Debian 10. On the CVSS v3 scale the problem received a score of 7.8 out of 10, and a patch for a number of distributions is already available.
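The failure mode described above, a credential lookup whose error path is indistinguishable from “the caller is root”, is easiest to see as a small fail-open versus fail-closed comparison. The following is an added illustration written for this digest, not polkit’s actual code: `bus_peer_t`, `get_peer_uid` and the two `is_authorized_*` functions are hypothetical stand-ins for a bus credential lookup and an authorization decision, and the peers constructed in `main` are made-up sample input.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical model of a bus peer (constructed for this example, not polkit's
 * own data structure). caller_alive models whether the requesting process
 * still exists when its credentials are looked up. */
typedef struct {
    bool  caller_alive;
    uid_t caller_uid;
} bus_peer_t;

/* Simulated credential lookup: on success stores the caller's UID in *uid_out
 * and returns true; if the caller has already gone away it returns false and
 * leaves *uid_out untouched, which is the error path that matters here. */
static bool get_peer_uid(const bus_peer_t *peer, uid_t *uid_out) {
    if (!peer->caller_alive) {
        return false;          /* caller vanished: no credentials available */
    }
    *uid_out = peer->caller_uid;
    return true;
}

/* FAIL-OPEN pattern: uid starts at 0 and the lookup's return value is ignored,
 * so a failed lookup looks exactly like a request from root (UID 0). */
bool is_authorized_vulnerable(const bus_peer_t *peer) {
    uid_t uid = 0;
    get_peer_uid(peer, &uid);  /* result not checked */
    return uid == 0;           /* root is always authorized */
}

/* FAIL-CLOSED pattern: a caller whose identity cannot be established is never
 * trusted, regardless of what the uninitialised variable might contain. */
bool is_authorized_hardened(const bus_peer_t *peer) {
    uid_t uid;
    if (!get_peer_uid(peer, &uid)) {
        return false;          /* lookup failed: deny and let the caller retry */
    }
    return uid == 0;
}

int main(void) {
    /* Constructed sample peers: an unprivileged caller that has exited, an
     * unprivileged caller that is still running, and a genuine root caller. */
    const bus_peer_t gone = { .caller_alive = false, .caller_uid = 1000 };
    const bus_peer_t live = { .caller_alive = true,  .caller_uid = 1000 };
    const bus_peer_t root = { .caller_alive = true,  .caller_uid = 0    };

    printf("vanished unprivileged caller: vulnerable=%d hardened=%d\n",
           is_authorized_vulnerable(&gone), is_authorized_hardened(&gone));
    printf("live unprivileged caller:     vulnerable=%d hardened=%d\n",
           is_authorized_vulnerable(&live), is_authorized_hardened(&live));
    printf("live root caller:             vulnerable=%d hardened=%d\n",
           is_authorized_vulnerable(&root), is_authorized_hardened(&root));
    return 0;
}
```

The only line that differs in substance between the two decision functions is the check of the lookup's return value; the hardened version also avoids pre-seeding the UID with a privileged default. When reviewing authorization code, the question to ask of every error branch is what the caller is treated as when the lookup fails, not only what happens when it succeeds.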

What else happened

Hacks of large companies continue. Last week it became known that game source code and other information had been stolen from EA. Details of the hack appeared later: according to Vice (see also the translation on Habr), a private Slack chat was the entry point into the corporate network. The hackers bought an access token for it on the black market for $10 and then, through social engineering, got directly into the local network.

Another leak occurred at Volkswagen last week: data on more than 3 million customers lay publicly accessible on a server belonging to one of its contractors.

The June patch set for Android closes several critical vulnerabilities that allow control over a mobile device to be gained.

A zero-day vulnerability has been closed in the Google Chrome browser. It was used together with another bug in Windows that had already been patched. According to Google, this kit was being sold by one of the commercial brokers.

Another actively exploited vulnerability, closed in the fresh set of Microsoft patches, is described in detail by Kaspersky Lab specialists.

Information stolen from developer CD Projekt Red in February has got into the public domain.
