News
Vigil@nce: PolicyKit, privilege elevation via pkexec
April 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
A local attacker can use pkexec, in order to execute code with root privileges.
Severity: 2/4
Creation date: 20/04/2011
IMPACTED PRODUCTS
Red Hat Enterprise Linux
Slackware Linux
Unix - plateform
DESCRIPTION OF THE VULNERABILITY
The PolicyKit suite provides the pkexec utility which is used to exec a command with an uid (user id) different from the uid of the current user.
The pkexec determines the uid of the process which called it, in order to know the uid of the pkexec user. However, if this process used exec() to be replaced by a suid root process, pkexec obtains the uid zero, and deduce that root called pkexec. Security measures are then bypassed.
A local attacker can therefore use pkexec, in order to execute code with root privileges.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
