Critical vulnerability in PolKit allowing root access on most Linux distributions

Qualys has identified a vulnerability (CVE-2021-4034) in the Polkit (formerly PolicyKit) system component, which distributions use to let unprivileged users perform actions that require elevated access rights. The vulnerability allows an ordinary unprivileged user to escalate their privileges to root and take full control of the system. The issue was codenamed PwnKit and is notable for the creation of a working exploit that runs in the default configuration on most Linux distributions.

The problem is in PolKit's pkexec utility, which ships with the SUID root flag and is designed to run commands with the privileges of another user according to the PolKit rules. Because of incorrect handling of the command-line arguments passed to pkexec, an unprivileged user can bypass authentication and run their own code as root, regardless of the access rules that have been set. For the attack, it does not matter which settings and restrictions are defined in PolKit; it is enough that the SUID root attribute is set on the executable file of the pkexec utility.

Pkexec does not check the validity of the command-line argument count (argc) passed when a process is started. The pkexec developers assumed that the first entry in the argv array always contains the process name (pkexec), and the second either a NULL value or the name of the command launched through pkexec. Since the argument count was not checked against the actual contents of the array and was assumed to always be greater than 1, if the process was passed an empty argv array, which the Linux execve function allows, pkexec would treat NULL as the first argument (the process name) and the memory that follows, outside the buffer, as the subsequent contents of the array.

|---------+---------+-----+------------|---------+---------+-----+------------|
| argv[0] | argv[1] | ... | argv[argc] | envp[0] | envp[1] | ... | envp[envc] |
|----|----+----|----+-----+-----|------|----|----+----|----+-----+-----|------|
     V         V                V           V         V                V
 "program" "-option"           NULL      "value" "PATH=name"          NULL

The problem is that the envp array, which holds the environment variables, follows the argv array in memory. Therefore, if the argv array is empty, pkexec takes the data about the command to run with elevated privileges from the first element of the environment-variable array (argv[1] becomes identical to envp[0]), whose contents can be controlled by the attacker.

Having obtained the value of argv[1], pkexec tries, taking into account the file paths in PATH, to determine the full path to the executable file, and writes a pointer to the string with the full path back to argv[1], which also overwrites the value of the first environment variable, since argv[1] is identical to envp[0]. By manipulating the name of the first environment variable, an attacker can inject another environment variable into pkexec, for example the "LD_PRELOAD" environment variable, which is not allowed in suid programs, and arrange for their own shared library to be loaded into the process.
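The aliasing described in the paragraphs above, modelled safely in C as an added example (it is not pkexec's code and not from the original article). One constructed array stands in for the adjacent argv and envp arrays; the function names, the simplified option scan and the sample strings are assumptions.

```c
/* Added example: a safe model of the argv/envp layout described above.
   One constructed array stands in for adjacent argv and envp, so nothing
   is read out of bounds. All function names are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Unchecked pattern: the scan starts at index 1 and assumes argc >= 1.
   With argc == 0 the loop body never runs and n stays 1. */
static char **unchecked_path_slot(int argc, char **argv)
{
    int n;
    for (n = 1; n < argc; n++) {
        if (argv[n][0] != '-')      /* first non-option names the program */
            break;
    }
    return &argv[n];                /* argc == 0: this slot is envp[0] */
}

/* Hardened pattern: reject an empty argv before touching any element. */
static char **checked_path_slot(int argc, char **argv)
{
    if (argc < 1 || argv == NULL || argv[0] == NULL)
        return NULL;
    return unchecked_path_slot(argc, argv);
}

/* Returns 1 if writing the resolved path through the unchecked slot
   replaced the first environment entry (constructed sample data). */
static int write_back_hits_envp(void)
{
    /* Empty argv: argv[0] is the NULL terminator, envp follows directly. */
    char *stack[] = { NULL, "value", "PATH=name", NULL };
    char **argv = &stack[0], **envp = &stack[1];
    char **slot = unchecked_path_slot(0, argv);
    if (slot != &envp[0])
        return 0;
    *slot = "/resolved/dir/value";  /* models the full-path write-back */
    return strcmp(envp[0], "/resolved/dir/value") == 0;
}

int main(void)
{
    char *empty[] = { NULL, "value", "PATH=name", NULL };
    printf("unchecked write reaches envp[0]: %d\n", write_back_hits_envp());
    printf("checked call rejects argc == 0: %d\n",
           checked_path_slot(0, empty) == NULL);
    return 0;
}
```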

The working exploit involves substituting the GCONV_PATH variable, which is used to determine the path to the character-transcoding library that is loaded dynamically when the g_printerr() function is called, whose code uses iconv_open(). By redefining the path in GCONV_PATH, the attacker can ensure that their own library is loaded instead of the standard iconv library; its handlers are executed when an error message is displayed, at a stage where pkexec is still running with root rights and before the launch permissions are checked.

It is noted that although the problem is caused by memory corruption, it can be exploited reliably and repeatably regardless of the hardware architecture used. The prepared exploit has been successfully tested on Ubuntu, Debian, Fedora and CentOS, but can also be used on other distributions. The original exploit is not yet publicly available, with the indication that it is trivial and can easily be recreated by other researchers, so it is important to install the patch update as soon as possible on multi-user systems. Polkit is also available for BSD systems and Solaris, but its exploitability on them has not been studied. What is known is that the attack cannot be carried out on OpenBSD, since the OpenBSD kernel does not allow a null argc value to be passed when execve() is called.

The problem has been present since May 2009, when the pkexec command was added. The fix for the PolKit vulnerability is currently available as a patch (no corrective release has been published), but since distribution developers were notified of the problem in advance, most distributions published updates at the same time as the vulnerability details were disclosed. The issue is fixed in RHEL 6/7/8, Debian, Ubuntu, openSUSE, SUSE, Fedora, ALT Linux, ROSA, Gentoo, Void Linux, Arch Linux and Manjaro. As a temporary measure to block the vulnerability, you can remove the SUID root flag from the /usr/bin/pkexec program ("chmod 0755 /usr/bin/pkexec").



Source: opennet.ru
