Critical vulnerability in PolKit allows root access on most Linux distributions

Qualys has identified a vulnerability (CVE-2021-4034) in Polkit (formerly PolicyKit), a system component used in distributions to let unprivileged users perform actions that require elevated access rights. The vulnerability allows an unprivileged local user to escalate their privileges to root and gain full control of the system. The issue was codenamed PwnKit and is notable because a working exploit has been prepared that runs in the default configuration on most Linux distributions.

The problem is in PolKit's pkexec utility, which ships with the SUID root flag and is designed to run commands with the privileges of another user according to the specified PolKit rules. Because of incorrect handling of the command-line arguments passed to pkexec, an unprivileged user can bypass authentication and run their code as root, regardless of the access rules that have been set. For the attack, it does not matter which settings and restrictions are defined in PolKit; it is enough that the SUID root attribute is set on the pkexec executable file.

Pkexec does not check the validity of the command-line argument count (argc) passed when a process is started. The pkexec developers assumed that the first entry in the argv array always contains the process name (pkexec), and that the second is either a NULL value or the name of the command launched via pkexec. Since the argument count was not checked against the actual contents of the array and was assumed to always be greater than 1, if a process was passed an empty argv array, as the Linux execve function allows, pkexec would treat NULL as the first argument (the process name) and the memory following it, outside the buffer, as the subsequent contents of the array.

    |---------+---------+-----+------------|---------+---------+-----+------------|
    | argv[0] | argv[1] | ... | argv[argc] | envp[0] | envp[1] | ... | envp[envc] |
    |----|----+----|----+-----+-----|------|----|----+----|----+-----+-----|------|
         V         V                V           V         V                V
     "program" "-option"           NULL      "value" "PATH=name"          NULL

The problem is that in memory the argv array is followed by the envp array, which contains the environment variables. Thus, if the argv array is empty, pkexec takes the data about the command to run with elevated privileges from the first element of the environment variable array (argv[1] becomes identical to envp[0]), the contents of which can be controlled by the attacker.

After receiving the value of argv[1], pkexec tries, taking the file paths in PATH into account, to determine the full path to the executable file and writes a pointer to the string with the full path back to argv[1], which leads to overwriting the value of the first environment variable, since argv[1] is identical to envp[0]. By manipulating the name of the first environment variable, an attacker can substitute another environment variable in pkexec, for example the "LD_PRELOAD" environment variable, which is not permitted in suid programs, and arrange for their shared library to be loaded into the process.
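The out-of-bounds read and the write-back described above, modelled on a constructed pointer block laid out as argv, NULL, envp, NULL. This is an added example, not code from pkexec or from Qualys; the function names, the sample strings and the guarded variant are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Models the described behaviour: slot 1 is used without consulting argc,
 * and the resolved path is written back into that same slot. */
static const char *naive_pick(int argc, char **argv, char *resolved)
{
    (void)argc;                     /* never checked: this is the defect */
    const char *path = argv[1];
    if (path == NULL)
        return NULL;                /* no program given */
    argv[1] = resolved;             /* lands on envp[0] when argc == 0 */
    return path;
}

/* Guarded variant (an assumption, not the upstream patch): slot 1 is only
 * touched when argc says it really is an argument. */
static const char *checked_pick(int argc, char **argv, char *resolved)
{
    return argc < 2 ? NULL : naive_pick(argc, argv, resolved);
}

/* Builds a constructed block for argc in 0..2, runs one of the two pickers,
 * and returns 1 if envp[0] was overwritten. *picked = string taken as program. */
int env_clobbered(int argc, int hardened, const char **picked)
{
    static char resolved[] = "/constructed/resolved/path";
    static char a0[] = "program", a1[] = "-option";
    static char e0[] = "value", e1[] = "PATH=name";
    char *slots[6];
    int i = 0;
    if (argc >= 1) slots[i++] = a0;
    if (argc >= 2) slots[i++] = a1;
    slots[i++] = NULL;              /* argv[argc] terminator */
    char **envp = &slots[i];
    slots[i++] = e0;
    slots[i++] = e1;
    slots[i] = NULL;                /* envp terminator */
    *picked = (hardened ? checked_pick : naive_pick)(argc, slots, resolved);
    return envp[0] != e0;
}

int main(void)
{
    const char *p;
    int hit = env_clobbered(0, 0, &p);
    printf("argc=0, unchecked: took \"%s\", envp[0] overwritten=%d\n", p, hit);
    return 0;
}
```

With argc equal to 0 the unchecked picker takes the first environment string as the program name and replaces envp[0]; the guarded picker returns NULL and leaves the environment untouched.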

The working exploit involves substituting the GCONV_PATH variable, which is used to determine the path to the character transcoding library that is dynamically loaded when the g_printerr() function is called, whose code uses iconv_open(). By redefining the path in GCONV_PATH, an attacker can ensure that it is not the standard iconv library that is loaded but their own library, whose handlers will be executed when an error message is displayed, at the stage when pkexec is still running with root rights and before the launch permissions are checked.

It is noted that although the problem is caused by memory corruption, it can be exploited reliably and repeatably regardless of the hardware architecture used. The prepared exploit has been successfully tested on Ubuntu, Debian, Fedora and CentOS, but can also be used on other distributions. The original exploit is not yet publicly available, with the note that it is trivial and can easily be recreated by other researchers, so it is important to install the fix as soon as possible on multi-user systems. Polkit is also available for BSD systems and Solaris, but exploitation on them has not been studied. What is known is that the attack cannot be carried out on OpenBSD, since the OpenBSD kernel does not allow a null argc value to be passed when execve() is called.

The problem has existed since May 2009, when the pkexec command was added. The fix for the PolKit vulnerability is currently available as a patch (no corrective release has been published), but since distribution developers were notified of the problem in advance, most distributions published the update at the same time as information about the vulnerability was disclosed. The issue has been fixed in RHEL 6/7/8, Debian, Ubuntu, openSUSE, SUSE, Fedora, ALT Linux, ROSA, Gentoo, Void Linux, Arch Linux and Manjaro. As a temporary measure to block the vulnerability, you can remove the SUID root flag from the /usr/bin/pkexec program ("chmod 0755 /usr/bin/pkexec").



Source: opennet.ru
