Critical vulnerability in PolKit allows root access on most Linux distributions

Qualys has identified a vulnerability (CVE-2021-4034) in Polkit (formerly PolicyKit), a system component used in distributions to allow unprivileged users to perform actions that require elevated access rights. The vulnerability allows an unprivileged local user to escalate their privileges to root and gain full control of the system. The issue was given the codename PwnKit and is notable in that a working exploit was produced that succeeds in the default configuration of most Linux distributions.

The issue is in PolKit's pkexec utility, which ships with the SUID root flag set and is designed to run commands with the privileges of another user according to the defined PolKit rules. Because of incorrect handling of the command-line arguments passed to pkexec, an unprivileged user can bypass authentication and run their own code as root, regardless of the access rules that have been configured. For the attack it does not matter which settings and restrictions are specified in PolKit; it is enough that the SUID root attribute is set on the executable file of the pkexec utility.

Pkexec does not validate the command-line argument count (argc) passed to it when the process is started. The pkexec developers assumed that the first entry in the argv array always contains the program name (pkexec), and that the second is either NULL or the name of the command to be launched via pkexec. Since the argument count was not checked against the actual contents of the array and was assumed to always be greater than 1, if the process was started with an empty argv array, which the Linux execve() implementation allows, pkexec treats NULL as the first argument (the program name) and reads the next one from beyond the end of the buffer, as though it were the following element of the array.

    |---------+---------+-----+------------|---------+---------+-----+------------|
    | argv[0] | argv[1] | ... | argv[argc] | envp[0] | envp[1] | ... | envp[envc] |
    |----|----+----|----+-----+-----|------|----|----+----|----+-----+-----|------|
         V         V                V           V         V                V
     "program" "-option"           NULL      "value" "PATH=name"          NULL

The problem is that the envp array holding the environment variables follows the argv array in memory. So if the argv array is empty, pkexec takes the data about the command to be run with elevated privileges from the first element of the environment variable array (argv[1] is now the same location as envp[0]), whose contents can be controlled by the attacker.

After obtaining the value of argv[1], pkexec tries, taking into account the directories listed in PATH, to determine the full path to the executable file and writes a pointer to the string with the full path back into argv[1], which overwrites the value of the first environment variable, since argv[1] is the same location as envp[0]. By manipulating the name of the first environment variable, an attacker can substitute a different variable into pkexec's environment, for example the "LD_PRELOAD" variable, which is not allowed in suid programs, and arrange for their own shared library to be loaded into the process.
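The argc assumption described above, reduced to its essentials as an added example (this is not pkexec's code): a constructed stand-in for the process stack with an empty argv shows that an unchecked read of argv[1] lands on the first environment string, while a version that refuses to proceed when argc is less than 1 does not.

```c
/* Added example, not pkexec's code. execve() lays argv and envp out back to
 * back in memory, each terminated by a NULL. With argc == 0 the layout is
 * argv[0] == NULL and argv[1] is the same pointer as envp[0]. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Mimics the flawed logic: assumes argc > 1 and reads argv[1] unchecked.
 * Returns whatever it would treat as the command name. */
const char *pick_program_unchecked(int argc, char **argv)
{
    (void)argc;
    return argv[1];          /* past the argv terminator when argc == 0 */
}

/* Hardened form: refuse to proceed when no argument vector was supplied.
 * Sets *rejected and returns NULL in that case; otherwise returns the
 * command name, or NULL when the caller legitimately gave no command. */
const char *pick_program_checked(int argc, char **argv, int *rejected)
{
    *rejected = 0;
    if (argc < 1) {          /* argv[0] missing: the layout cannot be trusted */
        *rejected = 1;
        return NULL;
    }
    if (argc < 2)
        return NULL;         /* argv[1] == NULL, the normal "no command" case */
    return argv[1];
}

/* Constructed stand-in for the stack when execve() was given an empty argv:
 * one NULL (argv[argc]) immediately followed by the environment strings. */
static char *constructed_stack[] = {
    NULL,                    /* argv[0] == argv[argc] == NULL */
    "ENVVAR=constructed",    /* envp[0], which argv[1] now aliases */
    "PATH=/usr/bin",
    NULL
};

/* Runs both versions against the constructed stack. Returns 1 when the
 * unchecked version read the environment string and the checked one refused. */
int demo(void)
{
    int rejected;
    const char *bad = pick_program_unchecked(0, constructed_stack);
    pick_program_checked(0, constructed_stack, &rejected);
    printf("unchecked read: %s\n", bad);
    printf("checked: %s\n", rejected ? "rejected" : "accepted");
    return rejected && strcmp(bad, "ENVVAR=constructed") == 0;
}
```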

The working exploit relies on substituting the GCONV_PATH variable, which is used to determine the path to the character-set conversion library that is loaded dynamically when the g_printerr() function is called, whose code uses iconv_open(). By redefining the path in GCONV_PATH, the attacker can ensure that it is not the standard iconv library that gets loaded but their own library, whose handlers are executed when an error message is printed, at a stage when pkexec is still running with root privileges and before the launch permissions have been checked.

It is noted that although the issue is caused by memory corruption, it can be exploited reliably and repeatedly regardless of the hardware architecture in use. The prepared exploit was tested successfully on Ubuntu, Debian, Fedora and CentOS, but can also be used on other distributions. The original exploit has not yet been published, which indicates that it is trivial and can easily be recreated by other researchers, so it is important to install the patched update as soon as possible on multi-user systems. Polkit is also available for BSD systems and Solaris, but exploitation on them has not been studied. What is known is that the attack cannot be carried out on OpenBSD, since the OpenBSD kernel does not allow a null argc value to be passed when execve() is called.

The issue has existed since May 2009, when the pkexec command was added. The fix for the PolKit vulnerability is currently available only as a patch (no release containing the fix has been published), but since distribution developers were notified of the issue in advance, most distributions published the update at the same time as the information about the vulnerability was disclosed. The issue has been fixed in RHEL 6/7/8, Debian, Ubuntu, openSUSE, SUSE, Fedora, ALT Linux, ROSA, Gentoo, Void Linux, Arch Linux and Manjaro. As a temporary measure to block the vulnerability, you can remove the SUID root flag from the /usr/bin/pkexec program ("chmod 0755 /usr/bin/pkexec").



Source: opennet.ru