Critical vulnerability in PolKit allows root access on most Linux distributions

Qualys has identified a vulnerability (CVE-2021-4034) in the Polkit system component (formerly PolicyKit), which distributions use to let unprivileged users perform actions that require elevated access rights. The vulnerability allows an unprivileged local user to elevate their privileges to root and gain full control of the system. The issue was codenamed PwnKit and is notable in that a working exploit was produced that runs in the default configuration of most Linux distributions.

The issue is in PolKit's pkexec utility, which ships with the SUID root flag set and is designed to run commands with the privileges of another user according to the configured PolKit rules. Because of incorrect handling of the command-line arguments passed to pkexec, an unprivileged user can bypass authentication and run their own code as root, regardless of the access rules that have been set. For the attack it does not matter which settings and restrictions are specified in PolKit; it is enough that the SUID root attribute is set on the executable file of the pkexec utility.

Pkexec does not check the validity of the command-line argument count (argc) passed when the process is started. The pkexec developers assumed that the first entry in the argv array always contains the process name (pkexec), and that the second is either a NULL value or the name of the command to be launched through pkexec. Since the argument count was not checked against the actual contents of the array and was assumed to always be greater than 1, if the process is passed an empty argv array, as the Linux execve function allows, pkexec treats NULL as the first argument (the process name) and reads the next one from outside the buffer, as though it were the following element of the array:

    |---------+---------+-----+------------|---------+---------+-----+------------|
    | argv[0] | argv[1] | ... | argv[argc] | envp[0] | envp[1] | ... | envp[envc] |
    |----|----+----|----+-----+-----|------|----|----+----|----+-----+-----|------|
         V         V                V           V         V                V
     "program" "-option"           NULL      "value" "PATH=name"          NULL

The problem is that the envp array containing the environment variables follows the argv array in memory. Therefore, if the argv array is empty, pkexec takes the data about the command to be run with elevated privileges from the first element of the environment-variable array (argv[1] coincides with envp[0]), whose contents are controlled by the attacker.

After obtaining the argv[1] value, pkexec tries, using the directories listed in PATH, to determine the full path to the executable file and writes the pointer to the string with the full path back into argv[1]. This also overwrites the value of the first environment variable, since argv[1] coincides with envp[0]. By manipulating the name of the first environment variable, the attacker can inject a different environment variable into pkexec, for example substituting the "LD_PRELOAD" environment variable, which is not allowed in suid programs, and arrange for their own shared library to be loaded into the process.

The working exploit substitutes the GCONV_PATH variable, which is used to determine the path to the character-transcoding library that is loaded dynamically when the g_printerr() function is called, whose code uses iconv_open(). By redefining the path in GCONV_PATH, the attacker can ensure that it is not the standard iconv library that gets loaded but their own library, whose handlers are executed when an error message is displayed, at a stage when pkexec is still running with root privileges and before permissions are checked.

It is noted that although the problem is caused by memory corruption, it can be exploited reliably and repeatedly regardless of the hardware architecture in use. The prepared exploit was successfully tested on Ubuntu, Debian, Fedora and CentOS, but it can also be used on other distributions. The original exploit has not yet been made public, which indicates that it is trivial and can easily be recreated by other researchers, so it is important to install the patch update as soon as possible on multi-user systems. Polkit is also available for BSD systems and Solaris, but it has not been studied for exploitation on them. What is known is that the attack cannot be carried out on OpenBSD, since the OpenBSD kernel does not allow a null argc value to be passed when calling execve().

The problem has existed since May 2009, when the pkexec command was added. The fix for the PolKit vulnerability is currently available as a patch (no patch release has been published), but since distribution developers were notified of the problem in advance, most distributions published an update at the same time as the information about the vulnerability was disclosed. The issue has been fixed in RHEL 6/7/8, Debian, Ubuntu, openSUSE, SUSE, Fedora, ALT Linux, ROSA, Gentoo, Void Linux, Arch Linux and Manjaro. As a temporary measure to block the vulnerability, you can remove the SUID root flag from the /usr/bin/pkexec program ("chmod 0755 /usr/bin/pkexec").
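As an added example (not from the article or the Polkit project), the following POSIX shell functions audit whether a pkexec binary still carries the SUID bit the attack depends on and apply the interim chmod 0755 mitigation described above; the only path assumed is /usr/bin/pkexec, which the article itself names.

```sh
#!/bin/sh
# Added example, not part of the article: audit a pkexec binary for the
# SUID bit that CVE-2021-4034 (PwnKit) requires, and apply the interim
# mitigation (chmod 0755) until the patched polkit package is installed.

# Report the SUID state of a file: prints "setuid", "clean" or "missing".
# `test -u` is POSIX and checks the set-user-ID bit, so no GNU stat is needed.
pkexec_suid_state() {
    if [ ! -e "$1" ]; then
        echo "missing"
        return 2
    fi
    if [ -u "$1" ]; then
        echo "setuid"
        return 1
    fi
    echo "clean"
    return 0
}

# Interim mitigation from the article: clear the SUID bit by setting 0755.
# Side effect: unprivileged users can no longer use pkexec, which is the
# intended trade-off until the fixed package arrives. Requires root on a
# real /usr/bin/pkexec; returns 0 only if the bit is confirmed cleared.
clear_pkexec_suid() {
    [ -e "$1" ] || return 2
    chmod 0755 "$1" || return 1
    [ "$(pkexec_suid_state "$1")" = "clean" ]
}

# Audit the given paths (default: /usr/bin/pkexec, as named in the article).
# Exit status 1 if any present binary is still SUID, 0 otherwise.
audit_pkexec() {
    rc=0
    [ $# -eq 0 ] && set -- /usr/bin/pkexec
    for p in "$@"; do
        state=$(pkexec_suid_state "$p")
        if [ "$state" != "missing" ]; then
            printf '%s: %s\n' "$p" "$state"
            if [ "$state" = "setuid" ]; then rc=1; fi
        fi
    done
    return $rc
}
```

Run `audit_pkexec` as a plain user to check; run `clear_pkexec_suid /usr/bin/pkexec` as root only as a stopgap, and remove the workaround once the distribution update is installed.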



Source: opennet.ru