pkexec information disclosure vulnerability

Bug #532852 reported by Dan Rosenberg
Affects | Status | Importance | Assigned to | Milestone
PolicyKit | Fix Released | Medium | |
policykit-1 (Ubuntu) | Fix Released | Low | Unassigned |
Hardy | Invalid | Undecided | Unassigned |
Intrepid | Invalid | Undecided | Unassigned |
Jaunty | Invalid | Undecided | Unassigned |
Karmic | Won't Fix | Low | Unassigned |
Lucid | Fix Released | Low | Unassigned |

Bug Description

Binary package hint: policykit-1

pkexec is vulnerable to a minor information disclosure vulnerability that allows an attacker to verify whether or not arbitrary files exist, violating directory permissions. I reproduced the issue on my Karmic installation as follows:

$ mkdir secret
$ sudo chown root:root secret
$ sudo chmod 400 secret
$ sudo touch secret/hidden
$ pkexec /home/drosenbe/secret/hidden
(password prompt)
$ pkexec /home/drosenbe/secret/doesnotexist
Error getting information about /home/drosenbe/secret/doesnotexist: No such file or directory

I've attached a simple patch that resolves the issue by using access() to check whether or not the user has permission to verify the existence of the file before calling stat() on it.

Dan Rosenberg (dan-j-rosenberg) wrote :
Dan Rosenberg (dan-j-rosenberg) wrote :

Come to think of it, please ignore that patch. A determined attacker could exploit the race condition between the access() and stat() calls. I'll revisit this and produce a better patch within the next couple of days.

Kees Cook (kees) wrote :

As this is a relatively minor information disclosure, do you mind me making this report public?

Kees Cook (kees)
visibility: private → public
Changed in policykit-1 (Ubuntu):
status: New → Confirmed
importance: Undecided → Low
tags: added: patch
In , Dan Rosenberg (dan-j-rosenberg) wrote :

Created an attachment (id=33901)
Patch for pkexec info disclosure

pkexec is vulnerable to a minor information disclosure vulnerability that allows an attacker to verify whether or not arbitrary files exist, violating directory permissions. I reproduced the issue on my Karmic installation as follows:

$ mkdir secret
$ sudo chown root:root secret
$ sudo chmod 400 secret
$ sudo touch secret/hidden
$ pkexec /home/drosenbe/secret/hidden
(password prompt)
$ pkexec /home/drosenbe/secret/doesnotexist
Error getting information about /home/drosenbe/secret/doesnotexist: No such file or directory

I've attached my patch for the issue. I replaced the stat() call entirely with access() using F_OK, so rather than check that the target exists, pkexec now checks if the user has permission to verify the existence of the program. There might be another way of doing this, such as chdir()'ing to the parent directory of the target and calling lstat(), but this seemed like more code than necessary to prevent such a minor problem. I see no reason to allow pkexec to execute targets that are not accessible to the executing user because of directory permissions. This is such a limited use case anyway that this doesn't really affect functionality.

Dan Rosenberg (dan-j-rosenberg) wrote :

New patch added. I see no reason to allow pkexec to execute targets that are not accessible to the executing user because of directory permissions. This is such a limited use case anyway that this doesn't really affect functionality.

I replaced the stat() call entirely with access() using F_OK, so rather than check that the target exists, pkexec now checks if the user has permission to verify the existence of the program. There might be another way of doing this, such as chdir()'ing to the parent directory of the target and calling lstat(), but this seemed like more code than necessary to prevent such a minor problem.
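An added illustration of the two checks discussed above, not the PolicyKit patch itself: stat() is evaluated with the effective UID (root in a setuid helper), access() with the real UID, and is_existence_oracle() reports whether a probe distinguishes a present name from an absent one. The function names and the fixture layout are assumptions made for this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Old check: stat() is evaluated with the EFFECTIVE uid. In a setuid-root
 * helper that is root, so it returns 0 or ENOENT whatever the caller's
 * directory permissions are, and the error text reveals existence. */
int probe_effective_uid(const char *path)
{
    struct stat sb;
    return stat(path, &sb) == 0 ? 0 : errno;
}

/* New check: access(F_OK) is evaluated with the REAL uid/gid (the invoking
 * user), so a directory the caller cannot search yields EACCES for present
 * and absent names alike. */
int probe_real_uid(const char *path)
{
    return access(path, F_OK) == 0 ? 0 : errno;
}

/* Returns 1 if the probe tells an existing name from a missing one. */
int is_existence_oracle(int (*probe)(const char *),
                        const char *present, const char *absent)
{
    return probe(present) != probe(absent);
}

/* Constructed fixture mirroring the report: <dir>/hidden exists and
 * <dir>/doesnotexist does not. mkdir() fails if dir already exists.
 * Returns 0 on success, -1 on error. */
int make_fixture(const char *dir, char *present, char *absent, size_t n)
{
    int fd;

    if (mkdir(dir, 0700) != 0)
        return -1;
    snprintf(present, n, "%s/hidden", dir);
    snprintf(absent, n, "%s/doesnotexist", dir);
    fd = open(present, O_CREAT | O_EXCL | O_WRONLY, 0600);
    if (fd < 0)
        return -1;
    return close(fd);
}
```

Both probes agree when run as an ordinary user; they differ only in a process whose effective UID is not its real UID, which is the setuid pkexec case.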

James Westby (james-w) wrote :

Hi Dan,

Thanks for looking at this. It would be great if you could take this issue
to the developers of the software at

  https://bugs.freedesktop.org/

and discuss the patch with them.

I would be happy to do this for you, but it would be much more efficient for
you to do it.

Thanks,

James

James Westby (james-w) wrote :
Dan Rosenberg (dan-j-rosenberg) wrote :

I filed a bug entry upstream, and included an updated version of the patch (only change was removing the now-unnecessary stat struct declaration):

https://bugs.freedesktop.org/show_bug.cgi?id=26982

James Westby (james-w) wrote : Re: [Bug 532852] Re: pkexec information disclosure vulnerability

On Tue, 09 Mar 2010 19:21:13 -0000, Dan Rosenberg <email address hidden> wrote:
> I filed a bug entry upstream, and included an updated version of the
> patch (only change was removing the now-unnecessary stat struct
> declaration):

Thanks Dan.

James

In , Zeuthen (zeuthen) wrote :
Dan Rosenberg (dan-j-rosenberg) wrote :

The fix has been signed off and committed upstream:

http://cgit.freedesktop.org/PolicyKit/commit/?id=14bdfd816512a82b1ad258fa143ae5faa945df8a

Kees, do issues this minor typically get CVEs? Your call.

Nigel Babu (nigelbabu)
tags: added: patch-accepted-upstream
removed: patch
Kees Cook (kees) wrote :

I'll leave it up to oss-security about getting a CVE assigned. Emailing them now.

Kees Cook (kees)
Changed in policykit-1 (Ubuntu Karmic):
status: New → Confirmed
Changed in policykit-1 (Ubuntu Lucid):
milestone: none → ubuntu-10.04
Changed in policykit-1 (Ubuntu Intrepid):
status: New → Confirmed
Changed in policykit-1 (Ubuntu Hardy):
status: New → Confirmed
Changed in policykit-1 (Ubuntu Jaunty):
status: New → Confirmed
Dan Rosenberg (dan-j-rosenberg) wrote :

CVE-2010-0750

Nigel Babu (nigelbabu) wrote :

This bug wasn't closed from changelog, so I'll just manually close it here

policykit-1 (0.96-2) unstable; urgency=medium

  * Urgency medium, just two small, but important bug fixes.
  * Add 00git-pkexec-information-disclosure.patch: Fix information disclosure
    vulnerability that allows an attacker to verify whether or not arbitrary
    files exist, violating directory permissions.
  * 00git-fix-error-freeing.patch: Fix crash when calling CheckAuthorization()
    with an invalid PID. (LP: #540464)

 -- Martin Pitt <email address hidden> Fri, 09 Apr 2010 12:09:53 +0200

Changed in policykit-1 (Ubuntu Lucid):
status: Confirmed → Fix Released
Martin Pitt (pitti) wrote :

policykit-1 was introduced in Karmic, closing the tasks for earlier releases.

Changed in policykit-1 (Ubuntu Hardy):
status: Confirmed → Invalid
Changed in policykit-1 (Ubuntu Intrepid):
status: Confirmed → Invalid
Changed in policykit-1 (Ubuntu Karmic):
status: Confirmed → Triaged
Changed in policykit-1 (Ubuntu Jaunty):
status: Confirmed → Invalid
Martin Pitt (pitti) wrote :

Security team,

the upstream fix is straightforward enough. Do you need me to prepare a debdiff, or do you want to apply/upload this yourself?

Steve Beattie (sbeattie)
Changed in policykit:
importance: Undecided → Unknown
status: New → Unknown
Changed in policykit-1 (Ubuntu Karmic):
importance: Undecided → Low
Changed in policykit:
importance: Unknown → Medium
status: Unknown → Fix Released
Changed in policykit:
importance: Medium → Unknown
Changed in policykit:
importance: Unknown → Medium
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. karmic has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against karmic is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in policykit-1 (Ubuntu Karmic):
status: Triaged → Won't Fix