policykit or policykit-gnome do not work with passwords containing "%" character

Bug #205037 reported by Boris Erdmann
Affects                 Status        Importance  Assigned to      Milestone
PolicyKit               Fix Released  Critical
policykit (PLD Linux)                 High        Patryk Zawadzki
policykit (Ubuntu)                    High        Kees Cook

Bug Description

If you have a "%" character in your password you cannot unlock any application

/var/log/auth.log shows:

Mar 22 01:33:30 lorbas-laptop polkit-grant-helper-pam[7252]: pam_unix(polkit:auth): authentication failure; logname= uid=1000 euid=0 tty= ruser=lorbas rhost= user=lorbas
Mar 22 01:33:39 lorbas-laptop polkit-grant-helper-pam[7260]: pam_unix(polkit:auth): conversation failed
Mar 22 01:33:39 lorbas-laptop polkit-grant-helper-pam[7260]: pam_unix(polkit:auth): auth could not identify password for [lorbas]

I checked "security vulnerability" because I think that the % character might trigger an evaluation of %s, like in sprintf for example.

Martin Pitt (pitti)
Changed in policykit:
assignee: nobody → pitti
importance: Undecided → Critical
status: New → In Progress
Revision history for this message
Martin Pitt (pitti) wrote :

Hm, I tried to change my password to "foo%bar", and was able to authenticate with it. When I mistype the password, I get auth.log entries similar to yours.

So I cannot reproduce this bug. Can you please do

  POLKIT_DEBUG=1 users-admin 2>&1|tee /tmp/debug.log

then try to authenticate, and after that, send me /tmp/debug.log?

Changed in policykit:
importance: Critical → Medium
status: In Progress → Incomplete
Revision history for this message
Christoph Langner (chrissss) wrote :

I can't reproduce this error either. Using Hardy Beta1.

Revision history for this message
Ralf Schulze (ralf-schulze) wrote :

I can confirm this bug. For example a password like 'abcd%efgh' does not work. 'foo%bar' is working, so it seems to be a combination of '%' and some other condition I was not able to figure out.

debug.log is attached.

Changed in policykit:
status: Incomplete → Confirmed
Martin Pitt (pitti)
Changed in policykit:
importance: Medium → High
status: Confirmed → In Progress
Revision history for this message
Ralf Schulze (ralf-schulze) wrote :

O.K. It really seems to be an interference with sprintf's conversion specifiers. 'foo%bar' is working because there is no '%b' specifier. 'foo%xbar', 'foo%ebar', 'foo%fbar', etc. are not working, because these are conversion specifiers.

This means it is almost certainly exploitable somehow.

Revision history for this message
In , Kees Cook (kees) wrote :

If a user types a carefully crafted series of format strings, they can trick polkit-grant-helper into thinking the password was successful.

https://launchpad.net/bugs/205037

src/polkit-grant/polkit-grant-helper.c line 231:

                /* send to parent */
                fprintf (stdout, buf);

This should be fprintf(stdout, "%s", buf);

I also recommend adding "-Wformat -Wformat-security" to the gcc CFLAGS.
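An added example, not code from PolicyKit or from anyone in this thread, that makes the two points above concrete: why Ralf's 'foo%bar' authenticated while 'abcd%efgh' and 'foo%xbar' did not, and what Kees's one-line change does. has_format_directive() walks a string with the same grammar printf uses and reports whether it contains a conversion directive, and send_to_parent() is the hardened form of the write, with the buffer passed as data under a constant "%s" format. The function names, buffer sizes and sample passwords are assumptions made for this example; the vulnerable fprintf(stdout, buf) is deliberately not executed, since feeding it these strings is undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Conversion characters of a C99 printf.  'b' is absent, which is why
 * "foo%bar" still authenticated while "foo%ebar" and "foo%xbar" did not.
 * (glibc 2.37 and later also accept the C23 %b/%B conversions, so on a
 * newer libc "foo%bar" would consume an argument as well.) */
static const char CONVERSIONS[] = "diouxXeEfFgGaAcspn";

/* Returns 1 if s, handed to printf as the format argument, would contain
 * at least one conversion directive, i.e. anything beyond the literal "%%".
 * Follows the printf grammar: % [flags] [width] [.precision] [length] conv. */
int has_format_directive(const char *s)
{
    const char *p = s;

    while ((p = strchr(p, '%')) != NULL) {
        p++;
        if (*p == '%') {                /* "%%" prints a literal '%' */
            p++;
            continue;
        }
        while (*p && strchr("-+ #0", *p))              /* flags */
            p++;
        while (*p == '*' || (*p >= '0' && *p <= '9'))  /* width */
            p++;
        if (*p == '.') {                               /* precision */
            p++;
            while (*p == '*' || (*p >= '0' && *p <= '9'))
                p++;
        }
        while (*p && strchr("hlLqjzt", *p))            /* length modifier */
            p++;
        if (*p && strchr(CONVERSIONS, *p))
            return 1;
        /* Not a recognised directive (e.g. "%b"): keep scanning from here. */
    }
    return 0;
}

/* Hardened form of the "send to parent" write from polkit-grant-helper.c:
 * the format is a constant and the buffer is an argument, so its bytes
 * are copied verbatim.  Returns snprintf's count of bytes that would be
 * written, and NUL-terminates out when outsz > 0.  (Assumed name.) */
int send_to_parent(char *out, size_t outsz, const char *buf)
{
    return snprintf(out, outsz, "%s", buf);
}

/* Constructed check: does pw survive the hardened path byte-for-byte? */
int roundtrips_intact(const char *pw)
{
    char out[256];
    int n = send_to_parent(out, sizeof out, pw);
    return n == (int)strlen(pw) && strcmp(out, pw) == 0;
}

int main(void)
{
    /* Constructed sample passwords, modelled on the ones reported above. */
    const char *samples[] = { "foo%bar", "abcd%efgh", "foo%xbar",
                              "100%% sure", "%08.3lf", "end%" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s directive=%d intact_via_%%s=%d\n", samples[i],
               has_format_directive(samples[i]),
               roundtrips_intact(samples[i]));
    return 0;
}
```

Building this with the flags Kees recommends (-Wformat -Wformat-security) is silent, because every format here is a literal; putting the original fprintf (stdout, buf) line back in produces the "format not a string literal and no format arguments" warning quoted in the next comment, and -Werror=format-security turns that warning into a build failure so the pattern cannot return unnoticed.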

Revision history for this message
In , Kees Cook (kees) wrote :

$ grep 'format not a string literal' /scratch/ubuntu/logs/policykit_0.7-2ubuntu6_20080331-1621
polkit-policy-cache.c:150: warning: format not a string literal and no format arguments
polkit-grant-helper.c:231: warning: format not a string literal and no format arguments
polkit-grant-helper.c:242: warning: format not a string literal and no format arguments

There appear to be other cases of this too.

Revision history for this message
In , Kees Cook (kees) wrote :

Created an attachment (id=15591)
fixes for format string vulnerabilities

Revision history for this message
Kees Cook (kees) wrote : Re: policykit or policykit-gnome do not work with passwords containing "%" character

src/polkit-grant/polkit-grant-helper.c line 231:

                /* send to parent */
                fprintf (stdout, buf);

This should be fprintf(stdout, "%s", buf);

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package policykit - 0.7-2ubuntu6

---------------
policykit (0.7-2ubuntu6) hardy; urgency=low

  * Add 10_format-string-security.patch: fix format strings (LP: #205037).

 -- Kees Cook <email address hidden> Mon, 31 Mar 2008 16:06:38 -0700

Changed in policykit:
status: In Progress → Fix Released
Kees Cook (kees)
Changed in policykit:
assignee: pitti → keescook
Changed in policykit:
status: Unknown → Confirmed
Revision history for this message
In , Kees Cook (kees) wrote :

CVE-2008-1658

Revision history for this message
Kees Cook (kees) wrote :

CVE-2008-1658

Revision history for this message
In , Zeuthen (zeuthen) wrote :

Hi,

Thanks for noticing this. I've committed this to HEAD

http://gitweb.freedesktop.org/?p=PolicyKit.git;a=commitdiff;h=5bc86a14cc0e356bcf8b5f861674f842869b1be7

with one change: the hunk in src/polkit/polkit-policy-cache.c didn't apply and isn't needed anymore.

Revision history for this message
In , Zeuthen (zeuthen) wrote :

Created an attachment (id=15671)
Patch for 0.6

Had to backport this for Fedora 8 so sharing the patch against 0.6.

Changed in policykit:
status: Confirmed → Fix Released
Revision history for this message
Patryk Zawadzki (patrys) wrote :

Fixed in PolicyKit-0.7-3

Revision history for this message
Elan Ruusamäe (glen666) wrote :

PolicyKit-0.7-3.src.rpm.info pushed to th-main

Changed in policykit:
importance: Unknown → Critical
Changed in policykit:
importance: Critical → Unknown
Changed in policykit:
importance: Unknown → Critical