Exploit PoC: Linux unprivileged user access to systemctl command (CVE-2018-19788)

A new vulnerability, CVE-2018-19788, has been discovered on Linux systems. It affects major Linux distributions including Red Hat, Debian, Ubuntu and CentOS. This vulnerability can be very easily exploited on Linux systems.

Vulnerability Summary: On most Linux systems, a low-privilege user with a uid greater than 2147483647 automatically gains the system-level privilege needed to issue system-level systemctl commands.

A word about Polkit (formerly PolicyKit): Polkit is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged ones, and it allows a degree of centralized control over system policy.

Vulnerability Description: The flaw was found in PolicyKit (aka polkit) 0.115; it allows a user with a uid greater than INT_MAX to successfully execute any systemctl command. INT_MAX is the maximum value a signed 32-bit integer variable can hold, which is 2147483647.

Here is a quick step-by-step PoC of exploiting the vulnerability.

My PoC Machine: I used my Ubuntu machine (Ubuntu 18.04.1 LTS) for this purpose.
My PoC Summary:
1. I created a user called ‘gooduser’ with the system-provided default uid.
2. When logged in as ‘gooduser’, I am not allowed to run the system-level command ‘systemctl’.
3. I then created another user called ‘baduser’ with uid 2147483648 (which is larger than the Linux INT_MAX value).
4. When I logged in as ‘baduser’, I could easily run the systemctl command to stop/start any service.

My Ubuntu kernel details:

Step-1: Create a good user named 'gooduser' with the system default uid

Step-2: Check the apache2 service status with the systemctl command; it shows the service is not active.

Step-3: Log in as user 'gooduser'

Step-4: Check the apache2 service and try to start it. It will not start because access is denied.

Step-5: Log off

Now let’s do the exploit.

Step-1: Create a bad user named 'baduser' with uid 2147483648

Step-2: Check the apache2 service status with the systemctl command. Again, it is not active.

Step-3: Log in as user 'baduser'

Step-4: Check the apache2 service and try to start it. Notice that it starts without any issue.

Step-5: Exploited successfully. Now log off and verify the service status again.
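
The condition the PoC relies on, an account whose uid exceeds INT_MAX, is easy to audit for. The following POSIX shell check is an added example and not part of the original write-up; it reads passwd-format lines and reports every account with a uid above 2147483647, using a constructed sample file that mirrors the two users above (on a real host, pass /etc/passwd instead).

```shell
#!/bin/sh
# Added defensive check, not part of the original write-up: report accounts
# whose numeric uid exceeds INT_MAX (2147483647), the condition that
# CVE-2018-19788 hinges on. Input is any passwd-format file (name:x:uid:...).
INT_MAX=2147483647

# Print "name:uid" for every line of file $1 whose uid field is greater than
# INT_MAX. The comparison is done in awk, which uses floating point, so values
# above 2^31 are compared correctly even where the shell's own arithmetic is
# only 32 bits wide. Lines with a missing or non-numeric uid are skipped.
find_oversized_uids() {
    awk -F: -v max="$INT_MAX" '
        NF >= 3 && $3 ~ /^[0-9]+$/ && ($3 + 0) > (max + 0) { print $1 ":" $3 }
    ' "$1"
}

# Number of such accounts. On a host running the affected polkit (0.115 per
# the write-up) any non-zero result should be treated as a finding.
count_oversized_uids() {
    find_oversized_uids "$1" | wc -l | tr -d ' '
}

# Constructed sample passwd file mirroring the write-up's users: 'gooduser'
# with an ordinary uid and 'baduser' with uid 2147483648 (INT_MAX + 1).
SAMPLE_PASSWD="$(mktemp)"
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
gooduser:x:1001:1001::/home/gooduser:/bin/bash
baduser:x:2147483648:2147483648::/home/baduser:/bin/bash
EOF

# Run the audit on the sample; replace "$SAMPLE_PASSWD" with /etc/passwd to
# audit the local host.
find_oversized_uids "$SAMPLE_PASSWD"
```

The check only finds accounts that satisfy the vulnerable condition; remediation is the vendor's polkit update, and any account it reports on an unpatched host is worth investigating for how it was created.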

Authored By - Magrabur Sofily
TCS Cyber Security Practice