From:
bobf.at.mrp3.dot.com@testing.local
https://www.theregister.com/2022/01/26/pwnkit_vulnerability_linuix/
"Linux vendors on Tuesday issued patches for a memory corruption
vulnerability in a component called polkit that allows an unprivileged logged-in user to gain full root access on a system in its default configuration."
A coding error that allows 'argc == 0' to create a vulnerability in
pkexec has very very very recently been patched in FreeBSD and several
Linux distros (more to come, no doubt).
In case anyone has any question, you can make this happen with the
following code:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
extern char **environ;
int main(int argc, char *argv[])
{
/* an argv with no entries at all: arg[0] is the terminating NULL,
   so the program that gets exec'd starts with argc == 0 */
char *arg[2]={NULL,NULL};
int i1;
/* execve() only returns if it fails, so anything after this line
   is the error path; the path below is a placeholder to fill in */
i1 = execve("/path/to/the/application", arg, environ);
// in case it fails
printf("i1 is %d, errno is %d (%s)\n", i1, errno, strerror(errno));
return 0;
}
I used this to test it, and it ran with argc == 0:
#include <stdio.h>
int main(int argc, char *argv[])
{
/* with an empty argv this prints "argc = 0" and argv[0] is NULL */
printf("argc = %d\n", argc);
return 0;
}
The point of showing this is not to allow some cracker to exploit with
it (you would need shell access and compiler capability to use it
anyway). The point is to GET PEOPLE TO PATCH any system that might be affected. And it's worth pointing out the bug as an example of something to NEVER
assume: that argc is always >= 1.
The bug is in pkexec.c where a loop looks for arguments, and then code
is executed where 'n == 1' - and it is supposed to be the next argument
after the switches, sorta like getopt mig
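The two programs above can be folded into one. What follows is an added example, not code from the original post or from polkit: it walks argv the way a hand-rolled switch loop does, refuses to index past the end when argc == 0 (so the "n == 1" slot is never read as if it were an argument when it is really the start of the environment), and then re-executes itself with an empty argv so the child demonstrates the argc == 0 case. The only assumption is that the binary is started with a path containing a slash (for example ./a.out), because execve() does not search PATH.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <sys/wait.h>

extern char **environ;

/* Skip leading "-x" switches and return the index of the first
 * non-option argument, in the style of a hand-rolled option loop.
 * Bounded by argc, so an empty argv never reads argv[1]. */
static int first_nonoption(int argc, char **argv)
{
    int n = 1;                              /* argv[0] is the program name, if any */
    while (n < argc && argv[n] != NULL && argv[n][0] == '-')
        n++;
    return n;
}

/* Hardened lookup: returns the first non-option argument, or NULL when
 * there is none. With argc == 0, argv[0] is already the terminating
 * NULL, and argv[1] lies past the end of the array (it is envp[0] as
 * laid out by the kernel), so the argc check is what keeps us safe. */
const char *safe_first_arg(int argc, char **argv)
{
    if (argc < 1 || argv == NULL || argv[0] == NULL)
        return NULL;                        /* empty argv: refuse rather than index */
    int n = first_nonoption(argc, argv);
    if (n >= argc)
        return NULL;                        /* only switches, or nothing at all */
    return argv[n];
}

/* Spawn `path` with an empty argv ({ NULL }) and return the child's
 * exit status, or -1 on fork/wait failure and 127 if execve fails.
 * The kernel accepts this, so the child starts with argc == 0. */
int spawn_with_empty_argv(const char *path)
{
    char *empty_argv[] = { NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, empty_argv, environ);
        _exit(127);                         /* execve only returns on error */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char *argv[])
{
    const char *a = safe_first_arg(argc, argv);
    printf("argc = %d, first non-option argument: %s\n", argc, a ? a : "(none)");

    /* Only the parent (which has a real argv[0]) re-executes itself; the
     * child sees argc == 0, prints "(none)" above, and stops here. */
    if (argc > 0) {
        int rc = spawn_with_empty_argv(argv[0]);
        printf("child run with empty argv exited with status %d\n", rc);
    }
    return 0;
}
```

Run as ./a.out -v something: the parent reports "something" as the first non-option argument, and the child it spawns reports argc = 0 with no argument, instead of treating whatever happens to sit at argv[1] as one.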