Polkit is a system service installed by default on many Linux distributions. It’s used by systemd, so any Linux distribution that uses systemd also uses polkit. As a member of GitHub Security Lab, my job is to help improve the security of open source software by finding and reporting vulnerabilities. A few weeks ago, I found a privilege escalation vulnerability in polkit. I coordinated the disclosure of the vulnerability with the polkit maintainers and with Red Hat’s security team. It was publicly disclosed, the fix was released on June 3, 2021, and it was assigned CVE-2021-3560.

The vulnerability enables an unprivileged local user to get a root shell on the system. It’s easy to exploit with a few standard command line tools, as you can see in this short video.

History of CVE-2021-3560 and vulnerable distributions

It was introduced seven years ago in commit bfa5036 and first shipped with polkit version 0.113. However, many of the most popular Linux distributions didn’t ship the vulnerable version until more recently.

The bug has a slightly different history on Debian and its derivatives (such as Ubuntu), because Debian uses a fork of polkit with a different version numbering scheme. In the Debian fork, the bug was introduced in commit f81d021 and first shipped with version 0.105-26. The most recent stable release of Debian, Debian 10 (“buster”), uses version 0.105-25, which means that it isn’t vulnerable. However, some Debian derivatives, such as Ubuntu, are based on Debian unstable, which is vulnerable.

Here’s a table with a selection of popular distributions and whether they’re vulnerable (note that this isn’t a comprehensive list):

Polkit is the system service that’s running under the hood when you see a dialog box like the one below:

It essentially plays the role of a judge. If you want to do something that requires higher privileges (for example, creating a new user account), then it’s polkit’s job to decide whether or not you’re allowed to do it. For some requests, polkit will make an instant decision to allow or deny, and for others it will pop up a dialog box so that an administrator can grant authorization by entering their password.

The dialog box might give the impression that polkit is a graphical system, but it’s actually a background process. The dialog box is known as an authentication agent and it’s really just a mechanism for sending your password to polkit. To illustrate that polkit isn’t just for graphical sessions, try running this command in a terminal:

    pkexec reboot

pkexec is a similar command to sudo, which enables you to run a command as root. If you run pkexec in a graphical session, it will pop up a dialog box, but if you run it in a text-mode session such as SSH then it starts its own text-mode authentication agent:

    $ pkexec reboot
    = AUTHENTICATING FOR =
    Authentication is needed to run `/usr/sbin/reboot' as the super user
    Authenticating as: Kevin Backhouse, (kev)

Another command that you can use to trigger polkit from the command line is dbus-send. It’s a general purpose tool for sending D-Bus messages that’s mainly used for testing, but it’s usually installed by default on systems that use D-Bus. It can be used to simulate the D-Bus messages that the graphical interface might send. For example, this is the command to create a new user:

    dbus-send --system --dest= --type=method_call --print-reply /org/freedesktop/Accounts string:boris string:"Boris Ivanovich Grishenko" int32:1

If you run that command in a graphical session, an authentication dialog box will pop up, but if you run it in a text-mode session such as SSH, then it fails immediately. That’s because, unlike pkexec, dbus-send does not start its own authentication agent.

The vulnerability is surprisingly easy to exploit. All it takes is a few commands in the terminal using only standard tools like bash, kill, and dbus-send.

The proof of concept (PoC) exploit I describe in this section depends on two packages being installed: accountsservice and gnome-control-center. On a graphical system such as Ubuntu Desktop, both of those packages are usually installed by default. But if you’re using something like a non-graphical RHEL server, then you might need to install them, like this:

    sudo yum install accountsservice gnome-control-center

Of course, the vulnerability doesn’t have anything specifically to do with either accountsservice or gnome-control-center. They’re just polkit clients that happen to be convenient vectors for exploitation.