Mva nje Imigangatho wakhupha iindaba ukuba ichonge ukuba sesichengeni (I-CVE-2021-4034) en icandelo lenkqubo ipholiti (eyayisakuba yiPolicyKit), esetyenziswa ekuhanjisweni ukuvumela abasebenzisi abangafanelekanga ukuba benze izenzo ezifuna amalungelo okufikelela aphezulu.
Ukuba sesichengeni ivumela umsebenzisi wasekhaya ongenanto ukuphakamisa amalungelo abo kumsebenzisi wengcambu kwaye ufumane ulawulo olupheleleyo phezu kwenkqubo. Umba unekhowudi ebizwa ngokuba yiPwnKit kwaye iphawuleka ekuveliseni ukuxhaphaka okusebenzayo okuqhuba kuqwalaselo olungagqibekanga kunikezelo oluninzi lweLinux.
Kuyakhankanywa ukuba ingxaki ikhona kusetyenziso lwe pkexec olubandakanyiweyo nePolKit, eza nengcambu yeflegi ye-SUID kwaye yenzelwe ukwenza imiyalelo ngamalungelo abanye abasebenzisi ngokwemigaqo yePolKit.
Ngenxa yokuphathwa kakubi kweengxoxo ukusuka kumgca womyalelo ogqithiselwe kwi pkexec, a umsebenzisi ongenalungelo angagqitha uqinisekiso kwaye abe nekhowudi yakho iqhutywe njengengcambu, kungakhathaliseki ukuba yeyiphi imigaqo yokufikelela esekiweyo. Kuhlaselo, nokuba zeziphi izicwangciso kunye nezithintelo ezibekwe kwi-PolKit, kwanele ukuba i-SUID yophawu loyelelwano lwengcambu lumiselwe ifayile ephunyezwayo nge pkexec eluncedo.
I-Pkexec ayijongi ukuchaneka Ubalo lwempikiswano yomgca womyalelo (argc) egqithisiweyo xa uqalwa inkqubo. Abaphuhlisi be-pkexec bacinge ukuba ungeno lokuqala kuluhlu lwe-argv luhlala lunegama lenkqubo (pkexec), kwaye ungeno lwesibini ngu-NULL okanye igama lomyalelo owenziwe nge-pkexec.
Ukusukela ukuba ikhawuntala yempikiswano ayizange ithelekiswe nemixholo eyiyo yoluhlu kwaye yacingelwa ukuba isoloko ingaphezulu kwe-1, ukuba uluhlu lwe argv olungenanto lugqithiselwe kwinkqubo, apho umsebenzi owenziweyo we Linux uvumelayo, i pkexec iphathe iNULL njengengxabano yokuqala. Igama lenkqubo), kunye nelandelayo emva kokuphuma kwimemori yesikhuseli, njengemixholo elandelayo yoluhlu.
Ingxaki kukuba emva koluhlu lwe-argv kwinkumbulo luluhlu lwe-envp oluqulethe izinto eziguquguqukayo zokusingqongileyo. Ngoko ke, nge-argv engenanto, i-pkexec ikhupha idatha malunga nomyalelo owenziwe ngamalungelo aphezulu ukusuka kwinto yokuqala yoluhlu olunezinto eziguquguqukayo zendalo (argv[1] yafana ne-envp[0]), imixholo yayo inokulawulwa ngu umhlaseli.
Emva kokufumana ixabiso argv[1], i-pkexec izama ukumisela umendo opheleleyo kwifayile ephunyezwayo usebenzisa iindlela zefayile ku- PATH kwaye ibhala isalathisi kumtya ngendlela epheleleyo ebuyela kwi argv[1], ekhokelela ekubhaleni ngaphezulu kwexabiso le ukuguquguquka kokuqala kokusingqongileyo ngokunjalo, kuba i-argv[1] ifana ne-envp[0]. Ngokuphatha igama lemo eguquguqukayo yokuqala, umhlaseli unokutshintsha enye imo eguquguqukayo kwi pkexec, umzekelo, endaweni yemo engqongileyo "LD_PRELOAD", engavumelekanga kwiinkqubo ze-suid, kwaye ibangele inkqubo yokulayisha ilayibrari ekwabelwana ngayo inkqubo.
Ukuxhaphaza okusebenzayo kusebenzisa i-GCONV_PATH yokutshintsha okuguquguqukayo, esetyenziswa ukumisela indlela eya kwisimboli yogqithiso lweekhowudi kwilayibrari elayishwe ngamandla xa ubiza umsebenzi g_printerr(), esebenzisa iconv_open() kwikhowudi yakho.
Ngokuphinda uchaze umendo kwi-GCONV_PATH, umhlaseli unokulawula ukulayisha hayi ilayibrari ye-iconv eqhelekileyo, kodwa ilayibrari yakhe, abaqhubi bayo abaya kuphunyezwa ngexesha lomyalezo wemposiso kwinqanaba xa i-pkexec isasebenza njengengcambu naphambi kokuqinisekisa. iimvume zokuqalisa.
Kuyaqwalaselwa ukuba, nangona umba ngenxa yokonakala kwememori, ingasetyenziswa ngokuthembekileyo nangokuphindaphindiweyo, kungakhathaliseki ukuba i-architecture ye-hardware esetyenzisiweyo.
Ukuxhaphaza kulungiselelwe ivavanywe ngempumelelo ku-Ubuntu, iDebian, iFedora kunye neCentOS, kodwa inokusetyenziswa kolunye unikezelo. I-exploit yasekuqaleni ayikafumaneki esidlangalaleni, ebonisa ukuba iyinto encinci kwaye inokuphinda iphinde iphinde yenziwe ngabanye abaphandi, ngoko kubalulekile ukufaka uhlaziyo lwe-hotfix ngokukhawuleza kwiinkqubo zabasebenzisi abaninzi.
I-Polkit ikwafumaneka kwiinkqubo ze-BSD kunye ne-Solaris, kodwa ayikaphononongwa ukuze isetyenziswe. Into eyaziwayo kukuba uhlaselo alunakwenziwa kwi-OpenBSD, kuba i-OpenBSD kernel ayikuvumeli ukudlula i-null argc ixabiso xa ufowunela execve ().
Umba ukhona ukususela ngoMeyi 2009 xa umyalelo wepkexec wongezwa. Ukulungiswa kobuthathaka kwi-PolKit lusafumaneka njengephetshi (uguqulelo lolungiso alukenziwa), kodwa ekubeni abaphuhlisi bosasazo bazisiwe kwangaphambili malunga nengxaki, uninzi losasazo lukhuphe uhlaziyo ngaxeshanye kunokubhengezwa kobuthathaka. ulwazi.
Gqibela ukuba unomdla wokwazi okungakumbi ngayo, ungazijonga iinkcukacha kwi eli khonkco lilandelayo.