Linux polkit local privilege escalation vulnerability (CVE-2021-4034): fix case study and POC reproduction


Vulnerability description

Recently a security team abroad (Qualys) published an advisory for a local privilege escalation vulnerability in polkit's pkexec program. pkexec is a setuid-root utility that lets unprivileged users run commands as a privileged user according to predefined policies. The affected versions of pkexec never check that they were invoked with at least one argument: when argv is empty (argc == 0), the option-parsing loop reads argv[1], which in that case is the first environment string envp[0], and later writes the resolved program path back to that same location, injecting an attacker-controlled variable into pkexec's own environment. Variables that pkexec would normally scrub, such as GCONV_PATH, can be smuggled in this way, so a local attacker who controls the environment can make pkexec load and execute arbitrary code. Successful exploitation gives an unprivileged user root. CVE-2021-4034 (also known as PwnKit).

polkit's pkexec has a local privilege escalation vulnerability: an attacker who already has an ordinary unprivileged account can use it to obtain root.

A POC for the vulnerability has already been leaked publicly; exploiting it lets a malicious local user escalate privileges.

CVSS score: 7.8

Severity: High

【Affected versions】

Because pkexec ships preinstalled as part of polkit, all mainstream Linux distributions are affected.

【Official advisories】

CentOS series (first fixed package versions):

CentOS 6:polkit-0.96-11.el6_10.2
CentOS 7:polkit-0.112-26.el7_9.1
CentOS 8 (8.5 stream):polkit-0.115-13.el8_5.1
CentOS 8.2:polkit-0.115-11.el8_2.2
CentOS 8.4:polkit-0.115-11.el8_4.2

Ubuntu series (first fixed package versions):

Ubuntu 20.04 LTS:policykit-1 - 0.105-26ubuntu1.2
Ubuntu 18.04 LTS:policykit-1 - 0.105-20ubuntu0.18.04.6
Ubuntu 16.04 ESM:policykit-1 - 0.105-14.1ubuntu0.5+esm1
Ubuntu 14.04 ESM:policykit-1 - 0.105-4ubuntu3.14.04.6+esm1

【Remediation advice】

All major Linux distributions have released security patches. Upgrade to a fixed version as soon as possible, or apply the mitigation described in the vendor advisory. CentOS, Ubuntu and Debian users can refer to the following links:

https://ubuntu.com/security/CVE-2021-4034

https://access.redhat.com/security/cve/CVE-2021-4034

https://security-tracker.debian.org/tracker/CVE-2021-4034

As of 2022/01/27, CentOS has published the security update package.

Download location: http://mirror.centos.org/centos/7/updates/x86_64/Packages/

Checking the installed version

Check whether the installed polkit is a patched version with the command below and compare the output with the fixed versions listed above (on CentOS 7 it must be 0.112-26.el7_9.1 or later):

[root@node01 ~]# rpm -qa polkit
polkit-0.112-26.el7_9.1.x86_64

POC reproduction, before the fix (cve-2021-4034-poc is a copy of the public POC binary, copied into the test user's home directory)
[root@node02 ~]# cat /etc/redhat-release 
CentOS Linux release 7.6.1810 (Core) 
[root@node02 ~]# uname  -a
Linux node02 3.10.0-957.el7.x86_64 #1 SMP Thu Nov 8 23:39:32 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
[root@node02 ~]# rpm -aq | grep polkit
polkit-pkla-compat-0.1-4.el7.x86_64
polkit-0.112-18.el7.x86_64
[root@node02 ~]# useradd liangliang
[root@node02 ~]# passwd liangliang
Changing password for user liangliang.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.
[root@node02 ~]# ls
10000.sh  1000.sh  anaconda-ks.cfg  cve-2021-4034-poc
[root@node02 ~]# cp cve-2021-4034-poc  /home/liangliang/
[root@node02 ~]# chmod 755 /home/liangliang/cve-2021-4034-poc 
[root@node02 ~]# su - liangliang
[liangliang@node02 ~]$ ./cve-2021-4034-poc 
sh-4.2# 
sh-4.2# 
sh-4.2# id
uid=0(root) gid=0(root) groups=0(root),2334(liangliang)
sh-4.2# cat /etc/passwd

Note: an ordinary user runs the POC and gets a root shell directly; the risk is very high.

Temporary mitigation: remove the setuid bit from pkexec

Until the package can be updated, remove the setuid bit from /usr/bin/pkexec (chmod 0755 /usr/bin/pkexec, equivalently chmod u-s /usr/bin/pkexec). The stat output below shows the s bit before and after the change. Caveat: without the setuid bit pkexec cannot elevate anyone, so anything that legitimately relies on pkexec (desktop tools that use polkit to run privileged actions) stops working until the package is updated. rpm -V polkit will report the changed mode, and installing the fixed package reinstalls the binary with its normal 4755 mode (rpm --setperms polkit also restores the packaged permissions).


[root@node02 ~]# stat  /usr/bin/pkexec             ##### before the change
  File: ‘/usr/bin/pkexec’
  Size: 23656           Blocks: 48         IO Block: 4096   regular file
Device: 802h/2050d      Inode: 201351697   Links: 1
Access: (4755/-rwsr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)  
Access: 2022-01-27 17:20:13.235841977 +0800
Modify: 2018-10-31 06:26:01.000000000 +0800
Change: 2022-01-27 17:20:03.518723115 +0800
 Birth: -
 
 [root@node02 ~]# ll /usr/bin/pkexec 
-rwsr-xr-x. 1 root root 23656 Oct 31  2018 /usr/bin/pkexec

[liangliang@node02 ~]$ ll /usr/bin/pkexec 
-rwxr-xr-x. 1 root root 23656 Oct 31  2018 /usr/bin/pkexec
[liangliang@node02 ~]$ exit
logout


[root@node02 ~]# stat  /usr/bin/pkexec   ##### after the change
  File: ‘/usr/bin/pkexec’
  Size: 23656           Blocks: 48         IO Block: 4096   regular file
Device: 802h/2050d      Inode: 201351697   Links: 1
Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)  ### setuid bit removed
Access: 2022-01-27 17:22:13.235841977 +0800
Modify: 2018-10-31 06:26:01.000000000 +0800
Change: 2022-01-27 17:22:03.518723115 +0800
 Birth: -

Permanent fix (1): online upgrade

CentOS users can upgrade from the official repository to the fixed version (or later) with the following commands:

yum clean all && yum makecache
yum update polkit -y

[root@node01 ~]# yum update polkit -y
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package polkit.x86_64 0:0.112-18.el7 will be updated
---> Package polkit.x86_64 0:0.112-26.el7_9.1 will be an update
--> Finished Dependency Resolution
 
Dependencies Resolved
 
===================================================================================================
 Package             Arch                Version                        Repository            Size
===================================================================================================
Updating:
 polkit              x86_64              0.112-26.el7_9.1               updates              170 k
 
Transaction Summary
===================================================================================================
Upgrade  1 Package
 
Total download size: 170 k
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
polkit-0.112-26.el7_9.1.x86_64.rpm                                          | 170 kB  00:00:00    
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : polkit-0.112-26.el7_9.1.x86_64                                                  1/2
  Cleanup    : polkit-0.112-18.el7.x86_64                                                      2/2
  Verifying  : polkit-0.112-26.el7_9.1.x86_64                                                  1/2
  Verifying  : polkit-0.112-18.el7.x86_64                                                      2/2
 
Updated:
  polkit.x86_64 0:0.112-26.el7_9.1                                                                
 
Complete!
[root@node01 ~]#
 
 
[root@node01 ~]# rpm -aq | grep polkit
polkit-pkla-compat-0.1-4.el7.x86_64
polkit-0.112-26.el7_9.1.x86_64
[root@node01 ~]#

Verification result

Note on the output below: the "Permission denied" and "Operation not permitted" lines come from the POC itself failing to create its GCONV_PATH=./pwnkit staging files in /tmp, which already holds root-owned copies from a run of the same POC as root in that directory, so this run never reached pkexec, and the trailing segmentation fault cannot be attributed to pkexec from this output alone. The conclusive evidence that the patch works is the patched pkexec printing its usage text and exiting instead of spawning a root shell, as shown in the node03 run (offline upgrade) and the node01 root run further below.
[lianglab@node01 tmp]$ ./cve-2021-4034-poc 
touch: cannot touch ‘GCONV_PATH=./pwnkit’: Permission denied
chmod: changing permissions of ‘GCONV_PATH=./pwnkit’: Operation not permitted
sh: pwnkit/gconv-modules: Permission denied
Segmentation fault (core dumped)
[lianglab@node01 tmp]$ 


Permanent fix (2): offline upgrade
wget http://mirror.centos.org/centos/7/updates/x86_64/Packages/polkit-0.112-26.el7_9.1.x86_64.rpm
rpm -Uvh polkit-0.112-26.el7_9.1.x86_64.rpm
rpm -aq | grep polkit   # confirm polkit is now a patched version
./cve-2021-4034-poc     # re-run the POC to verify

[root@node03 src]# ls
cve-2021-4034-poc  polkit-0.112-26.el7_9.1.x86_64.rpm  sysinit.sh
[root@node03 src]# rpm -aq | grep polkit
polkit-pkla-compat-0.1-4.el7.x86_64
polkit-0.112-18.el7.x86_64
[root@node03 src]# rpm -Uvh  polkit-0.112-26.el7_9.1.x86_64.rpm
Preparing...                          ################################# [100%]
Updating / installing...
   1:polkit-0.112-26.el7_9.1          ################################# [ 50%]
Cleaning up / removing...
   2:polkit-0.112-18.el7              ################################# [100%]
[root@node03 src]# rpm -aq | grep polkit
polkit-pkla-compat-0.1-4.el7.x86_64
polkit-0.112-26.el7_9.1.x86_64
[root@node03 src]# su - lianglab
Last login: Thu Jan 27 17:50:22 CST 2022 on pts/0
[lianglab@node03 ~]$ ls
[lianglab@node03 ~]$ cd /tmp/
[lianglab@node03 tmp]$ ./cve-2021-4034-poc 
pkexec --version |
       --help |
       --disable-internal-agent |
       [--user username] PROGRAM [ARGUMENTS...]

See the pkexec manual page for more details.

Report bugs to: http://lists.freedesktop.org/mailman/listinfo/polkit-devel
polkit home page: <http://www.freedesktop.org/wiki/Software/polkit>
[lianglab@node03 tmp]$ 
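The checks used throughout this post (rpm -qa polkit against the fixed-version table, the mode of /usr/bin/pkexec before and after the temporary mitigation, and the re-check after the online or offline upgrade) can be combined into one script. The script below is an added example for this page, not code from the original post or from the polkit project. It assumes an RPM-based host with GNU coreutils (sort -V for version comparison, stat -c for the file mode) and takes its fixed versions from the CentOS table above; the file name pwnkit_check.sh and the function names version_ge, fixed_version_for, polkit_is_fixed, mode_has_setuid, assess, check_host and mitigate are the example's own.

```shell
#!/bin/bash
# pwnkit_check.sh: assess a CentOS/RHEL host for CVE-2021-4034 and, on request,
# apply the temporary mitigation from this post (drop the setuid bit).
# Added example, not code from the original post or from polkit. Assumes GNU
# coreutils (sort -V, stat -c) and rpm; fixed versions are the ones listed above.

# version_ge A B: 0 if RPM "version-release" A is >= B (same distro stream).
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n1)" = "$2" ]
}

# fixed_version_for INSTALLED: print the first fixed version for the stream
# named by INSTALLED's dist tag, or fail if the stream is not in the table.
fixed_version_for() {
    case "$1" in
        *.el6*)   echo "0.96-11.el6_10.2" ;;
        *.el7*)   echo "0.112-26.el7_9.1" ;;
        *.el8_2*) echo "0.115-11.el8_2.2" ;;   # EUS streams first: more specific
        *.el8_4*) echo "0.115-11.el8_4.2" ;;
        *.el8*)   echo "0.115-13.el8_5.1" ;;
        *)        return 1 ;;
    esac
}

# polkit_is_fixed INSTALLED: 0 patched, 1 vulnerable, 2 unknown stream.
polkit_is_fixed() {
    local fixed
    fixed=$(fixed_version_for "$1") || return 2
    version_ge "$1" "$fixed"
}

# mode_has_setuid MODE: 0 if an octal mode as printed by `stat -c %a` carries
# the setuid bit (a four-digit mode whose leading digit includes 4).
mode_has_setuid() {
    case "$1" in
        [4567]???) return 0 ;;
        *)         return 1 ;;
    esac
}

# assess INSTALLED MODE -> PATCHED | MITIGATED | VULNERABLE | UNKNOWN
assess() {
    local rc=0
    polkit_is_fixed "$1" || rc=$?
    case $rc in
        0) echo PATCHED ;;
        1) if mode_has_setuid "$2"; then echo VULNERABLE; else echo MITIGATED; fi ;;
        *) echo UNKNOWN ;;
    esac
}

# check_host: query the live system (needs rpm and /usr/bin/pkexec).
check_host() {
    local installed mode
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}' polkit) || { echo "polkit not installed"; return 2; }
    mode=$(stat -c %a /usr/bin/pkexec) || return 2
    printf 'polkit %s, pkexec mode %s: %s\n' "$installed" "$mode" "$(assess "$installed" "$mode")"
}

# mitigate: the temporary measure from this post. pkexec stops working for
# every user until the package is updated; `rpm -V polkit` reports the changed
# mode and `rpm --setperms polkit` restores the packaged 4755.
mitigate() {
    chmod 0755 /usr/bin/pkexec && stat -c '%a %n' /usr/bin/pkexec
}

case "${1:-}" in
    check)    check_host ;;
    mitigate) mitigate ;;
    "")       ;;   # sourced or run without arguments: only define the functions
    *)        echo "usage: $0 check|mitigate" >&2; exit 64 ;;
esac
```

`./pwnkit_check.sh check` prints one of PATCHED, MITIGATED, VULNERABLE or UNKNOWN; UNKNOWN means the dist tag is not in the table (for example a Debian or Ubuntu policykit-1 package, which this script does not cover). `./pwnkit_check.sh mitigate` applies the same chmod as the mitigation section and must run as root. The version comparison is only meaningful inside one stream: a CentOS 8.2 EUS package is compared with 0.115-11.el8_2.2, not with the 8.5 version.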


POC reproduction after the fix

1. After the temporary mitigation (setuid bit removed from /usr/bin/pkexec). Without the setuid bit pkexec starts with the invoking user's own privileges; it still receives the POC's environment (the GLib converter message refers to the POC's CHARSET=PWNKIT), but nothing can run as root and pkexec itself bails out with "pkexec must be setuid root":

[liangliang@node02 ~]$ ./cve-2021-4034-poc 
GLib: Cannot convert message: Could not open converter from “UTF-8” to “PWNKIT”
pkexec must be setuid root
[liangliang@node02 ~]$ ll /usr/bin/pkexec 
-rwxr-xr-x. 1 root root 23656 Oct 31  2018 /usr/bin/pkexec

2. After installing the official update package. The patched pkexec refuses an empty argv and prints its usage text instead, whether the POC is run as root or as an unprivileged user, so no shell is spawned; the stat output also shows the update reinstalled the binary with its normal 4755 mode. In the lianglab run at the end, the "Permission denied" lines come from the POC failing to recreate staging files in /tmp that the preceding root run left owned by root, not from pkexec:
[root@node01 tmp]# ./cve-2021-4034-poc 
pkexec --version |
       --help |
       --disable-internal-agent |
       [--user username] PROGRAM [ARGUMENTS...]

See the pkexec manual page for more details.

Report bugs to: http://lists.freedesktop.org/mailman/listinfo/polkit-devel
polkit home page: <http://www.freedesktop.org/wiki/Software/polkit>
[root@node01 tmp]# rpm -aq | grep polkit
polkit-pkla-compat-0.1-4.el7.x86_64
polkit-0.112-26.el7_9.1.x86_64
[root@node01 tmp]# stat /usr/bin/pkexec 
  File: ‘/usr/bin/pkexec’
  Size: 27672           Blocks: 56         IO Block: 4096   regular file
Device: 802h/2050d      Inode: 201732651   Links: 1
Access: (4755/-rwsr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2022-01-27 17:38:54.182253858 +0800
Modify: 2022-01-26 03:42:49.000000000 +0800
Change: 2022-01-27 14:22:41.682719484 +0800
 Birth: -
[root@node01 tmp]# 

[lianglab@node01 tmp]$ ./cve-2021-4034-poc 
touch: cannot touch ‘GCONV_PATH=./pwnkit’: Permission denied
chmod: changing permissions of ‘GCONV_PATH=./pwnkit’: Operation not permitted
sh: pwnkit/gconv-modules: Permission denied
Segmentation fault (core dumped)
[lianglab@node01 tmp]$ 

Red Hat erratum for this fix on RHEL 7: https://access.redhat.com/errata/RHSA-2022:0274
As of 2022/01/26, CentOS had already published the security update package.

Advertisement

  • About me: nationwide 7*24 managed operations service
  • WeChat: foreverops
  • QQ: 867266199
  • Taobao shop: nationwide 7*24 managed operations service
  • Nationwide managed operations: cloud consulting, managed operations, architecture design and cost reduction for small and medium-sized businesses.


Default package sources (Ubuntu 21.10 "impish", Aliyun mirror)

deb http://mirrors.aliyun.com/ubuntu/ impish main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ impish-updates main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ impish-backports main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ impish-security main restricted universe multiverse

Source package repositories

deb-src http://mirrors.aliyun.com/ubuntu/ impish main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ impish-updates main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ impish-backports main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ impish-security main restricted universe multiverse




=============================================================
# Ubuntu official sources
deb http://archive.ubuntu.com/ubuntu/ impish main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu/ impish main restricted universe multiverse

deb http://archive.ubuntu.com/ubuntu/ impish-updates main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu/ impish-updates main restricted universe multiverse

deb http://archive.ubuntu.com/ubuntu/ impish-security main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu/ impish-security main restricted universe multiverse

Note: the configuration above is an example for Ubuntu 21.10; for other Ubuntu releases replace the release name accordingly.

===============================================================================

#!/bin/bash
# Install Miniconda3 from the Tsinghua mirror and point conda and pip at
# domestic mirrors. (The original was titled Anaconda3 but downloads Miniconda.)
set -e

# Directory for downloaded files
mkdir -p ~/download

# Installation directory (the ANACONDA_VERSION variable in the original was
# never used; the download below pins Miniconda3 py39_4.11.0)
ANACONDA_INSTALL_DIR=~/anaconda3

# Download the installer
wget https://mirrors.tuna.tsinghua.edu.cn/anaconda/miniconda/Miniconda3-py39_4.11.0-Linux-x86_64.sh -O ~/download/anaconda3.sh

# Unattended install (-b) into the chosen prefix (-p)
bash ~/download/anaconda3.sh -b -p "$ANACONDA_INSTALL_DIR"
echo 'the installation is completed...'

# Put conda on PATH for the rest of this script and for future shells.
# Sourcing ~/.bashrc inside a script only affects the script's own shell,
# so export the PATH directly here as well.
export PATH="$ANACONDA_INSTALL_DIR/bin:$PATH"
echo 'export PATH=~/anaconda3/bin:$PATH' >> ~/.bashrc
echo 'the bashrc is completed...'

# Switch conda to the Tsinghua mirror
conda config --add channels https://mirrors.tuna.tsinghua.edu.cn/anaconda/pkgs/main/
conda config --add channels https://mirrors.tuna.tsinghua.edu.cn/anaconda/pkgs/free/
conda config --set show_channel_urls yes
echo 'the channels is completed...'

# Switch pip to the Aliyun mirror over HTTPS. With TLS there is no need for
# install.trusted-host, which would have made pip ignore certificate errors
# and accept packages from anyone able to intercept plain HTTP.
pip config set global.index-url https://mirrors.aliyun.com/pypi/simple/
echo 'the channel of pip has been changed...'

# Register conda's shell hook in ~/.bashrc
conda init

$ sudo dnf install https://download2.rstudio.org/server/rhel9/x86_64/rstudio-server-rhel-2023.03.0-386-x86_64.rpm

https://dailies.rstudio.com/version/2023.03.0+386/

https://www.yuque.com/liangliang-i3uti/hbhwqv/fdupsq714x97544u?singleDoc# (Environment setup 1)

