Linux users with limited privileges could execute any command



Various Linux distributions might be affected by this new vulnerability

Digital forensics experts from the International Institute of Cyber Security report that, thanks to a recently discovered vulnerability, a user account with limited privileges on most Linux operating systems with a UID value greater than 2147483647 could run any SYSTEMCTL command without authorization.

The vulnerability resides in PolicyKit (also known as Polkit), a toolkit for Unix-like operating systems that defines policies, manages system-wide privileges, and provides a way for unprivileged processes to communicate with privileged ones.

This security issue, tracked as CVE-2018-19788, affects PolicyKit version 0.115, which is pre-installed on the most popular Linux distributions, including Red Hat, Debian, Ubuntu and CentOS, according to the digital forensics experts' report.

The vulnerability exists because PolicyKit validates permission requests incorrectly for any low-privileged user whose UID is greater than INT_MAX. INT_MAX is a constant widely used in programming that defines the maximum value a signed integer variable can hold, which is 2147483647 (0x7FFFFFFF in hexadecimal).

This means that if you create a user account on affected Linux systems with a UID greater than the INT_MAX value, the PolicyKit component will allow the user to execute any SYSTEMCTL command successfully.

The digital forensics expert Rich Mirch, known on Twitter as “0xm1rch”, has also published a proof-of-concept exploit demonstrating this vulnerability. Several Linux distributions have recommended that system administrators not allow UIDs over 2147483646, to mitigate the risk of attack until the corresponding update is available.
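A defender-side audit in the spirit of that advice, added here as an example and not part of the original report or of the polkit project: it scans passwd-format entries for accounts whose UID exceeds INT_MAX and shows the value each such UID would take if stored in a signed 32-bit C int, which is the kind of truncation the article describes. The sample entries are constructed; pass a file path to audit a real system.

```python
#!/usr/bin/env python3
"""Audit passwd entries for UIDs above INT_MAX (added example, not from the article)."""
import sys

INT_MAX = 2147483647  # 0x7FFFFFFF, the largest value a signed 32-bit C int can hold

# Constructed sample /etc/passwd lines for demonstration; not real system data.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
biguid:x:4000000000:4000000000:Big UID:/home/biguid:/bin/bash
edge:x:2147483648:100:Just over INT_MAX:/home/edge:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""


def as_signed_int32(value: int) -> int:
    """Value a uid_t takes when stored in a signed 32-bit int (two's-complement wrap)."""
    return ((value + 2**31) % 2**32) - 2**31


def find_risky_uids(passwd_text: str, limit: int = INT_MAX) -> list:
    """Return (name, uid, wrapped_uid) for every account whose UID exceeds `limit`."""
    risky = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue  # malformed entry: skip instead of guessing
        name, uid_field = fields[0], fields[2]
        try:
            uid = int(uid_field)
        except ValueError:
            continue  # non-numeric UID field (e.g. NIS '+' entries)
        if uid > limit:
            risky.append((name, uid, as_signed_int32(uid)))
    return risky


def main(argv):
    # With a path argument the real file is audited; otherwise the constructed sample is used.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_PASSWD
    hits = find_risky_uids(text)
    for name, uid, wrapped in hits:
        print(f"{name}: uid {uid} > INT_MAX (would read as {wrapped} in a C int)")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit status when any account is flagged makes the script usable from a cron job or configuration-management check.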