Allele Security Alert
ASA-2018-00067
Identifier(s)
ASA-2018-00067, CVE-2018-19788
Title
Improper handling of user with uid > INT_MAX leading to authentication bypass
Vendor(s)
freedesktop.org
Product(s)
PolicyKit
Affected version(s)
PolicyKit 0.115
Fixed version(s)
Unknown
Proof of concept
Yes
Description
It was discovered that incorrect processing of very high UIDs in PolicyKit, a framework for managing administrative policies and privileges, could result in authentication bypass.
Technical details
When a user or group with an ID above INT32_MAX is created, the numeric uid or gid wraps around to a negative value when it is assigned to a gint, and polkit gets confused.
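The wraparound described above, shown together with an audit of passwd(5)-format entries for UIDs that do not fit in a gint. This is an added example, not code from the alert or from polkit. The `gint` typedef mirrors GLib's definition, and the function names and sample entries are constructed for illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* GLib defines gint as plain int; redeclared here so the example builds without GLib. */
typedef int gint;

/* Value a 32-bit unsigned uid takes once stored in a gint (wraps on common platforms). */
gint uid_as_gint(uint32_t uid) { return (gint)uid; }

/* Extract the third field (uid) of a passwd(5)-format line. Returns 0 on success, -1 if malformed. */
int passwd_uid(const char *line, uint32_t *uid_out)
{
    const char *p = line;
    for (int field = 0; field < 2; field++) {
        p = strchr(p, ':');
        if (p == NULL) return -1;
        p++;
    }
    if (*p < '0' || *p > '9') return -1;      /* reject signs, spaces, empty field */
    char *end;
    unsigned long long v = strtoull(p, &end, 10);
    if (*end != ':' || v > UINT32_MAX) return -1;
    *uid_out = (uint32_t)v;
    return 0;
}

/* Report and count accounts whose uid is above INT_MAX and so turns negative in a gint. */
int count_high_uids(const char *const *lines, size_t n)
{
    int flagged = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t uid;
        if (passwd_uid(lines[i], &uid) != 0 || uid <= (uint32_t)INT_MAX) continue;
        printf("uid %u becomes %d as gint: %s\n", (unsigned)uid, uid_as_gint(uid), lines[i]);
        flagged++;
    }
    return flagged;
}

/* Constructed sample entries, not taken from any real system. */
const char *const SAMPLE_PASSWD[] = {
    "root:x:0:0:root:/root:/bin/bash", "alice:x:1000:1000::/home/alice:/bin/bash",
    "edge:x:2147483647:1000::/home/edge:/bin/bash", "highuid:x:4000000000:1000::/home/highuid:/bin/bash",
};

int main(void) { return count_high_uids(SAMPLE_PASSWD, 4) == 1 ? 0 : 1; }
```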
Credits
4z3 ‘tv’ (https://github.com/4z3, https://gitlab.freedesktop.org/4z3)
Reference(s)
PolicyKit: CVE-2018-19788: Improper handling of user with uid > INT_MAX leading to authentication bypass
https://seclists.org/oss-sec/2018/q4/198
unprivileged users with UID > INT_MAX can successfully execute any systemctl command
https://gitlab.freedesktop.org/polkit/polkit/issues/74
unprivileged users with UID > INT_MAX can successfully execute any systemctl command
https://github.com/systemd/systemd/issues/11026
PoC for CVE-2018-19788
https://github.com/mirchr/security-research/blob/master/vulnerabilities/CVE-2018-19788.sh
DSA-4350-1 policykit-1 — security update
https://www.debian.org/security/2018/dsa-4350
CVE-2018-19788
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19788
CVE-2018-19788
https://nvd.nist.gov/vuln/detail/CVE-2018-19788
Last modified: February 1, 2019