ASA-2018-00067 – PolicyKit: Improper handling of user with uid > INT_MAX leading to authentication bypass


Allele Security Alert

ASA-2018-00067

Identifier(s)

ASA-2018-00067, CVE-2018-19788

Title

Improper handling of user with uid > INT_MAX leading to authentication bypass

Vendor(s)

freedesktop.org

Product(s)

PolicyKit

Affected version(s)

PolicyKit 0.115

Fixed version(s)

Unknown

Proof of concept

Yes

Description

It was discovered that incorrect processing of very high UIDs in PolicyKit, a framework for managing administrative policies and privileges, could result in authentication bypass.

Technical details

When a user or group with an id above INT32_MAX is created, the numeric uid or gid wraps around to a negative value when it is assigned to a gint, and polkit gets confused.
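The wrap described above, as an added example that is not from the advisory or from polkit's source: uid_t is modelled as uint32_t (its width on Linux) and gint as int in place of GLib's typedef, and the checked conversion shows the bound a caller must enforce before storing a uid in a signed integer.

```c
#include <inttypes.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t uid_model_t; /* stands in for uid_t (assumption: 32-bit unsigned) */
typedef int gint_model_t;     /* stands in for GLib's gint (assumption: 32-bit int) */

/* Unchecked conversion: on two's-complement compilers (gcc, clang) a uid
 * above INT_MAX is reduced modulo 2^32 and comes out negative. */
gint_model_t uid_to_gint_unchecked(uid_model_t uid)
{
    return (gint_model_t)uid;
}

/* True when the uid can be stored in a gint without changing its value. */
bool uid_fits_gint(uid_model_t uid)
{
    return uid <= (uid_model_t)INT_MAX;
}

/* Checked conversion: refuse any uid that would not survive the cast. */
bool uid_to_gint_checked(uid_model_t uid, gint_model_t *out)
{
    if (!uid_fits_gint(uid))
        return false;
    *out = (gint_model_t)uid;
    return true;
}

int main(void)
{
    /* Constructed sample uids: ordinary, INT_MAX, INT_MAX + 1, and a high one. */
    uid_model_t uids[] = { 1000u, 2147483647u, 2147483648u, 4000000000u };
    for (size_t i = 0; i < sizeof uids / sizeof uids[0]; i++) {
        gint_model_t g = 0;
        bool ok = uid_to_gint_checked(uids[i], &g);
        printf("uid %" PRIu32 " -> unchecked gint %d, checked: %s\n",
               uids[i], uid_to_gint_unchecked(uids[i]),
               ok ? "accepted" : "rejected");
    }
    return 0;
}
```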

Credits

4z3 ‘tv’ (https://github.com/4z3, https://gitlab.freedesktop.org/4z3)

Reference(s)

PolicyKit: CVE-2018-19788: Improper handling of user with uid > INT_MAX leading to authentication bypass
https://seclists.org/oss-sec/2018/q4/198

unprivileged users with UID > INT_MAX can successfully execute any systemctl command
https://gitlab.freedesktop.org/polkit/polkit/issues/74

unprivileged users with UID > INT_MAX can successfully execute any systemctl command
https://github.com/systemd/systemd/issues/11026

PoC for CVE-2018-19788
https://github.com/mirchr/security-research/blob/master/vulnerabilities/CVE-2018-19788.sh

DSA-4350-1 policykit-1 — security update
https://www.debian.org/security/2018/dsa-4350

CVE-2018-19788
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19788

CVE-2018-19788
https://nvd.nist.gov/vuln/detail/CVE-2018-19788

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: February 1, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.