CVE-2011-1485 - Race Condition vulnerability in Redhat Policykit 0.96
Attack vector | LOCAL |
Attack complexity | MEDIUM |
Privileges required | NONE |
Confidentiality impact | COMPLETE |
Integrity impact | COMPLETE |
Availability impact | COMPLETE |
Summary
Race condition in the pkexec utility and polkitd daemon in PolicyKit (aka polkit) 0.96 allows local users to gain privileges by executing a setuid program from pkexec, related to the use of the effective user ID instead of the real user ID.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 1 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leveraging Race Conditions: This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the accesses take place. The attacker can leverage a race condition by "running the race", modifying the resource and altering the normal execution flow. For instance, a race condition can occur while accessing a file: the attacker can trick the system by replacing the original file with his own version and cause the system to read the malicious file.
- Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions: This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of that resource. The typical example is file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses it. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.
Exploit-Db
id | title | description | published | modified | last seen | reporter | source |
---|---|---|---|---|---|---|---|
EDB-ID:17942 | pkexec - Race Condition Privilege Escalation Exploit | pkexec - Race Condition Privilege Escalation Exploit. CVE-2011-1485. Local exploit for linux platform | 2011-10-08 | 2011-10-08 | 2016-02-02 | xi4oyu | https://www.exploit-db.com/download/17942/ |
EDB-ID:17932 | PolicyKit polkit-1 <= 0.101 - Linux Local Privilege Escalation | PolicyKit Pwnage: linux local privilege escalation on polkit-1. CVE-2011-1485. Local exploit for linux platform | 2011-10-05 | 2011-10-05 | 2016-02-02 | zx2c4 | https://www.exploit-db.com/download/17932/ |
EDB-ID:35021 | Linux PolicyKit - Race Condition Privilege Escalation | Linux PolicyKit Race Condition Privilege Escalation. CVE-2011-1485. Local exploit for linux platform | 2014-10-20 | 2014-10-20 | 2016-02-04 | metasploit | https://www.exploit-db.com/download/35021/ |
Metasploit
description | A race condition flaw was found in the PolicyKit pkexec utility and polkitd daemon. A local user could use this flaw to appear as a privileged user to pkexec, allowing them to execute arbitrary commands as root by running those commands with pkexec. Those vulnerable include RHEL6 prior to polkit-0.96-2.el6_0.1 and Ubuntu libpolkit-backend-1 prior to 0.96-2ubuntu1.1 (10.10) 0.96-2ubuntu0.1 (10.04 LTS) and 0.94-1ubuntu1.1 (9.10) |
id | MSF:EXPLOIT/LINUX/LOCAL/PKEXEC |
last seen | 2020-05-21 |
modified | 2018-10-10 |
published | 2014-10-03 |
references | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1485 |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/pkexec.rb |
title | Linux PolicyKit Race Condition Privilege Escalation |
Nessus
NASL id | NASL family | plugin id | title | published | modified | last seen | reporter | source | description |
---|---|---|---|---|---|---|---|---|---|
REDHAT-RHSA-2011-0455.NASL | Red Hat Local Security Checks | 53500 | RHEL 6 : polkit (RHSA-2011:0455) | 2011-04-20 | 2020-06-02 | 2020-06-01 | This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. | https://www.tenable.com/plugins/nessus/53500 | Updated polkit packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. PolicyKit is a toolkit for defining and handling authorizations. A race condition flaw was found in the PolicyKit pkexec utility and polkitd daemon. A local user could use this flaw to appear as a privileged user to pkexec, allowing them to execute arbitrary commands as root by running those commands with pkexec. (CVE-2011-1485) Red Hat would like to thank Neel Mehta of Google for reporting this issue. All polkit users should upgrade to these updated packages, which contain backported patches to correct this issue. The system must be rebooted for this update to take effect. |
SLACKWARE_SSA_2011-109-01.NASL | Slackware Local Security Checks | 54903 | Slackware 13.1 / current : polkit (SSA:2011-109-01) | 2011-05-28 | 2020-06-02 | 2020-06-01 | This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. | https://www.tenable.com/plugins/nessus/54903 | New polkit packages are available for Slackware 13.1 and -current to fix a security issue. |
SL_20110419_POLKIT_ON_SL6_X.NASL | Scientific Linux Local Security Checks | 61021 | Scientific Linux Security Update : polkit on SL6.x i386/x86_64 | 2012-08-01 | 2020-06-02 | 2020-06-01 | This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. | https://www.tenable.com/plugins/nessus/61021 | A race condition flaw was found in the PolicyKit pkexec utility and polkitd daemon. A local user could use this flaw to appear as a privileged user to pkexec, allowing them to execute arbitrary commands as root by running those commands with pkexec. (CVE-2011-1485) The system must be rebooted for this update to take effect. |
FEDORA_2011-5676.NASL | Fedora Local Security Checks | 53849 | Fedora 14 : polkit-0.98-5.fc14 (2011-5676) | 2011-05-10 | 2020-06-02 | 2020-06-01 | This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. | https://www.tenable.com/plugins/nessus/53849 | - Tue Apr 19 2011 David Zeuthen <davidz at redhat.com> - 0.98-5 - CVE-2011-1485 (#697951) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
DEBIAN_DSA-2319.NASL | Debian Local Security Checks | 56414 | Debian DSA-2319-1 : policykit-1 - race condition | 2011-10-10 | 2011-10-10 | 2020-03-17 | This script is Copyright (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof. | https://www.tenable.com/plugins/nessus/56414 | Neel Mehta discovered that a race condition in Policykit, a framework for managing administrative policies and privileges, allowed local users to elevate privileges by executing a setuid program from pkexec. The oldstable distribution (lenny) does not contain the policykit-1 package. |
ORACLELINUX_ELSA-2011-0455.NASL | Oracle Linux Local Security Checks | 68258 | Oracle Linux 6 : polkit (ELSA-2011-0455) | 2013-07-12 | 2020-06-02 | 2020-06-01 | This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. | https://www.tenable.com/plugins/nessus/68258 | From Red Hat Security Advisory 2011:0455 : Updated polkit packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. PolicyKit is a toolkit for defining and handling authorizations. A race condition flaw was found in the PolicyKit pkexec utility and polkitd daemon. A local user could use this flaw to appear as a privileged user to pkexec, allowing them to execute arbitrary commands as root by running those commands with pkexec. (CVE-2011-1485) Red Hat would like to thank Neel Mehta of Google for reporting this issue. All polkit users should upgrade to these updated packages, which contain backported patches to correct this issue. The system must be rebooted for this update to take effect. |
FEDORA_2011-5589.NASL | Fedora Local Security Checks | 53537 | Fedora 15 : polkit-0.101-5.fc15 (2011-5589) | 2011-04-23 | 2020-06-02 | 2020-06-01 | This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. | https://www.tenable.com/plugins/nessus/53537 | - Bug #692922 - CVE-2011-1485 polkitd/pkexec vulnerability Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
ORACLEVM_OVMSA-2019-0008.NASL | OracleVM Local Security Checks | 122573 | OracleVM 3.3 / 3.4 : polkit (OVMSA-2019-0008) | 2019-03-04 | 2020-06-02 | 2020-06-01 | This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. | https://www.tenable.com/plugins/nessus/122573 | The remote OracleVM system is missing necessary patches to address critical security updates : - Fix of CVE-2019-6133, PID reuse via slow fork - Resolves: rhbz#1667310 |
SUSE_11_3_LIBPOLKIT0-110427.NASL | SuSE Local Security Checks | 75605 | openSUSE Security Update : libpolkit0 (openSUSE-SU-2011:0412-1) | 2014-06-13 | 2020-06-02 | 2020-06-01 | This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. | https://www.tenable.com/plugins/nessus/75605 | A race condition exists in pkexec while trying to determine its caller which could lead to privilege escalation. CVE-2011-1485 has been assigned to this issue. |
GENTOO_GLSA-201204-06.NASL | Gentoo Local Security Checks | 59622 | GLSA-201204-06 : PolicyKit: Multiple vulnerabilities | 2012-06-21 | 2020-06-02 | 2020-06-01 | This script is Copyright (C) 2012-2018 Tenable Network Security, Inc. | https://www.tenable.com/plugins/nessus/59622 | The remote host is affected by the vulnerability described in GLSA-201204-06 (PolicyKit: Multiple vulnerabilities) Multiple vulnerabilities have been found in PolicyKit: Error messages in the pkexec utility disclose the existence of local files (CVE-2010-0750). The pkexec utility initially checks the effective user ID of its parent process for authorization, instead of checking the real user ID (CVE-2011-1485). Members of the |
SUSE_11_4_LIBPOLKIT0-110427.NASL | SuSE Local Security Checks | 75915 | openSUSE Security Update : libpolkit0 (openSUSE-SU-2011:0413-1) | 2014-06-13 | 2020-06-02 | 2020-06-01 | This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. | https://www.tenable.com/plugins/nessus/75915 | A race condition exists in pkexec while trying to determine its caller which could lead to privilege escalation. CVE-2011-1485 has been assigned to this issue. |
MANDRIVA_MDVSA-2011-086.NASL | Mandriva Local Security Checks | 53910 | Mandriva Linux Security Advisory : polkit (MDVSA-2011:086) | 2011-05-16 | 2020-06-02 | 2020-06-01 | This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. | https://www.tenable.com/plugins/nessus/53910 | A vulnerability has been found and corrected in polkit : A race condition flaw was found in the PolicyKit pkexec utility and polkitd daemon. A local user could use this flaw to appear as a privileged user to pkexec, allowing them to execute arbitrary commands as root by running those commands with pkexec (CVE-2011-1485). The updated packages have been patched to correct this issue. |
UBUNTU_USN-1117-1.NASL | Ubuntu Local Security Checks | 55075 | Ubuntu 9.10 / 10.04 LTS / 10.10 : policykit-1 vulnerability (USN-1117-1) | 2011-06-13 | 2020-06-02 | 2020-06-01 | Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. | https://www.tenable.com/plugins/nessus/55075 | Neel Mehta discovered that PolicyKit did not correctly verify the user making authorization requests. A local attacker could exploit this to trick pkexec into running applications with root privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
Packetstorm
id | title | published | last seen | reporter | source | data source |
---|---|---|---|---|---|---|
PACKETSTORM:105628 | pkexec Race Condition | 2011-10-09 | 2016-12-05 | xi4oyu | https://packetstormsecurity.com/files/105628/pkexec-Race-Condition.html | https://packetstormsecurity.com/files/download/105628/pkexec-race.txt |
PACKETSTORM:128742 | Linux PolicyKit Race Condition Privilege Escalation | 2014-10-18 | 2016-12-05 | xi4oyu | https://packetstormsecurity.com/files/128742/Linux-PolicyKit-Race-Condition-Privilege-Escalation.html | https://packetstormsecurity.com/files/download/128742/pkexec.rb.txt |
PACKETSTORM:105627 | Linux pkexec / polkitd 0.96 Race Condition | 2011-10-09 | 2016-12-05 | Ev1lut10n | https://packetstormsecurity.com/files/105627/Linux-pkexec-polkitd-0.96-Race-Condition.html | https://packetstormsecurity.com/files/download/105627/pkexec.sh.txt |
Redhat
Seebug
id | title | bulletinFamily | published | modified | last seen | reporter | source | description |
---|---|---|---|---|---|---|---|---|
SSV:87343 | Linux PolicyKit Race Condition Privilege Escalation | exploit | 2014-11-13 | 2014-11-13 | 2017-11-19 | Root | https://www.seebug.org/vuldb/ssvid-87343 | No description provided by source. |
SSV:72198 | pkexec Race Condition Privilege Escalation Exploit | exploit | 2014-07-01 | 2014-07-01 | 2017-11-19 | Root | https://www.seebug.org/vuldb/ssvid-72198 | No description provided by source. |
SSV:72190 | PolicyKit polkit-1 <= 0.101- linux local privilege escalation | exploit | 2014-07-01 | 2014-07-01 | 2017-11-19 | Root | https://www.seebug.org/vuldb/ssvid-72190 | No description provided by source. |
SSV:20971 | linux local privilege escalation on polkit-1 <= 0.101 | exploit | 2011-10-06 | 2011-10-06 | 2017-11-19 | Root | https://www.seebug.org/vuldb/ssvid-20971 | No description provided by source. |
References
- http://lists.fedoraproject.org/pipermail/package-announce/2011-April/058752.html
- http://lists.fedoraproject.org/pipermail/package-announce/2011-May/059859.html
- http://secunia.com/advisories/48817
- http://security.gentoo.org/glsa/glsa-201204-06.xml
- http://securityreason.com/securityalert/8424
- http://www.debian.org/security/2011/dsa-2319
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:086
- http://www.redhat.com/support/errata/RHSA-2011-0455.html
- http://www.ubuntu.com/usn/USN-1117-1
- https://bugzilla.redhat.com/show_bug.cgi?id=692922