A new bug in Linux has been detected which bypasses the “Wheel” group of advanced permissions.
According to detection by Alert Logic, the bug is seasonally called “grinch” and impacts all Linux platforms, including mobile devices. Stephen Coty, chief security evangelist at Alert Logic, said that grinch exists in the new authorisation system that allows privilege escalation through Wheel; a user group that is used on Linux systems to control access to su (superuser) commands.
“The flaw does not allow permissions to Wheel, it bypasses it by using the existing polkit authentication,” he said. “Wheel users have access to all system commands including the ability to install any package or code.”
When a Linux system is built, the default user is assigned to the Wheel group that allows for administrative task execution within the system. However, by abusing group privileges, the user’s password (or root when Sudo is not utilised) is no longer needed, so if an attacker were to compromise the user through a client-side vulnerability or any privilege escalation on the box itself, they would no longer need to worry about cached Sudo authorisation timestamp tokens, or trying to trick users into providing their credentials.
“Instead, we can abuse the user’s group privileges to give us access, thus granting direct authentication bypass, even if the wheel user cannot get root like in Ubuntu ecosystems,” Coty said.
He said that the flaw will mostly affect home users who run on an account with Wheel, which includes most people, as they need Sudo.
He said that if a user were to be compromised through a client-side vulnerability or any privilege escalation on the box itself, there would be no to problem with cached Sudo authorisation timestamp tokens or trying to trick users into providing their credentials with bashrc, environment modifications, or other means. “Instead, we can abuse the user’s group privileges to give us access, thus granting direct authentication bypass, even if the wheel user cannot get root like in Ubuntu ecosystems.,” he said.
In an email to IT Security Guru, Coty said that most privileged system operations are already controlled by Polkit, which can be used by privileged processes to decide if it should execute privileged operations on behalf of the requesting user.
“Polkit can be used by privileged processes to decide if it should execute privileged operations on behalf of the requesting user,” he said. “Polkit is used for controlling system-wide privileges. It provides an organised way for non-privileged processes to communicate with privileged ones. In contrast to systems such as sudo, it does not grant root permission to an entire process, but rather allows a finer level of control of centralised system policy.”
Asked what the impact of this flaw will be on the wider internet, Coty said that this bug will affect all default installations of Linux, including most people, as they need Sudo to execute any system. “Fixing the issue is as simple as managing PolKit authorisation rules or properly managing group privileges for users,” he said.
At worst, Coty said that a malicious user could remote install packages on a server that could allow from everything from Botnet control to a remote access Trojan installation.
