Alert Logic has dismissed criticism of its research into the Linux bug it named grinch.
Last week, Alert Logic said that grinch exists in the new authorisation system that allows privilege escalation through Wheel, bypassing it by using the existing polkit authentication.
“Wheel users have access to all system commands including the ability to install any package or code,” Stephen Coty, chief security evangelist at Alert Logic said. “We can abuse the user’s group privileges to give us access, thus granting direct authentication bypass, even if the wheel user cannot get root like in Ubuntu ecosystems.”
However, a blog by Trend Micro dismissed the sale of the flaw as more a “common overly permissive configuration of many Linux systems”. It said: “The scope of this vulnerability is very limited. Grinch is not remotely exploitable; it requires that an attacker have physical access the server they want to attack. In addition, the attacker must already have access to an account in the wheels group (i.e., already have elevated privileges as local administrators), polkit must be installed, and the PackageKit package management system must be in use.
“The barriers to exploitation are significant; in a very real way to exploit this flaw you must already have very high levels of access, making exploiting this ‘vulnerability’ unnecessary.”
Also critical were Red Hat, who said that the research “incorrectly classifies expected behaviour as a security issue”.
It said: “The PackageKit console client is a utility which allows users in the Wheel group, also known as local administrators, to install packages. This utility allows local administrators to install packages without a password if they are a ‘local user’, meaning they are using the physical keyboard attached to the computer. If you are a user who does not have a physical console (such as a remote users connected via SSH), you must supply authentication credentials to install packages.
“Red Hat does not consider this to be a security issue or even a bug. This is the expected behaviour of the PackageKit console client.”
In an email to IT Security Guru, Coty admitted that the attack vector only works in certain Linux implementations, and affects more the non-tech savvy users that would implement Linux as an alternative to windows due to the efficiencies that Linux provides.
Asked if the “dismissal” was justified, he said: “Just because the architecture was built to perform this function, does not necessarily mean that it is secure or cannot lead to comprise. Intended behaviour does not always mean the feature cannot be abused or modified in the future to eliminate potential misuse.
“The way that Polkit is designed can lead to unexpected results or compromise. The issue is that there is a way to open up the surface area to attacks. If installing packages worked like every other operation, such as removing packages or adding repositories, and always asked for a password, then this wouldn’t have the abuse potential we’ve identified.”
Coty also said that Trend Micro’s claims that an attacker has to have physical access to the server that they want to attack was incorrect, as it it requires access to the command line on the box to perform these functions which c
an be achieved through a number of ways. “A User is compromised via client-side exploit such as browser, flash, mail client, etc,” he said.
Penetration tester and security researcher Robin Wood, said that he was not completely familiar with the flaw, but it did seem like expected behaviour rather than a bug, but it was also expected as far as the developers are concerned.
“I can see some abuses for it, but it is nothing worth losing sleep over at the moment,” he said. “Maybe in the future [it may be a concern] if someone can think of a good way to leverage it on mass scale.”
