Open ArrayBolt3 opened 1 month ago
@ArrayBolt3,
Thanks for sharing this very detailed description of the issue.
It's ironic; many years ago, Cubic did require a sudo password to launch the application.
You're suggesting to not use pkexec and run Cubic with elevated privileges (once the user correctly enters the sudo password)?
That may be one solution, though running a graphical application as sudo has problems of its own. I was suggesting perhaps having Cubic request the user's password at some early stage and save it in a variable, to be used in sudo or pkexec calls later. That way the user would have to input their password in order to use Cubic, but would need to enter it only once.
This vulnerability was reported privately a little over a month ago. I did not receive a response.
Describe the bug
Cubic installs a pkexec policy under `/usr/share/polkit-1/actions/cubic.policy` that allows many subcomponents of it to be run with root privileges without the user needing to provide a password. Among these components are `extract-root` (for unpacking an Ubuntu ISO's squashfs file while preserving file permissions), and `start-console`, which is used by Cubic to provide a true root shell within an unpacked ISO root directory. If the ISO unpacked by Cubic provides a user-writable directory (such as `/tmp`), a malicious user can place an executable into the user-writable directory from outside Cubic, and leverage Cubic's privileges to change the ownership of the executable to `root` and set the SUID bit. At this point the malicious user can execute the executable from outside Cubic and run arbitrary code on the host as root.

This vulnerability requires the presence of an ISO that Cubic can extract that provides a user-writable directory in its filesystem tree. If that ISO is present or able to be uploaded to the target machine, the vuln may be exploitable if the user can run the `extract-root` and `start-console` scripts, even with terminal-only access. It is definitely exploitable if the user has the ability to launch Cubic graphically. I have not attempted to exploit it with terminal-only access, but have succeeded exploiting it on my local system with graphical access.

To Reproduce
`main.c`:

```c
/* SUID payload from the report: once the binary is owned by root with the
 * SUID bit set, setuid(0) makes the real uid root as well, so sudo does not
 * prompt and "sudo bash" yields a root shell. */
#include <unistd.h>

int main(void) {
    const char *sudo = "/usr/bin/sudo";
    const char *bash = "/usr/bin/bash";
    char *args[3];
    args[0] = (char *)sudo;
    args[1] = (char *)bash;
    args[2] = NULL;      /* execv requires a NULL-terminated argv */
    setuid(0);
    execv(sudo, args);
    return 1;            /* only reached if execv fails */
}
```
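An added example, not Cubic's code and not part of the report above: a small audit script that parses a polkit `.policy` file, flags every action an active local session may invoke as root without authenticating (an implicit authorization of plain `yes`, which is what the report describes for `cubic.policy`), and writes a hardened copy that uses `auth_admin_keep`. That setting prompts for an admin password once and polkit remembers the authorization for a few minutes, which is the "enter it only once" behaviour discussed in the comments. The embedded policy text, its action ids and its exec paths are constructed to mirror the structure the report describes; they are hypothetical and are not quoted from the real `cubic.policy`.

```python
"""Audit polkit .policy files for actions runnable as root with no authentication.

Added example, not Cubic's code. SAMPLE_POLICY is constructed; its action ids
and exec paths are hypothetical and only mirror the structure the report
describes (a passwordless allow_active grant on a root-running helper script).
"""
import sys
import xml.etree.ElementTree as ET

EXEC_PATH_KEY = "org.freedesktop.policykit.exec.path"
DEFAULT_TAGS = ("allow_any", "allow_inactive", "allow_active")

# Constructed sample (hypothetical ids/paths), not the real cubic.policy.
SAMPLE_POLICY = """<policyconfig>
  <action id="example.cubic.start-console">
    <description>Open a root shell inside the extracted ISO root</description>
    <message>Authentication is required to run start-console</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/lib/example-cubic/start-console</annotate>
  </action>
  <action id="example.cubic.already-safe">
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/lib/example-cubic/already-safe</annotate>
  </action>
</policyconfig>
"""


def passwordless_actions(policy_xml):
    """Return (action_id, exec_path, tag) for every implicit authorization that
    is a bare "yes": the caller gets root without any polkit prompt at all."""
    root = ET.fromstring(policy_xml)
    findings = []
    for action in root.iter("action"):
        exec_path = None
        for ann in action.findall("annotate"):
            if ann.get("key") == EXEC_PATH_KEY:
                exec_path = (ann.text or "").strip()
        for tag in DEFAULT_TAGS:
            value = (action.findtext(f"defaults/{tag}") or "no").strip()
            if value == "yes":
                findings.append((action.get("id"), exec_path, tag))
    return findings


def harden(policy_xml, replacement="auth_admin_keep"):
    """Rewrite every bare "yes" default to `replacement`; return (new_xml, count).
    auth_admin_keep asks for an admin password once and polkit keeps the
    authorization for a few minutes, so the user is prompted only once."""
    root = ET.fromstring(policy_xml)
    changed = 0
    for action in root.iter("action"):
        for tag in DEFAULT_TAGS:
            el = action.find(f"defaults/{tag}")
            if el is not None and (el.text or "").strip() == "yes":
                el.text = replacement
                changed += 1
    return ET.tostring(root, encoding="unicode"), changed


def main(argv):
    # No arguments: audit the constructed sample. Otherwise audit real files,
    # e.g.  python3 audit_policy.py /usr/share/polkit-1/actions/*.policy
    sources = [("SAMPLE_POLICY", SAMPLE_POLICY)]
    if argv[1:]:
        sources = [(p, open(p, encoding="utf-8").read()) for p in argv[1:]]
    for name, xml_text in sources:
        for action_id, exec_path, tag in passwordless_actions(xml_text):
            print(f"{name}: {action_id} runs {exec_path} as root with {tag}=yes (no prompt)")
    if not argv[1:]:
        hardened, n = harden(SAMPLE_POLICY)
        print(f"hardened {n} grant(s); remaining passwordless: {passwordless_actions(hardened)}")


if __name__ == "__main__":
    main(sys.argv)
```

The script only catches the "no prompt at all" case. `auth_self` would still let any unprivileged user authorize with their own password, so it does not close the privilege escalation described above; `auth_admin` or `auth_admin_keep` limits the actions to users polkit treats as administrators. Either way pkexec still runs the helper as root with caller-supplied arguments, so how `extract-root` and `start-console` handle paths inside the extracted tree matters as well.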