Re: Security Problem with "PackageKit-command-not-found" package

2022-08-25 Thread Michael Catanzaro
On Thu, Aug 25 2022 at 11:20:46 AM -, Sandipan Roy wrote:
> By this vulnerability any wheel user can install any packages without
> root access or sudo.


Hi, this is actually by design and not a vulnerability. The wheel user 
is definitionally an administrator user, and can escalate from wheel to 
root without abusing any vulnerability. It might be more intuitive if 
you consider that wheel users have unrestricted access to sudo. So 
yeah, you can use PackageKit to install sqliteODBC or Sympa and abuse 
them to elevate privileges... or you could just run sudo and not 
bother, right?


The JavaScript rule in question here actually has nothing to do with 
authorization, only with *authentication*. It disables the password 
prompt that forces the human sitting at the computer to authenticate. 
This means a local attacker with physical access to the computer -- 
e.g. a secret agent from the FBI or KGB or Mossad -- can install 
packages on your computer if you leave your desktop unlocked and walk 
away, or if they attack you with a hammer. But this has no effect on 
authorization. Notably, if the password prompt were required, it would 
be asking you for the password *to your wheel account*. Fedora's root 
account is locked by default anyway, with no root password and no way 
to authenticate as root.


Since most Fedora users are not too worried about secret agents, the 
extra password prompt is annoying rather than useful. It's totally 
reasonable to skip authentication for users who *already* authenticated 
when logging into the desktop, right? Users who don't have wheel still 
have to authenticate as a user who does, or they won't be able to 
install anything.


That said, there is a bug here, just not where you thought. Look at 
this comment:


   

If that were true, then unprivileged users really could install 
vulnerable packages like sqliteODBC or Sympa and thereby elevate 
privileges. Fortunately, the comment is totally wrong as it doesn't 
match the actual security policy. Looking at the history of this file, 
it looks like this comment was correct when it was written on August 
21, 2007, but the policy was changed to be more restrictive later the 
same day. Here is a pull request to fix it:


https://github.com/PackageKit/PackageKit/pull/568

Michael

___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: Security Problem with "PackageKit-command-not-found" package

2022-08-25 Thread Vitaly Zaitsev via devel

On 25/08/2022 13:20, Sandipan Roy wrote:

> I'm Sandipan Roy [FAS: ByteHackr], I wanted to share a serious system wide
> problem with PackageKit-command-not-found [1] package.


Not a bug, but a feature. Members of the wheel group, also known as 
"admin users", can install any packages using PackageKit without 
entering their password.


--
Sincerely,
  Vitaly Zaitsev (vit...@easycoding.org)


Re: Security Problem with "PackageKit-command-not-found" package

2022-08-25 Thread Sandipan Roy
Some CVEs have appeared because of this issue.
Details + Analysis found at:
https://sysdream.com/abusing-packagekit-fedora-centos-for/


Re: Security Problem with "PackageKit-command-not-found" package

2022-08-25 Thread Sandipan Roy
Wheel user rule for packagekit

$ sudo cat /usr/share/polkit-1/rules.d/org.freedesktop.packagekit.rules
[sudo] password for sandipan: 
polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.packagekit.package-install" ||
         action.id == "org.freedesktop.packagekit.package-remove") &&
        subject.active == true && subject.local == true &&
        subject.isInGroup("wheel")) {
        return polkit.Result.YES;
    }
});
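
The rule quoted above, run through a small stand-in for polkit's rule chain (an added example, not part of the thread and not PackageKit or polkit code). The `makePolkit` harness, the `promptOverride` rule and the `auth_admin` default are assumptions for illustration; polkit reads rule files in lexical order of file name and the first rule that returns a value decides, so a local override only takes effect if its file sorts before the shipped one.

```javascript
// Added example: a minimal model of polkit's rule chain, not polkitd itself.
// Rule functions run in registration order; the first non-null return value
// decides, otherwise the action's default from its .policy file applies.
const INSTALL = "org.freedesktop.packagekit.package-install";
const REMOVE = "org.freedesktop.packagekit.package-remove";
const DEFAULT = "auth_admin"; // assumed stand-in for the .policy default

function makePolkit() {
  const rules = [];
  return {
    Result: { YES: "yes", AUTH_ADMIN_KEEP: "auth_admin_keep" },
    addRule(fn) { rules.push(fn); },
    evaluate(actionId, subject) {
      for (const rule of rules) {
        const result = rule({ id: actionId }, subject);
        if (result !== undefined && result !== null) return result;
      }
      return DEFAULT;
    },
  };
}

// The rule quoted in the thread, with the same conditions.
function shippedRule(polkit) {
  polkit.addRule(function (action, subject) {
    if ((action.id == INSTALL || action.id == REMOVE) &&
        subject.active == true && subject.local == true &&
        subject.isInGroup("wheel")) {
      return polkit.Result.YES;
    }
  });
}

// Hypothetical local override: wheel must re-authenticate for the same actions.
function promptOverride(polkit) {
  polkit.addRule(function (action, subject) {
    if ((action.id == INSTALL || action.id == REMOVE) &&
        subject.isInGroup("wheel")) {
      return polkit.Result.AUTH_ADMIN_KEEP;
    }
  });
}

// Constructed subject: group list plus the session flags the rule inspects.
function subject(groups, active, local) {
  return { active, local, isInGroup: (g) => groups.includes(g) };
}

// Load rule files in the given order and return the decision for one request.
function decide(loaders, subj, actionId = INSTALL) {
  const polkit = makePolkit();
  loaders.forEach((load) => load(polkit));
  return polkit.evaluate(actionId, subj);
}
```

With only the shipped rule loaded, a wheel member in an active local session gets `yes`, while a non-wheel user or a wheel member in a non-local or inactive session falls through to the default.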


Security Problem with "PackageKit-command-not-found" package

2022-08-25 Thread Sandipan Roy
Hello World,

I'm Sandipan Roy [FAS: ByteHackr], I wanted to share a serious system-wide 
problem with the PackageKit-command-not-found [1] package. 
Can you guys give some feedback on whether I can submit a system-wide change 
proposal to remove this, because it's a poor system design?
By this vulnerability any wheel user can install any packages without root 
access or sudo.

Reproducer: 

Open up any bash terminal. Type in the name of a package that isn't installed 
already (e.g. nemo, irssi). I can reproduce this in F36-KDE.
On Workstation it is not reproducible.

Analysis:

$ rpm -qf /etc/profile.d/PackageKit.sh
PackageKit-command-not-found-1.2.5-1.fc36.x86_64

$ rpm -ql PackageKit-command-not-found-1.2.5-1.fc36.x86_64
/etc/PackageKit/CommandNotFound.conf
/etc/profile.d/PackageKit.sh
/usr/lib/.build-id
/usr/lib/.build-id/86
/usr/lib/.build-id/86/7d08bc388e2cd2dbb8523e0a4662e19045bf4d
/usr/libexec/pk-command-not-found

$ which command_not_found_handle
command_not_found_handle ()
{ 
    local runcnf=1;
    local retval=127;
    [[ $- == *"i"* ]] || runcnf=0;
    [[ ! -S /run/dbus/system_bus_socket ]] && runcnf=0;
    [[ ! -x '/usr/libexec/packagekitd' ]] && runcnf=0;
    [[ -n ${COMP_CWORD-} ]] && runcnf=0;
    [[ ! -x '/usr/libexec/pk-command-not-found' ]] && runcnf=0;
    if [ $runcnf -eq 1 ]; then
        '/usr/libexec/pk-command-not-found' "$@";
        retval=$?;
    else
        if [[ -n "${BASH_VERSION-}" ]]; then
            printf 'bash: %s%s\n' "${1:+$1: }" "$(gettext PackageKit 'command not found')" 1>&2;
        fi;
    fi;
    return $retval
}

[1] https://fedoraproject.org/wiki/Features/PackageKitCommandNotFound#PackageKit_Command_Not_Found


Thanks,
Sandipan Roy
Associate Product Security Engineer