ID CVE-2011-1485
Summary Race condition in the pkexec utility and polkitd daemon in PolicyKit (aka polkit) 0.96 allows local users to gain privileges by executing a setuid program from pkexec, related to the use of the effective user ID instead of the real user ID.
References
Vulnerable Configurations
  • cpe:2.3:a:redhat:policykit:0.96
CVSS
Base: 6.9 (as of 01-06-2011 - 10:40)
CWE CWE-362
CAPEC
  • Leveraging Race Conditions
    This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the accesses take place. The attacker can leverage a race condition by "running the race": modifying the resource and thereby altering the normal execution flow. For instance, a race condition can occur while accessing a file: the attacker can trick the system by replacing the original file with his own version and cause the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition occurring between the time of check (of a resource's state) and the time of use of that resource. The typical example is file access. The attacker can leverage a file access race condition by "running the race", meaning that he modifies the resource between the first time the target program accesses the file and the time the target program uses it. During that window, the attacker could, for example, replace the file and cause an escalation of privilege.
Access
  • Vector: LOCAL
  • Complexity: MEDIUM
  • Authentication: NONE
Impact
  • Confidentiality: COMPLETE
  • Integrity: COMPLETE
  • Availability: COMPLETE
exploit-db via4
  • description pkexec - Race Condition Privilege Escalation Exploit. CVE-2011-1485. Local exploit for linux platform
    id EDB-ID:17942
    last seen 2016-02-02
    modified 2011-10-08
    published 2011-10-08
    reporter xi4oyu
    source https://www.exploit-db.com/download/17942/
    title pkexec - Race Condition Privilege Escalation Exploit
  • description PolicyKit Pwnage: linux local privilege escalation on polkit-1. CVE-2011-1485. Local exploit for linux platform
    id EDB-ID:17932
    last seen 2016-02-02
    modified 2011-10-05
    published 2011-10-05
    reporter zx2c4
    source https://www.exploit-db.com/download/17932/
    title PolicyKit polkit-1 <= 0.101 - Linux Local Privilege Escalation
  • description Linux PolicyKit Race Condition Privilege Escalation. CVE-2011-1485. Local exploit for linux platform
    id EDB-ID:35021
    last seen 2016-02-04
    modified 2014-10-20
    published 2014-10-20
    reporter metasploit
    source https://www.exploit-db.com/download/35021/
    title Linux PolicyKit - Race Condition Privilege Escalation
metasploit via4
description A race condition flaw was found in the PolicyKit pkexec utility and polkitd daemon. A local user could use this flaw to appear as a privileged user to pkexec, allowing them to execute arbitrary commands as root by running those commands with pkexec. Those vulnerable include RHEL6 prior to polkit-0.96-2.el6_0.1 and Ubuntu libpolkit-backend-1 prior to 0.96-2ubuntu1.1 (10.10), 0.96-2ubuntu0.1 (10.04 LTS) and 0.94-1ubuntu1.1 (9.10).
id MSF:EXPLOIT/LINUX/LOCAL/PKEXEC
last seen 2018-12-13
modified 2018-10-10
published 2014-10-03
reliability Great
reporter Rapid7
source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/pkexec.rb
title Linux PolicyKit Race Condition Privilege Escalation
nessus via4
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2011-0455.NASL
    description Updated polkit packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. PolicyKit is a toolkit for defining and handling authorizations. A race condition flaw was found in the PolicyKit pkexec utility and polkitd daemon. A local user could use this flaw to appear as a privileged user to pkexec, allowing them to execute arbitrary commands as root by running those commands with pkexec. (CVE-2011-1485) Red Hat would like to thank Neel Mehta of Google for reporting this issue. All polkit users should upgrade to these updated packages, which contain backported patches to correct this issue. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-26
    plugin id 53500
    published 2011-04-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=53500
    title RHEL 6 : polkit (RHSA-2011:0455)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2011-5589.NASL
    description - Bug #692922 - CVE-2011-1485 polkitd/pkexec vulnerability. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 53537
    published 2011-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=53537
    title Fedora 15 : polkit-0.101-5.fc15 (2011-5589)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2011-0455.NASL
    description From Red Hat Security Advisory 2011:0455 : Updated polkit packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. PolicyKit is a toolkit for defining and handling authorizations. A race condition flaw was found in the PolicyKit pkexec utility and polkitd daemon. A local user could use this flaw to appear as a privileged user to pkexec, allowing them to execute arbitrary commands as root by running those commands with pkexec. (CVE-2011-1485) Red Hat would like to thank Neel Mehta of Google for reporting this issue. All polkit users should upgrade to these updated packages, which contain backported patches to correct this issue. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-08-13
    plugin id 68258
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68258
    title Oracle Linux 6 : polkit (ELSA-2011-0455)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2011-109-01.NASL
    description New polkit packages are available for Slackware 13.1 and -current to fix a security issue.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 54903
    published 2011-05-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=54903
    title Slackware 13.1 / current : polkit (SSA:2011-109-01)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2319.NASL
    description Neel Mehta discovered that a race condition in Policykit, a framework for managing administrative policies and privileges, allowed local users to elevate privileges by executing a setuid program from pkexec. The oldstable distribution (lenny) does not contain the policykit-1 package.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 56414
    published 2011-10-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=56414
    title Debian DSA-2319-1 : policykit-1 - race condition
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201204-06.NASL
    description The remote host is affected by the vulnerability described in GLSA-201204-06 (PolicyKit: Multiple vulnerabilities). Multiple vulnerabilities have been found in PolicyKit: Error messages in the pkexec utility disclose the existence of local files (CVE-2010-0750). The pkexec utility initially checks the effective user ID of its parent process for authorization, instead of checking the real user ID (CVE-2011-1485). Members of the 'wheel' group are able to execute commands as an administrator without a password (CVE-2011-4945). Impact: A local attacker could gain elevated privileges or sensitive information. Workaround: There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 59622
    published 2012-06-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59622
    title GLSA-201204-06 : PolicyKit: Multiple vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_4_LIBPOLKIT0-110427.NASL
    description A race condition exists in pkexec while trying to determine its caller which could lead to privilege escalation. CVE-2011-1485 has been assigned to this issue.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 75915
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75915
    title openSUSE Security Update : libpolkit0 (openSUSE-SU-2011:0413-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1117-1.NASL
    description Neel Mehta discovered that PolicyKit did not correctly verify the user making authorization requests. A local attacker could exploit this to trick pkexec into running applications with root privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 55075
    published 2011-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=55075
    title Ubuntu 9.10 / 10.04 LTS / 10.10 : policykit-1 vulnerability (USN-1117-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_3_LIBPOLKIT0-110427.NASL
    description A race condition exists in pkexec while trying to determine its caller which could lead to privilege escalation. CVE-2011-1485 has been assigned to this issue.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 75605
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75605
    title openSUSE Security Update : libpolkit0 (openSUSE-SU-2011:0412-1)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20110419_POLKIT_ON_SL6_X.NASL
    description A race condition flaw was found in the PolicyKit pkexec utility and polkitd daemon. A local user could use this flaw to appear as a privileged user to pkexec, allowing them to execute arbitrary commands as root by running those commands with pkexec. (CVE-2011-1485) The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 61021
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=61021
    title Scientific Linux Security Update : polkit on SL6.x i386/x86_64
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2011-5676.NASL
    description - Tue Apr 19 2011 David Zeuthen - 0.98-5 - CVE-2011-1485 (#697951). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 53849
    published 2011-05-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=53849
    title Fedora 14 : polkit-0.98-5.fc14 (2011-5676)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2011-086.NASL
    description A vulnerability has been found and corrected in polkit : A race condition flaw was found in the PolicyKit pkexec utility and polkitd daemon. A local user could use this flaw to appear as a privileged user to pkexec, allowing them to execute arbitrary commands as root by running those commands with pkexec (CVE-2011-1485). The updated packages have been patched to correct this issue.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 53910
    published 2011-05-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=53910
    title Mandriva Linux Security Advisory : polkit (MDVSA-2011:086)
packetstorm via4
redhat via4
advisories
bugzilla
id 692922
title CVE-2011-1485 polkitd/pkexec vulnerability
oval
AND
  • OR
    • comment Red Hat Enterprise Linux 6 Client is installed
      oval oval:com.redhat.rhba:tst:20111656001
    • comment Red Hat Enterprise Linux 6 Server is installed
      oval oval:com.redhat.rhba:tst:20111656002
    • comment Red Hat Enterprise Linux 6 Workstation is installed
      oval oval:com.redhat.rhba:tst:20111656003
    • comment Red Hat Enterprise Linux 6 ComputeNode is installed
      oval oval:com.redhat.rhba:tst:20111656004
  • OR
    • AND
      • comment polkit is earlier than 0:0.96-2.el6_0.1
        oval oval:com.redhat.rhsa:tst:20110455005
      • comment polkit is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20110455006
    • AND
      • comment polkit-desktop-policy is earlier than 0:0.96-2.el6_0.1
        oval oval:com.redhat.rhsa:tst:20110455011
      • comment polkit-desktop-policy is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20110455012
    • AND
      • comment polkit-devel is earlier than 0:0.96-2.el6_0.1
        oval oval:com.redhat.rhsa:tst:20110455007
      • comment polkit-devel is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20110455008
    • AND
      • comment polkit-docs is earlier than 0:0.96-2.el6_0.1
        oval oval:com.redhat.rhsa:tst:20110455009
      • comment polkit-docs is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20110455010
rhsa
id RHSA-2011:0455
released 2011-04-19
severity Important
title RHSA-2011:0455: polkit security update (Important)
rpms
  • polkit-0:0.96-2.el6_0.1
  • polkit-desktop-policy-0:0.96-2.el6_0.1
  • polkit-devel-0:0.96-2.el6_0.1
  • polkit-docs-0:0.96-2.el6_0.1
refmap via4
confirm https://bugzilla.redhat.com/show_bug.cgi?id=692922
debian DSA-2319
fedora
  • FEDORA-2011-5589
  • FEDORA-2011-5676
gentoo GLSA-201204-06
mandriva MDVSA-2011:086
secunia 48817
sreason 8424
ubuntu USN-1117-1
Last major update 18-12-2012 - 23:39
Published 31-05-2011 - 16:55