Agent Authentication Question

Miloslav Trmač mitr at redhat.com
Wed Jun 3 12:40:27 PDT 2015


Hello,
Apologies for the late response, I was on PTO.

> On Fri, May 29, 2015, at 02:00 PM, Tavis Ormandy wrote:
> > Hello, I've been browsing the reference code and have a question about
> > how the session cookies are maintained. It looks like the cookie
> > generator can wrap and two identical cookies could exist
> > simultaneously in the active sessions list.
<snip>
> = The duplicate cookie scenario =
> 
> So what happens if the current cookie wraps, and we end up with
> multiple, where we have one AuthenticationSession for Alice,
> and one AuthenticationSession for Mallory?
> 
> I think here if Mallory happens to be first in the hash table
> order, this could cause Alice's AuthenticationResponses to
> fail.
> 
> This would then be a local, authenticated denial of service
> against other users.

Isn’t this a privilege escalation actually?

Mallory creates auth_admin* sessions for all possible cookie values, and waits for Alice to (or social-engineers Alice to) create a new auth_admin session for an unrelated purpose and to authenticate as the admin. Then, depending on the hash order in get_authentication_session_for_cookie, Alice’s authentication may in fact apply to one of Mallory’s sessions. Sure, one effect would be that Alice’s polkit authentication session is not authenticated and her authorization request fails, but the more important effect is that Mallory’s authorization request succeeds as properly authenticated by $admin.
    Mirek
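
The duplicate-cookie condition discussed in this message, as an added example that is not part of the original post and is not polkit's code: a wrapping counter reissues a live cookie, a lookup by cookie alone resolves to whichever session comes first, and two checks (owner-bound lookup, duplicate refusal at creation) remove the ambiguity. The 8-bit counter, the table, the uids and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
/* Constructed model, not polkit code: an 8-bit counter stands in for a
 * cookie generator that can wrap; uids and table size are made up. */
#define MAX_SESSIONS 512
struct session { uint8_t cookie; unsigned uid; int in_use; };
static struct session table[MAX_SESSIONS];
static uint8_t next_cookie;

/* Weak: hands out the next counter value even if a live session holds it. */
struct session *create_session_weak(unsigned uid) {
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (!table[i].in_use) {
            table[i] = (struct session){ next_cookie++, uid, 1 };
            return &table[i];
        }
    return NULL;
}

/* Weak: first match by cookie alone, so table order picks the winner. */
struct session *lookup_weak(uint8_t cookie) {
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (table[i].in_use && table[i].cookie == cookie)
            return &table[i];
    return NULL;
}

/* Hardened lookup: the responder's uid must match the session owner. */
struct session *lookup_bound(uint8_t cookie, unsigned uid) {
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (table[i].in_use && table[i].cookie == cookie && table[i].uid == uid)
            return &table[i];
    return NULL;
}

/* Hardened create: skip cookies held by live sessions; fail closed if none. */
struct session *create_session_checked(unsigned uid) {
    for (int tries = 0; tries < 256; tries++, next_cookie++)
        if (lookup_weak(next_cookie) == NULL)
            return create_session_weak(uid);
    return NULL;
}

int main(void) {
    for (int i = 0; i < 256; i++) create_session_weak(1001); /* cookies 0..255 */
    struct session *a = create_session_weak(1000);           /* wrapped: cookie 0 */
    printf("cookie %u: by cookie alone -> uid %u; cookie+uid -> uid %u\n",
           (unsigned)a->cookie, lookup_weak(a->cookie)->uid,
           lookup_bound(a->cookie, 1000)->uid);
    return 0;
}
```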


More information about the polkit-devel mailing list