Pardus Linux Vulnerability Allows Root Access

A significant security vulnerability affecting Pardus Linux has emerged, enabling local users to obtain root privileges without any authentication.

Details of the Vulnerability

This vulnerability, which has been assigned a CVSS v3.1 score of 9.3, affects the pardus-update package. This package is integral to the system updates of the Debian-based distribution managed by TÜBİTAK.

Pardus Linux is extensively used in Turkish government institutions, educational settings, and enterprise environments, highlighting the critical nature of this flaw in shared and multi-user systems.

Components Leading to the Flaw

Researcher Çağrı Eser, known as 0xc4gr1, discovered that the vulnerability arises from a combination of three distinct weaknesses rather than a single bug. These include a misconfiguration in PolicyKit (Polkit), a carriage return-line feed (CRLF) injection flaw, and a vulnerability involving untrusted file paths.

The initial issue is rooted in Polkit’s policy settings, where critical update actions were mistakenly configured to allow any user to execute privileged operations without authentication. This allows passwordless root execution of backend scripts via pkexec.

Exploitation and Impact

The second flaw is in the SystemSettingsWrite.py script, which writes user-controlled input to configuration files. Although newline characters are filtered, carriage return characters are not, permitting attackers to inject arbitrary entries into configuration files.

The final issue involves AutoAptUpgrade.py, which indiscriminately processes manipulated configurations, copying attacker-supplied APT source files without validation. This can lead to the introduction of a malicious repository and the execution of rogue packages as root.

An attacker can exploit these vulnerabilities by creating a malicious APT repository with a .deb package that sets the SUID bit on /bin/bash, granting instant root access.

Mitigation Strategies

To address this security issue, administrators are urged to implement several key fixes. First, Polkit policies should be updated to require administrator authentication. Second, SystemSettingsWrite.py should be adjusted to sanitize all inputs, removing carriage returns and newlines. Third, AutoAptUpgrade.py should be restricted to trusted directories, preventing the use of world-writable locations.

According to a report by nullsecurityx, this vulnerability chain exemplifies how minor misconfigurations can escalate into severe security breaches. Organizations using Pardus Linux should apply these fixes promptly to avert potential exploitation.

Stay updated on security news by following us on Google News, LinkedIn, and X.