Privilege escalation with polkit: How to get root on Linux with a seven-year-old bug (GitHub blog)
On the GitHub blog, Kevin Backhouse writes about a privilege escalation vulnerability in polkit, which "enables an unprivileged local user to get a root shell on the system". CVE-2021-3560 "is triggered by starting a dbus-send command but killing it while polkit is still in the middle of processing the request. [...] Why does killing the dbus-send command cause an authentication bypass? The vulnerability is in step four of the sequence of events listed above. What happens if polkit asks dbus-daemon for the UID of connection :1.96, but connection :1.96 no longer exists? dbus-daemon handles that situation correctly and returns an error. But it turns out that polkit does not handle that error correctly. In fact, polkit mishandles the error in a particularly unfortunate way: rather than rejecting the request, it treats the request as though it came from a process with UID 0. In other words, it immediately authorizes the request because it thinks the request has come from a root process."
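The failure mode Backhouse describes is a classic fail-open on an identity lookup: the daemon asks the bus who is behind a connection name, the lookup fails because the caller has already gone away, and the error is not checked, so a default value of 0 is mistaken for a genuine root UID. The following C model, added here as an illustration and not taken from polkit's or the blog post's code, puts the fail-open pattern beside the fail-closed one. The bus table, the connection names, the `get_connection_unix_user` helper and both `authorize_*` functions are constructed for this example; in the real daemon a non-root caller would continue to the interactive authentication path, which is collapsed into `DENIED` here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

/* Constructed model of the flow described in the post: an authorization
 * daemon asks the bus for the UID behind a connection name, then decides.
 * Illustrative code only, not polkit's source. */

/* Constructed table of bus connections (hypothetical names and UIDs). */
struct bus_conn { const char *name; uid_t uid; bool alive; };
static struct bus_conn bus_table[] = {
    { ":1.95", 0,    true  },  /* a root-owned connection */
    { ":1.96", 1000, false },  /* unprivileged caller that exited mid-request */
    { ":1.97", 1000, true  },  /* unprivileged caller still connected */
};

/* Model of dbus-daemon's GetConnectionUnixUser: returns 0 on success and
 * fills *uid; returns -1 when the connection no longer exists. This is the
 * part the post says dbus-daemon gets right: it reports an error. */
static int get_connection_unix_user(const char *name, uid_t *uid)
{
    for (size_t i = 0; i < sizeof bus_table / sizeof bus_table[0]; i++) {
        if (strcmp(bus_table[i].name, name) == 0 && bus_table[i].alive) {
            *uid = bus_table[i].uid;
            return 0;
        }
    }
    return -1;
}

enum decision { DENIED = 0, AUTHORIZED = 1 };

/* Fail-open pattern: the lookup's error is ignored, the zero-initialized
 * uid is taken at face value, and a vanished caller looks like UID 0
 * (the behaviour the post describes). */
enum decision authorize_vulnerable(const char *name)
{
    uid_t uid = 0;
    (void)get_connection_unix_user(name, &uid); /* return value discarded */
    return uid == 0 ? AUTHORIZED : DENIED;
}

/* Fail-closed pattern: an identity lookup that fails is itself a reason to
 * reject; only a successful lookup that yields UID 0 is authorized. */
enum decision authorize_hardened(const char *name)
{
    uid_t uid;
    if (get_connection_unix_user(name, &uid) != 0)
        return DENIED; /* caller identity unknown: never assume root */
    return uid == 0 ? AUTHORIZED : DENIED;
}
```

The design point is that an unknown principal must never map onto a privileged default: when the credential query fails, the hardened version denies rather than guessing, and the "root" answer is only ever produced by a lookup that actually succeeded.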