CVE-2018-19788

Published: 03/12/2018 Updated: 05/02/2019
CVSS v2 Base Score: 9 | Impact Score: 10 | Exploitability Score: 8
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 873
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Vulnerability Summary

A flaw was found in PolicyKit (aka polkit) 0.115 that allows a user with a uid greater than INT_MAX to successfully execute any systemctl command.

Affected Products

Vendor | Product | Versions
Polkit Project | Polkit | 0.115
Canonical | Ubuntu Linux | 12.04, 14.04, 16.04, 18.04, 18.10
Debian | Debian Linux | 8.0, 9.0

Vendor Advisories

PolicyKit could allow unintended access ...
It was discovered that incorrect processing of very high UIDs in Policykit, a framework for managing administrative policies and privileges, could result in authentication bypass. For the stable distribution (stretch), this problem has been fixed in version 0.105-18+deb9u1. We recommend that you upgrade your policykit-1 packages. For the detailed s ...
A flaw was found in PolicyKit (aka polkit) 0.115 that allows a user with a uid greater than INT_MAX to successfully execute any systemctl command ...
Arch Linux Security Advisory ASA-201901-2 | Severity: High | Date: 2019-01-08 | CVE-ID: CVE-2018-19788 | Package: polkit | Type: privilege escalation | Remote: No | Link: security.archlinux.org/AVG-828 | Summary: The package polkit before version 0.115+24+g5230646-1 is vulnerable to privi ...
A security issue has been found in polkit <= 0.115, where an unprivileged user with a UID > INT_MAX can successfully execute any systemctl command ...
Oracle Solaris Third Party Bulletin - January 2019. Description: The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities fixed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Criti ...
AT&T has released version 1801-v for the Vyatta 5600. Details of this release can be found at cloud.ibm.com/docs/infrastructure/virtual-router-appliance?topic=virtual-router-appliance-at-t-vyatta-5600-vrouter-software-patches#at-t-vyatta-5600-vrouter-software-patches ...

Mailing Lists

Debian Security Advisory DSA-4350-1 | security@debian.org | www.debian.org/security/ | Moritz Muehlenhoff | December 06, 2018 | www.debian.org/security/faq ...

Github Repositories

CVE-2018-19788: Silly easy exploit for CVE-2018-19788. To use this, you must either create a user with UID > INT_MAX in Policy Kit or already have a low-priv user with said UID. UID can be specified in user creation as follows, and used before execution of the script:
$ useradd -u 4000000001 PrivEsc
$ passwd PrivEsc
$ su PrivEsc
$ chmod +x /tmp/CVE-2018-19788_PrivEsc.sh
$

Proof of Concept for the CVE-2018-19788: Ansible role to check the vulnerability tracked as CVE-2018-19788 that impacts PolicyKit version 0.115, which comes pre-installed on a wide range of Linux distributions such as Ubuntu, Red Hat, CentOS, to mention a few. Requirements: Minimum required ansible version 2.4.0. Role Variables: # The user name to be provisioned to execute the explo

CVE-2018-19788: Exploiting The CVE-2018-19788 PolicyKit Bug. Steps to exploit PolicyKit bug on a fully patched CentOS7 installation:
[root@centos7 ~]# groupadd -g 4000000000 cve201819788
[root@centos7 ~]# useradd -m -c "User With High UID" -u 4000000000 -g 4000000000 -s /bin/bash cve201819788
[root@centos7 ~]# id cve201819788
uid=4000000000(cve201819788) gid=4000000000(

Leveraging CVE-2018-19788 to dump protected files without root shell: CVE-2018-19788 is an issue where any user with a UID over INT_MAX (i.e. 4000000000) can run any systemctl command on a systemd Linux box, such as Ubuntu. (There is already a writeup to gain a root shell found: here.) The main difference between this writeup and the full root shell writeup is that this will be ru

OverTheWire Advent Bonanza 2018 Writeup: Enclosed is my writeup for the 2018 OTW Advent CTF (advent2018.overthewire.org). The challenges were tough, but a lot of fun. It seemed like the organizers created each challenge so that it had at least two pieces that needed to be solved before getting the flag. I liked this approach, although sometimes it was frustrating when I

Security Research: A collection of files related to my personal security research. Additional content will be posted on my blog, blog.mirch.io. Exploits: CVE-2019-6724 - Barracuda VPN Client Privilege Escalation on Linux and macOS. PoC: CVE-2019-6724. Detailed write-up: CVE-2019-6724: Barracuda VPN Client Privilege Escalation on Linux and macOS. Barracuda VPN Client Rele

CVE-MyLife: CVE in My Life! A little adventure in the world! List CVE: CVE-2016-2098: Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method. CVE-2016-3345: The SMBv1 server in Microsoft Windows Vista SP2, Windows

Awesome CVE PoC: A curated list of CVE PoCs. Here is a collection about Proof of Concepts of Common Vulnerabilities and Exposures, and you may also want to check out awesome-web-security. Please read the contribution guidelines before contributing. This repo is full of PoCs for CVEs. If you enjoy this awesome list and would like to support it, check out my Patreon page :