PackageKit
cpe:2.3:a:packagekit_project:packagekit:*:*:*:*:*:*:*
- >= 1.0.2, <= 1.3.4
A time-of-check time-of-use (TOCTOU) race condition vulnerability has been identified in PackageKit, a D-Bus abstraction layer for package management, affecting versions 1.0.2 through 1.3.4. This vulnerability allows unprivileged users to install RPM packages as root, including executing RPM scriptlets, without authentication. The issue arises from an unconditional overwrite of transaction flags, which corrupts the transaction state and bypasses authorization checks. As a result, an unprivileged user can exploit this vulnerability to gain root access on the system.
Exploitation of this vulnerability leads to unauthorized installation of packages as root, allowing for local privilege escalation. The installed packages can include malicious scripts that execute with root privileges.
The vulnerability can be reproduced with the 'pkcon install' command: the package installs without a password being requested. This behavior indicates that the PackageKit daemon is active and potentially exploitable. Once the vulnerability has been exploited, the PackageKit daemon crashes, and the crash leaves a trace in the system logs that serves as an indicator of compromise.
Users should update to PackageKit version 1.3.5 or later. Instructions for updating PackageKit can be found in the official documentation for the respective Linux distribution.
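An added example, not part of the original advisory or of PackageKit itself: a POSIX shell check of whether a package version string falls in the affected range given above (>= 1.0.2, <= 1.3.4). The function names and the sample version strings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not PackageKit code): is a version string inside the advisory's
# affected range, >= 1.0.2 and <= 1.3.4? All function names are hypothetical.

# Strip a packaging epoch ("1:") and any release or suffix ("-2ubuntu1", "+git", "~rc1").
upstream_version() {
    v=${1#*:}
    printf '%s\n' "${v%%[-+~]*}"
}

# Print -1, 0 or 1 for a < b, a = b, a > b, comparing dotted fields as numbers
# (so 1.10.0 sorts after 1.3.4, which a plain string comparison gets wrong).
ver_cmp() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}          # a missing field counts as 0
        [ "$x" -lt "$y" ] && { printf '%s\n' -1; return; }
        [ "$x" -gt "$y" ] && { printf '%s\n' 1; return; }
    done
    printf '%s\n' 0
}

# Exit 0 if affected, 1 if outside the range, 2 if the version cannot be parsed.
pk_affected() {
    u=$(upstream_version "$1")
    case $u in ''|*[!0-9.]*) return 2 ;; esac
    [ "$(ver_cmp "$u" 1.0.2)" -ge 0 ] && [ "$(ver_cmp "$u" 1.3.4)" -le 0 ]
}

# Constructed sample versions (not taken from the advisory), used when no argument is given.
[ $# -gt 0 ] || set -- 1.0.1 1.0.2 1.2.8-2ubuntu1 1:1.3.4-1.fc43 1.3.5 1.10.0
for pkgver in "$@"; do
    rc=0; pk_affected "$pkgver" || rc=$?
    case $rc in
        0) echo "$pkgver: in affected range 1.0.2 to 1.3.4, update to 1.3.5 or later" ;;
        1) echo "$pkgver: outside the affected range" ;;
        *) echo "$pkgver: could not parse version" ;;
    esac
done
```

Pass the installed package version as an argument. Distribution packages can carry a backported fix under an older version number, so confirm a match against the distribution's own advisory.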