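#!/bin/bash
# 27-01-2022
# Enrico Pasqualotto epasqualotto AT backloop.biz
#
# Check whether the installed polkit / policykit-1 package predates the build
# that fixes the setuid pkexec local privilege escalation of January 2022
# (the script names no CVE id; from the date and package it is presumably
# CVE-2021-4034 "PwnKit" -- confirm before quoting that in a report), and
# optionally upgrade the package in place.
#
# Usage:  ./script.sh           check only
#         ./script.sh --fix     check, then upgrade the package (needs root)
#         ./script.sh --help
#
# Exit status (explicit in this revision; the original fell off the end with 0
# whether or not the host was vulnerable, which made it useless for fleet runs):
#   0  not vulnerable, or successfully fixed with --fix
#   1  unsupported system, no fix known for this release, not root, or the
#      upgrade did not produce a fixed build
#   2  vulnerable and left unfixed (run without --fix)
#   3  cannot tell: the RPM build is not in the known-vulnerable table
#
# Data caveat: every fixed/vulnerable version string below is copied verbatim
# from the original script, not re-derived here. Verify them against the
# distribution security advisories (USN / DSA / RHSA) before trusting a
# "not vulnerable" verdict.

OS_DETECTED=0
fix=0
declare -A fixedVer
readonly PKEXEC=/usr/bin/pkexec

#######################################
# Compare two dotted version strings numerically, field by field.
# Not used by the rest of this script (dpkg --compare-versions and an exact
# match table are used instead); kept so anyone sourcing this file for it
# keeps working.
# Arguments: $1, $2 - version strings such as 1.2.10
# Returns:   0 if equal, 1 if $1 > $2, 2 if $1 < $2
#######################################
vercomp() {
  if [[ "$1" == "$2" ]]; then
    return 0
  fi
  local IFS=.
  # Word-splitting on "." is intentional here.
  # shellcheck disable=SC2206
  local i ver1=($1) ver2=($2)
  # Pad the shorter version with zeros so 1.2 compares equal to 1.2.0.
  for ((i = ${#ver1[@]}; i < ${#ver2[@]}; i++)); do
    ver1[i]=0
  done
  for ((i = 0; i < ${#ver1[@]}; i++)); do
    if [[ -z "${ver2[i]}" ]]; then
      ver2[i]=0
    fi
    # 10# forces decimal so a field such as 08 is not parsed as octal.
    if ((10#${ver1[i]} > 10#${ver2[i]})); then
      return 1
    fi
    if ((10#${ver1[i]} < 10#${ver2[i]})); then
      return 2
    fi
  done
  return 0
}

#######################################
# Print NAME-VERSION-RELEASE for every installed rpm matching the given
# package names, one per line. A multi-arch install (x86_64 + i686) yields one
# line per arch -- the original joined them with spaces, so such a host never
# matched the vulnerable table and was reported as safe. An absent package or
# a missing rpm binary yields no output.
# Arguments: package names
#######################################
getRedHatPkgVer() {
  local package_names=("$@")
  rpm -qa --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\n' "${package_names[@]}" 2>/dev/null
}

#######################################
# Print the installed version of a Debian package.
# A package that is only "removed, config files remain" (dpkg state rc) is
# treated as not installed; the original `dpkg -l | grep policykit` counted
# those, and also any other package with "policykit" in its name.
# Arguments: $1 - package name
# Returns:   0 with the version on stdout when installed, 1 otherwise
#######################################
getDebianPkgVer() {
  local status
  status=$(dpkg-query -W -f='${Status}' -- "$1" 2>/dev/null) || return 1
  [[ "$status" == *" installed" ]] || return 1
  dpkg-query -W -f='${Version}\n' -- "$1" 2>/dev/null
}

#######################################
# Print one field of /etc/os-release (NAME, VERSION_ID, ...) with the quotes
# already stripped, by sourcing the file in a subshell so its variables do not
# leak into this script. Prints nothing if the file or the field is absent.
# Arguments: $1 - field name
#######################################
osRelease() {
  (
    # shellcheck disable=SC1091
    . /etc/os-release 2>/dev/null || exit 0
    declare -p "$1" >/dev/null 2>&1 && printf '%s\n' "${!1}"
  )
}

#######################################
# Compare an installed Debian package version against the fixed one using
# dpkg's own ordering (epochs, "~", "+deb9u2" suffixes), which a string or
# dotted-number compare would get wrong.
# Arguments: $1 - fixed version, $2 - installed version
# Globals:   sets res (same|lower|greater) and vuln (0|1)
#######################################
debCompare() {
  local fixed=$1 installed=$2
  if [[ "$installed" == "$fixed" ]]; then
    res=same
    vuln=0
  elif dpkg --compare-versions "$installed" lt "$fixed"; then
    res=lower
    vuln=1
  else
    res=greater
    vuln=0
  fi
}

#######################################
# Say whether the setuid bit has already been dropped from pkexec, the
# stop-gap this script suggests when no package fix is available. Purely
# informational: a non-setuid pkexec blocks the escalation, but the vulnerable
# package is still installed and a package reinstall can put the bit back.
#######################################
reportPkexecMode() {
  if [[ ! -e "$PKEXEC" ]]; then
    echo "Note: $PKEXEC not found; pkexec may be installed elsewhere or be absent"
  elif [[ -u "$PKEXEC" ]]; then
    echo "Note: $PKEXEC is setuid. Until the package is upgraded you can mitigate with: chmod 0755 $PKEXEC"
  else
    echo "Note: $PKEXEC is not setuid (mitigation in place) but the vulnerable package is still installed"
  fi
}

#######################################
# Abort unless running as root; the package upgrade needs it.
#######################################
requireRoot() {
  if [[ "$(id -u)" != "0" ]]; then
    echo "Auto-fix option need root privildge. Please run with sudo or as root"
    exit 1
  fi
}

#######################################
# Return 0 if $1 exactly equals one of the remaining arguments.
#######################################
inList() {
  local needle=$1 item
  shift
  for item in "$@"; do
    [[ "$item" == "$needle" ]] && return 0
  done
  return 1
}

case "${1-}" in
  --help)
    echo "Use --fix to patch your system"
    exit 0
    ;;
  --fix)
    fix=1
    echo "Run with auto-fix enabled!"
    sleep 2
    ;;
  "") ;;
  *)
    # The original silently ran a check-only pass on any unknown word.
    echo "Unknown option: $1 (use --fix or --help)" >&2
    exit 1
    ;;
esac

# OS CHECK
if [[ "$OSTYPE" != "linux-gnu"* ]]; then
  echo "O.S. $OSTYPE Not supported!"
  exit 1
fi

# Distribution detection. Order matters: Ubuntu also carries
# /etc/debian_version and CentOS also carries /etc/redhat-release, so the more
# specific test comes first (same order as the original).
DISTRIB="" VER="" VERNAME="" PARENT_DISTRIB=""
if [[ -f /etc/os-release && ! -f /etc/centos-release-upstream && "$(osRelease NAME)" == "Ubuntu" ]]; then
  OS_DETECTED=1
  DISTRIB=Ubuntu
  VERNAME=$(osRelease VERSION_CODENAME)
  VER=$(osRelease VERSION_ID)
elif [[ -f /etc/debian_version ]]; then
  OS_DETECTED=1
  DISTRIB=Debian
  VER=$(< /etc/debian_version)
  # The original defaulted a missing VERSION_CODENAME to "stretch", which
  # checked any unrecognised Debian derivative against stretch's fix version.
  # An unknown codename now reaches "No patch available" instead.
  VERNAME=$(osRelease VERSION_CODENAME)
elif [[ -f /etc/redhat-release ]]; then
  OS_DETECTED=1
  PARENT_DISTRIB=RedHat
  DISTRIB=$(osRelease NAME)
  VERNAME=$(osRelease PRETTY_NAME)
  VER=$(osRelease VERSION_ID)
elif [[ -f /etc/centos-release-upstream ]]; then
  OS_DETECTED=1
  PARENT_DISTRIB=Centos
  DISTRIB=$(osRelease NAME)
  VERNAME=$(osRelease PRETTY_NAME)
  VER=$(osRelease VERSION_ID)
fi

if (( OS_DETECTED == 0 )); then
  echo "O.S. not supported!"
  exit 1
fi
echo "Detected O.S. : $DISTRIB $VER $VERNAME"

if [[ "$DISTRIB" == "Ubuntu" || "$DISTRIB" == "Debian" ]]; then
  if [[ "$DISTRIB" == "Ubuntu" ]]; then
    # Keyed by VERSION_ID with the dot removed (20.04 -> 2004).
    fixedVer["1404"]="0.105-4ubuntu3.14.04.6"
    fixedVer["1604"]="0.105-14.1ubuntu0.5"
    fixedVer["1804"]="0.105-20ubuntu0.18.04.6"
    fixedVer["2004"]="0.105-26ubuntu1.2"
    fixedVer["2110"]="0.105-31ubuntu0.1"
    key=${VER/./}
  else
    # Keyed by codename. "bullseye" was misspelled "bulleye" in the original,
    # so Debian 11 hosts always got "No patch available" instead of a verdict.
    fixedVer["stretch"]="0.105-18+deb9u2"
    fixedVer["buster"]="0.105-25+deb10u1"
    fixedVer["bullseye"]="0.105-31+deb11u1"
    fixedVer["sid"]="0.105-31.1"
    key=$VERNAME
  fi

  if ! curver=$(getDebianPkgVer policykit-1) || [[ -z "$curver" ]]; then
    echo "No package found on your system. You are not vulnerable!"
    exit 0
  fi

  fixed=""
  if [[ -n "$key" ]]; then
    fixed=${fixedVer[$key]-}
  fi
  if [[ -z "$fixed" ]]; then
    echo "No patch available for your distribution/version"
    echo "Try mitigate with command: chmod 0755 $PKEXEC"
    exit 1
  fi

  debCompare "$fixed" "$curver"
  echo "My version ($curver) is $res than version ($fixed) with the patch"
  if (( vuln == 0 )); then
    echo "System not vulnerable"
    exit 0
  fi

  echo "System vulnerable!"
  reportPkexecMode
  if (( fix == 0 )); then
    exit 2
  fi
  requireRoot
  apt-get update
  apt-get -y install policykit-1
  newver=$(getDebianPkgVer policykit-1)
  if [[ -z "$newver" || "$newver" == "$curver" ]]; then
    echo "Attempt to install new version of pkg failed!"
    exit 1
  fi
  echo "Upgrade done"
  # Re-check rather than assume: the original printed "no more vulnerable"
  # whenever the version string changed, even when its own comparison had just
  # found the new build still below the fixed one.
  debCompare "$fixed" "$newver"
  echo "My version ($newver) is $res than version ($fixed) with the patch"
  if (( vuln == 0 )); then
    echo "System no more vulnerable!"
    exit 0
  fi
  echo "Installed version is still below the fixed one; system still vulnerable!"
  exit 1

elif [[ "$PARENT_DISTRIB" == "Centos" || "$PARENT_DISTRIB" == "RedHat" ]]; then
  # Exact NAME-VERSION-RELEASE strings of builds known to be vulnerable.
  # This is a list of bad builds, not a fixed-version threshold, so a build
  # that is NOT listed (a newer EL build, Fedora, CentOS Stream, EL9 -- all of
  # which have /etc/redhat-release) proves nothing. The original reported every
  # unlisted build as "not vulnerable"; it is now reported as undetermined.
  # Once the CVE id is confirmed, `rpm -q --changelog polkit | grep <id>` is a
  # stronger check on RPM systems than a version table.
  vulnerable_versions=(
    'polkit-0.112-5.ael7b'
    'polkit-0.112-13.p1.el7a'
    'polkit-0.96-2.el6'
    'polkit-0.96-2.el6_0.1'
    'polkit-0.96-5.el6_4'
    'polkit-0.96-7.el6'
    'polkit-0.96-7.el6_6.1'
    'polkit-0.96-11.el6'
    'polkit-0.96-11.el6_10.1'
    'polkit-0.112-1.el7'
    'polkit-0.112-5.el7'
    'polkit-0.112-6.el7_2'
    'polkit-0.112-7.el7_2.2'
    'polkit-0.112-7.el7_2.3'
    'polkit-0.112-7.el7_2'
    'polkit-0.112-9.el7'
    'polkit-0.112-11.el7_3'
    'polkit-0.112-12.el7_3'
    'polkit-0.112-12.el7_4.1'
    'polkit-0.112-14.el7'
    'polkit-0.112-14.el7_5.1'
    'polkit-0.112-17.el7'
    'polkit-0.112-18.el7'
    'polkit-0.112-18.el7_6.1'
    'polkit-0.112-18.el7_6.2'
    'polkit-0.112-22.el7'
    'polkit-0.112-22.el7_7.1'
    'polkit-0.112-26.el7'
    'polkit-0.115-6.el8'
    'polkit-0.115-9.el8'
    'polkit-0.115-9.el8_1.1'
    'polkit-0.115-11.el8'
    'polkit-0.115-11.el8_2.1'
    'polkit-0.115-11.el8_3.2'
    'polkit-0.115-11.el8_4.1'
    'polkit-0.115-12.el8'
  )

  if ! command -v rpm >/dev/null 2>&1; then
    echo "rpm not found; cannot determine the installed polkit build"
    exit 3
  fi
  # One entry per installed arch (bash 4.0+ mapfile; EL6 ships bash 4.1).
  mapfile -t installed_builds < <(getRedHatPkgVer polkit)
  if (( ${#installed_builds[@]} == 0 )); then
    echo "No package found on your system. You are not vulnerable!"
    exit 0
  fi

  vuln=0
  for cur in "${installed_builds[@]}"; do
    echo "Your polkit version is: $cur"
    if inList "$cur" "${vulnerable_versions[@]}"; then
      vuln=1
    fi
  done

  if (( vuln == 0 )); then
    echo "Installed polkit build is not in the known-vulnerable list."
    echo "That usually means a fixed build, but this table cannot prove it; confirm against your vendor advisory."
    exit 3
  fi

  echo "System vulnerable!"
  reportPkexecMode
  if (( fix == 0 )); then
    exit 2
  fi
  requireRoot
  yum install -y polkit
  mapfile -t new_builds < <(getRedHatPkgVer polkit)
  if (( ${#new_builds[@]} == 0 )) || [[ "${new_builds[*]}" == "${installed_builds[*]}" ]]; then
    echo "Attempt to install new version of pkg failed!"
    exit 1
  fi
  echo "Upgrade done"
  # Re-check against the table instead of equating "version changed" with
  # "fixed" as the original did; a stale mirror can still serve a listed build.
  for cur in "${new_builds[@]}"; do
    echo "Your polkit version is: $cur"
    if inList "$cur" "${vulnerable_versions[@]}"; then
      echo "Installed build is still in the known-vulnerable list; system still vulnerable!"
      exit 1
    fi
  done
  echo "System no more vulnerable!"
  exit 0

else
  echo "Fix and check not available for your distribution!"
  echo "Try mitigate with command: chmod 0755 $PKEXEC"
  echo "Detected: $DISTRIB ($PARENT_DISTRIB)"
  exit 1
fi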