View Issue Details

ID: 0009350
Project: Kali Linux
Category: Kali Package Bug
View Status: public
Last Update: 2025-10-11 21:42
Reporter: Abodavidjr
Assigned To:
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: new
Resolution: open
Summary: 0009350: Critical Authentication Bypass in Kali Linux PolicyKit - Unauthorized Root File Access
Description

Critical Authentication Bypass in Kali Linux PolicyKit

System Information

  • OS: Kali GNU/Linux Rolling 2025.3
  • Kernel: 6.16.8+kali-amd64
  • Architecture: x86_64
  • Discovery Date: October 11, 2025

Vulnerability Summary

A critical security bypass vulnerability exists in Kali Linux's PolicyKit authentication mechanism that allows unprivileged users to access sensitive system files without proper authentication by repeatedly pressing the Cancel button in authentication dialogs.

Steps to Reproduce

  1. Open File Manager as regular user
  2. Navigate to any protected system file (e.g., /etc/passwd)
  3. When authentication dialog appears, press Cancel 2-3 times
  4. System grants full read access without authentication
  5. Subsequent file accesses require no password prompts

Proof of Compromise - Files Successfully Accessed

Network Configuration:

  • /etc/hosts - System DNS controls
  • /etc/hosts.allow - IP allow list
  • /etc/hosts.deny - IP deny list
  • /etc/network/interfaces - Network settings
  • /etc/resolv.conf - DNS resolver config

System Security Files:

  • /etc/passwd - User account information
  • /etc/group - Group membership data
  • /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf - SSH configuration

System Configuration:

  • /etc/hostname - System hostname
  • /etc/apt/sources.list - Software repositories
  • /etc/apt/apt.conf.d/50command-not-found - APT configuration

Kernel and Log Files:

  • /boot/config-6.16.8+kali-amd64 - Kernel configuration
  • /proc/version - Kernel version info
  • /var/log/dpkg.log - Package installation history
  • /var/log/alternatives.log - System changes log

Impact Assessment

Risk Level: CRITICAL

  • Information Disclosure: Unauthorized access to system configuration
  • Network Mapping: Exposure of network security settings
  • Privilege Escalation Preparation: Gathering system intelligence
  • Persistent Access: No re-authentication required after initial bypass

Technical Details

  • Vulnerability Type: Authentication Bypass
  • Attack Vector: Local access + user interaction (Cancel button)
  • Reproducibility: 100% reproducible
  • Persistence: Access remains after initial bypass

Additional Notes

  • Bug affects multiple applications (File Manager, Chromium, etc.)
  • /etc/shadow remains protected (cannot be accessed via this method)
  • Vulnerability persists across file manager sessions

Recommended Actions

  1. Immediate Policy Kit patch deployment
  2. Security audit of authentication mechanisms
  3. User awareness about temporary workarounds
Attached Files
buge-kali3.JPG (34,454 bytes)
bug-kali1.JPG (70,039 bytes)
bug-kali2..JPG (25,162 bytes)

Activities

kali-bugreport

2025-10-11 21:42

reporter   ~0020882

Maybe you are not aware, but all of the mentioned files are read-only for any user on most/every Linux system, independent of Kali. They just don't contain any sensitive information.

The only mentioned sensitive file is the following:

/etc/shadow remains protected (cannot be accessed via this method)

which is not accessible and which proves that there is no auth bypass involved at all.
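
An added example, not part of the original report or thread: a way to check the point made in the note above from Unix mode bits alone, by testing whether "other" users may read a file and traverse its parent directories. It assumes GNU coreutils (`stat -c`, `readlink -f`); the function names and the optional `TOP` argument are hypothetical, and POSIX ACLs are not inspected.

```shell
#!/bin/sh
# Added triage example; not code from the report or the Kali project.
# Uses only the Unix mode bits, so a "world-readable" verdict means the
# read is allowed to every local user and no polkit decision is involved.
# Assumes GNU coreutils (stat -c, readlink -f). ACLs are not inspected.

# Print the last octal mode digit: the permissions for "other" users.
other_bits() {
    mode=$(stat -L -c %a -- "$1" 2>/dev/null) || return 2
    printf '%s\n' "${mode#"${mode%?}"}"
}

# world_readable PATH [TOP]
# 0: "other" may read PATH and traverse each parent directory up to TOP
# 1: a required bit is missing   2: PATH cannot be resolved or stat'ed
# TOP (hypothetical parameter, default /) is where the upward walk stops.
world_readable() {
    target=$(readlink -f -- "$1") || return 2
    top=$(readlink -f -- "${2:-/}") || return 2
    bits=$(other_bits "$target") || return 2
    [ $((bits & 4)) -ne 0 ] || return 1        # r bit on the file
    dir=$(dirname -- "$target")
    while :; do
        bits=$(other_bits "$dir") || return 2
        [ $((bits & 1)) -ne 0 ] || return 1    # x bit to traverse
        case $dir in "$top"|/) break ;; esac
        dir=$(dirname -- "$dir")
    done
    return 0
}

# Print one verdict per path.
triage() {
    for f in "$@"; do
        rc=0; world_readable "$f" || rc=$?
        case $rc in
            0) echo "world-readable, no authentication involved: $f" ;;
            1) echo "not readable by other users: $f" ;;
            *) echo "cannot stat: $f" ;;
        esac
    done
}

# Three of the paths named in the report.
triage /etc/passwd /etc/hosts /etc/shadow
```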

Issue History

Date Modified Username Field Change
2025-10-11 11:09 Abodavidjr New Issue
2025-10-11 11:09 Abodavidjr File Added: buge-kali3.JPG
2025-10-11 11:09 Abodavidjr File Added: bug-kali1.JPG
2025-10-11 11:09 Abodavidjr File Added: bug-kali2..JPG
2025-10-11 21:42 kali-bugreport Note Added: 0020882