An attacker can exploit a vulnerability in Polkit’s pkexec component, tracked as CVE-2021-4034, that affects all major Linux distributions to gain full root privileges on the system. The good news is that this issue is not remotely exploitable, but if an attacker can log in as any unprivileged user, it can allow to gain root privileges.
The flaw, dubbed PwnKit, was introduced more than 12 years ago (May 2009) since the initial commit of pkexec, this means that all the versions are affected.
Polkit (formerly PolicyKit) is a component used to controll system-wide privileges in Unix-like OS. It allows non-privileged processes to communicate with privileged processes. polkit also allow to execute commands with elevated privileges using the command pkexec followed by the command intended to be executed (with root permission).
Researchers from Qualys Research Team have discovered a memory corruption vulnerability in SUID-root program polkit.
“The Qualys Research Team has discovered a memory corruption vulnerability in polkit’s pkexec, a SUID-root program that is installed by default on every major Linux distribution.” reads the post published by Qualys.”Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers have been able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu, Debian, Fedora, and CentOS. Other Linux distributions are likely vulnerable and probably exploitable.”
“This vulnerability is an attacker’s dream come true” explained Qualys:
Experts pointed out that it is very easy to exploit the flaw, while Qualys doesn’t plan to release a PoC for this issue other experts are already working on releasing it.
Bleeping Computer reported that a working exploit was publicly released less than three hours after Qualys published the technical details for PwnKit. BleepingComputer has compiled and tested the available exploit, which proved to be reliable as it gave us root privileges on the system on all attempts.
Below is the vulnerability disclosure timeline:
Qualys provided instructions to its customers on how to detect PwnKit in their environment.
If no patches are available for your operating system, experts recommend to remove the SUID-bit from pkexec as a temporary mitigation; for example:
# chmod 0755 /usr/bin/pkexec
Administrators should apply the patches that Polkit’s authors has already released on their GitLab.
Major Linux distros are expected to release updated pkexec packages as soon as possible, some of them have already done it at the time of this writing.
In order to check for evidence of exploitation, users have to inspect the logs searching for either “The value for the SHELL variable was not found the /etc/shells file” or “The value for environment variable […] contains suspicious content.” entries in the logs.Yes, this exploitation technique leaves traces in the logs (either “The value for the SHELL variable was not found the /etc/shells file” or “The value for environment variable […] contains suspicious content”). However, please note that this vulnerability is also exploitable without leaving any traces in the logs.
Follow me on Twitter: @securityaffairs and Facebook
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, PwnKit)
[adrotate banner=”5″]
[adrotate banner=”13″]
China-linked threat actors are preparing cyber attacks against U.S. critical infrastructure warned FBI Director Christopher…
The United Nations Development Programme (UNDP) has initiated an investigation into an alleged ransomware attack…
BlackBerry reported that the financially motivated group FIN7 targeted the IT department of a large…
An international law enforcement operation led to the disruption of the prominent phishing-as-a-service platform LabHost.…
Russia-linked APT Sandworm employed a previously undocumented backdoor called Kapeka in attacks against Eastern Europe since…
Cisco has addressed a high-severity vulnerability in its Integrated Management Controller (IMC) for which publicly…
This website uses cookies.