PwnKit: Local Privilege Escalation bug affects major Linux distros

A flaw in Polkit’s pkexec component, tracked as CVE-2021-4034 (PwnKit) can be exploited to gain full root privileges on major Linux distros.

An attacker can exploit a vulnerability in Polkit’s pkexec component, tracked as CVE-2021-4034, that affects all major Linux distributions to gain full root privileges on the system. The good news is that this issue is not remotely exploitable, but if an attacker can log in as any unprivileged user, it can allow to gain root privileges.

The flaw, dubbed PwnKit, was introduced more than 12 years ago (May 2009) since the initial commit of pkexec, this means that all the versions are affected.

Polkit (formerly PolicyKit) is a component used to controll system-wide privileges in Unix-like OS. It allows non-privileged processes to communicate with privileged processes. polkit also allow to execute commands with elevated privileges using the command pkexec followed by the command intended to be executed (with root permission).

Researchers from Qualys Research Team have discovered a memory corruption vulnerability in SUID-root program polkit.

“The Qualys Research Team has discovered a memory corruption vulnerability in polkit’s pkexec, a SUID-root program that is installed by default on every major Linux distribution.” reads the post published by Qualys.”Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers have been able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu, Debian, Fedora, and CentOS. Other Linux distributions are likely vulnerable and probably exploitable.”

“This vulnerability is an attacker’s dream come true” explained Qualys:

pkexec is installed by default on all major Linux distributions (we exploited Ubuntu, Debian, Fedora, CentOS, and other distributions are probably also exploitable);
pkexec is vulnerable since its creation, in May 2009 (commit c8c3d83, “Add a pkexec(1) command”);
any unprivileged local user can exploit this vulnerability to obtain full root privileges;
although this vulnerability is technically a memory corruption, it is exploitable instantly, reliably, in an architecture-independent way;
and it is exploitable even if the polkit daemon itself is not running.

Experts pointed out that it is very easy to exploit the flaw, while Qualys doesn’t plan to release a PoC for this issue other experts are already working on releasing it.

Bleeping Computer reported that a working exploit was publicly released less than three hours after Qualys published the technical details for PwnKit. BleepingComputer has compiled and tested the available exploit, which proved to be reliable as it gave us root privileges on the system on all attempts.

Below is the vulnerability disclosure timeline:

2021-11-18: Advisory sent to secalert@redhat.
2022-01-11: Advisory and patch sent to distros@openwall.
2022-01-25: Coordinated Release Date (5:00 PM UTC).

Qualys provided instructions to its customers on how to detect PwnKit in their environment.

If no patches are available for your operating system, experts recommend to remove the SUID-bit from pkexec as a temporary mitigation; for example:

# chmod 0755 /usr/bin/pkexec

Administrators should apply the patches that Polkit’s authors has already released on their GitLab.

Major Linux distros are expected to release updated pkexec packages as soon as possible, some of them have already done it at the time of this writing.

In order to check for evidence of exploitation, users have to inspect the logs searching for either “The value for the SHELL variable was not found the /etc/shells file” or “The value for environment variable […] contains suspicious content.” entries in the logs.Yes, this exploitation technique leaves traces in the logs (either “The value for the SHELL variable was not found the /etc/shells file” or “The value for environment variable […] contains suspicious content”). However, please note that this vulnerability is also exploitable without leaving any traces in the logs.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, PwnKit)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.