PwnKit: Local Privilege Escalation bug affects major Linux distros

A flaw in Polkit’s pkexec component, tracked as CVE-2021-4034 (PwnKit) can be exploited to gain full root privileges on major Linux distros.

An attacker can exploit a vulnerability in Polkit’s pkexec component, tracked as CVE-2021-4034, that affects all major Linux distributions to gain full root privileges on the system. The good news is that this issue is not remotely exploitable, but if an attacker can log in as any unprivileged user, it can allow to gain root privileges.

The flaw, dubbed PwnKit, was introduced more than 12 years ago (May 2009) since the initial commit of pkexec, this means that all the versions are affected.

Polkit (formerly PolicyKit) is a component used to controll system-wide privileges in Unix-like OS. It allows non-privileged processes to communicate with privileged processes. polkit also allow to execute commands with elevated privileges using the command pkexec followed by the command intended to be executed (with root permission).

Researchers from Qualys Research Team have discovered a memory corruption vulnerability in SUID-root program polkit.

“The Qualys Research Team has discovered a memory corruption vulnerability in polkit’s pkexec, a SUID-root program that is installed by default on every major Linux distribution.” reads the post published by Qualys.”Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers have been able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu, Debian, Fedora, and CentOS. Other Linux distributions are likely vulnerable and probably exploitable.”

“This vulnerability is an attacker’s dream come true” explained Qualys:

• pkexec is installed by default on all major Linux distributions (we exploited Ubuntu, Debian, Fedora, CentOS, and other distributions are probably also exploitable);
• pkexec is vulnerable since its creation, in May 2009 (commit c8c3d83, “Add a pkexec(1) command”);
• any unprivileged local user can exploit this vulnerability to obtain full root privileges;
• although this vulnerability is technically a memory corruption, it is exploitable instantly, reliably, in an architecture-independent way;
• and it is exploitable even if the polkit daemon itself is not running.

Experts pointed out that it is very easy to exploit the flaw, while Qualys doesn’t plan to release a PoC for this issue other experts are already working on releasing it.

Bleeping Computer reported that a working exploit was publicly released less than three hours after Qualys published the technical details for PwnKit. BleepingComputer has compiled and tested the available exploit, which proved to be reliable as it gave us root privileges on the system on all attempts.

Below is the vulnerability disclosure timeline:

• 2021-11-18: Advisory sent to secalert@redhat.
• 2022-01-11: Advisory and patch sent to distros@openwall.
• 2022-01-25: Coordinated Release Date (5:00 PM UTC).

Qualys provided instructions to its customers on how to detect PwnKit in their environment.

If no patches are available for your operating system, experts recommend to remove the SUID-bit from pkexec as a temporary mitigation; for example:

# chmod 0755 /usr/bin/pkexec

Administrators should apply the patches that Polkit’s authors has already released on their GitLab.

Major Linux distros are expected to release updated pkexec packages as soon as possible, some of them have already done it at the time of this writing.

In order to check for evidence of exploitation, users have to inspect the logs searching for either “The value for the SHELL variable was not found the /etc/shells file” or “The value for environment variable […] contains suspicious content.” entries in the logs.Yes, this exploitation technique leaves traces in the logs (either “The value for the SHELL variable was not found the /etc/shells file” or “The value for environment variable […] contains suspicious content”). However, please note that this vulnerability is also exploitable without leaving any traces in the logs.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, PwnKit)

[adrotate banner=”5″]

[adrotate banner=”13″]