Application Security , Incident & Breach Response , Next-Generation Technologies & Secure Development

Flaw in Polkit's pkexec Puts Linux Users at Risk

Pwnkit Vulnerability Allows Unprivileged Users Full Root Privileges
Flaw in Polkit's pkexec Puts Linux Users at Risk

A memory corruption vulnerability has been uncovered in Polkit’s pkexec, a SUID-root program that is installed by default on every major Linux distribution.

See Also: Splunk Named a 10-Time Leader in Gartner® Magic Quadrant™ for SIEM

The vulnerability, dubbed Pwnkit and tracked as CVE-2021-4034, can be exploited in its default configuration to allow any unprivileged user to gain full root privileges on a vulnerable host, according to a report by the Qualys research team.

The researchers recommend users apply patches for this vulnerability immediately. Bharat Jogi, director of vulnerability and threat research at Qualys, tells Information Security Media Group, "If no patches are available for your operating system, you can remove the SUID-bit from pkexec as a temporary mitigation; for example: # chmod 0755 /usr/bin/pkexec."

Polkit, formerly known as PolicyKit, is a component for controlling systemwide privileges in Unix-like operating systems. It provides an organized way for nonprivileged processes to communicate with privileged processes.

Using Polkit enables a user to execute commands with elevated privileges using the command pkexec followed by the command intended to be executed - with root permission.

Backbone of Critical Software

A part of Polkit, pkexec is a piece of software distributed as the backbone of critical software that runs phones, servers that power the internet, the cloud, enterprises, the Linux kernel and its operating system.

Travis Biehn, principal security consultant at Synopsys Software Integrity Group, says pkexec is packaged as distributions that typically combine the mission control, kernel, userland, the stuff that makes the computer do useful things, and a package manager that updates and installs the versions into a package "that provides end-user delight."

"Android is a constellation of distributions that usually runs on phones, Ubuntu, on some desktops and servers, etc. Operating systems are supposed to provide users with privileges, and the vulnerability in pkexec gets you from a little to a lot. The vulnerability itself is interesting in that a single weakness in pkexec is combined with systemic weaknesses that are themselves a result of decades of brilliant decisions smashed together in unexpected contexts without thinking about or identifying the consequences," Biehn says.

Vulnerability Uncovered

According to Jogi, the Qualys security researchers independently verified the vulnerability, developed an exploit and obtained full root privileges on default installations of Ubuntu, Debian, Fedora and CentOS.

The researchers warn that other Linux distributions are likely vulnerable and probably exploitable too, saying: "This vulnerability has been hiding in plain sight for 12-plus years and affects all versions of pkexec since its first version in May 2009 (commit c8c3d83, 'Add a pkexec(1) command')."

Jogi tells ISMG that the flaw is an attacker's dream come true, as pkexec is installed by default on all major Linux distributions and has been vulnerable since its creation in May 2009.

"Although this vulnerability is technically a memory corruption, it is exploitable instantly, reliably, in an architecture-independent way, and it is exploitable even if the Polkit daemon itself is not running," Jogi says. "Other Linux distributions are likely vulnerable and probably exploitable. If an attacker can log in as any unprivileged user, the vulnerability can be quickly exploited to gain root privileges."

Once the vulnerability was confirmed, Jogi says, the company's research team engaged in a responsible vulnerability disclosure and coordinated with both vendor and open-source distributions to announce the flaw.

"CVE-2021-4034 is notable in that it is easy to carry out, even for novices, as there are already several public functional and stable exploits floating around for anyone to use," Biehn says. He recommends patching your systems, looking for indicators of compromise and taking "a moment to reflect on your ability to do both things without disruption."

Technical Analysis

"This exploitation technique leaves traces in the logs - either 'The value for the SHELL variable was not found the /etc/shells file' or 'The value for environment variable […] contains suspicious content' but ... [it] is also exploitable without leaving any traces in the logs," Jogi says.

According to Jogi, the beginning of pkexec’s main() function processes the command-line arguments and searches for the program to be executed, if its path is not absolute, in the directories of the PATH environment variable. But he says that if the number of command-line arguments argc is 0 - which means if the argument list argv that is passed to execve() is empty, i.e., {NULL} - then argv[0] is NULL.

"If our PATH environment variable is 'PATH=name' and if the directory 'name' exists in the current working directory and contains an executable file named 'value.' then a pointer to the string 'name/value' is written out-of-bounds to envp[0]. Or, if our PATH is 'PATH=name=.' and if the directory 'name=.' exists and contains an executable file named 'value', then a pointer to the string 'name=./value' is written out-of-bounds to envp[0]."

Jogi says this out-of-bounds write allows an adversary to reintroduce an "unsecure" environment variable into pkexec’s environment, which is normally removed from the environment of SUID programs before the main() function is called.

Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center, says a local privilege escalation vulnerability is valuable when an attacker gains access to a Linux system but with limited access rights. "CVE-2021-4034 then could be used to gain additional rights within that system, allowing them to escalate their attack. As such, operators of Linux systems should immediately patch their systems, particularly if there is a way for users to access a command console," he says.

"Although local privilege escalation vulnerabilities require access to the vulnerable system, do not discount this vulnerability. When paired with any simple RCE vulnerability, this becomes a part of a critical attack chain. Given the massive attack surface that affects most every Linux distribution, this vulnerability will have legs that make it a threat well into 2022," says Reegun Jayapaul, a researcher at Trustwave, in a blog post. And Mackey points out that successful cyberattacks are often the result of a series of vulnerabilities chained together.

About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.