
PwnKit: Local Privilege Escalation Vulnerability In Major Linux Distributions

Almost every Linux distribution ships the pkexec binary, and the vulnerability (CVE-2021-4034) lies in that binary. pkexec is part of polkit (formerly PolicyKit), the open-source framework that mediates between unprivileged and privileged processes. pkexec itself is installed SUID root and exists to execute a command as another user, root by default, so a bug in its argument handling is immediately a root problem.

The flaw has existed for more than 12 years: every release of pkexec since the command was first added to polkit in May 2009 is affected. Almost all of the popular Linux distributions are affected, including RHEL, Fedora, Debian, and CentOS, together with many less common distributions and the unstable/development branches of those distributions.


Vulnerability Details

Polkit's pkexec command has a memory corruption vulnerability (an out-of-bounds read followed by an out-of-bounds write in its argument handling) that leads to local privilege escalation: a normal user can be elevated to root. Remote exploitation is not possible with this flaw on its own, but any person with access to an unprivileged account on the system, including an attacker who obtained that access by other means, can exploit it to gain root privileges. The Qualys Research Team, who discovered the bug, named it PwnKit.

Let’s look at the vulnerable code snippet from the pkexec binary.

------------------------------------------------------------------------

534        for (n = 1; n < (guint) argc; n++) { ... }

610        path = g_strdup (argv[n]);

629        if (path[0] != '/') {

632        s = g_find_program_in_path (path);

639        argv[n] = path = s;

640        }

------------------------------------------------------------------------

  • pkexec expects the command to run as its first non-option argument. If it is started with an empty argument list, that is, via execve() with argv[0] == NULL, then argc is 0 when main() is entered. (Running "pkexec" from a shell with no arguments gives argc 1, which the usage check after line 610 handles correctly; the bug needs argc 0.)
  • The 'for' loop at line 534 starts at n=1, so with argc 0 its body never runs and n is still 1 when the loop ends.
  • argv[n] at line 610 therefore reads argv[1], which is out of bounds: argv[0] is the NULL terminator of the empty argument array, and the kernel places the environment pointer array immediately after it, so argv[1] is envp[0].
  • If the attacker's environment starts with the string "value", path becomes "value".
  • Because "value" does not start with '/', the condition at line 629 sends it to g_find_program_in_path(path) at line 632.
  • g_find_program_in_path() searches each directory in the PATH environment variable for an executable called "value". If one exists (the attacker creates it), 's' holds its full path, and line 639 writes that pointer out of bounds to argv[n], i.e. argv[1], which is envp[0]. With PATH set to "PATH=GCONV_PATH=." and an executable at "GCONV_PATH=./value", the string written over envp[0] is "GCONV_PATH=./value": a variable that the dynamic loader deliberately strips from the environment of SUID programs has been re-introduced into pkexec's environment.

The snippet above therefore lets an attacker smuggle an otherwise-forbidden environment variable into a process that is already running as root. The public exploits use GCONV_PATH for this: when pkexec later prints an error message, glibc's character-set conversion loads a gconv module from the attacker-controlled directory, and that shared object runs as root.
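To make the sequence in the bullets above concrete, here is an added C model of the argv/envp layout and of pkexec's argument scan. It is written for this page and is not code from polkit or from any of the public exploits. Everything in it is constructed: the process block, the fake PATH lookup table, and the names "value" and "GCONV_PATH=./value" follow the advisory's description; the simplified option handling (skip arguments beginning with '-') stands in for pkexec's real option parsing; and the patched branch mirrors the upstream fix, which exits with status 127 when argc < 1. The program performs no privilege escalation and touches no real file. It only shows where the out-of-bounds read and write land.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustration only, not polkit code. One pointer array laid out the way
 * execve() does it: argv[0..argc-1], NULL, envp[0..], NULL. Hence
 * envp == &argv[argc + 1], and with argc == 0, argv[1] is envp[0]. */
struct proc_block { char *slots[8]; int argc; char **argv, **envp; };

static void build_block(struct proc_block *pb, int argc,
                        const char *const *args, const char *const *env)
{
    int i = 0, k;
    for (k = 0; k < argc; k++) pb->slots[i++] = (char *) args[k];
    pb->slots[i++] = NULL;                 /* argv[argc] terminator */
    pb->envp = &pb->slots[i];              /* environment follows directly */
    for (k = 0; env[k] != NULL; k++) pb->slots[i++] = (char *) env[k];
    pb->slots[i] = NULL;
    pb->argc = argc;
    pb->argv = pb->slots;
}

static const char *env_lookup(char **envp, const char *name)
{
    size_t n = strlen(name);
    for (; *envp != NULL; envp++)
        if (strncmp(*envp, name, n) == 0 && (*envp)[n] == '=')
            return *envp + n + 1;
    return NULL;
}

/* Model of g_find_program_in_path(): walk PATH (from envp) and return a
 * malloc'd "dir/name" for the first candidate present in the constructed
 * list of existing executables, else NULL. Touches no real filesystem. */
static char *find_program_in_path(const char *name, char **envp,
                                  const char *const *existing)
{
    const char *path = env_lookup(envp, "PATH");
    while (path != NULL) {
        const char *colon = strchr(path, ':');
        size_t dirlen = colon ? (size_t) (colon - path) : strlen(path);
        char *cand = malloc(dirlen + strlen(name) + 2);
        if (cand == NULL) { perror("malloc"); exit(1); }
        memcpy(cand, path, dirlen);
        cand[dirlen] = '/';
        strcpy(cand + dirlen + 1, name);
        for (int i = 0; existing[i] != NULL; i++)
            if (strcmp(existing[i], cand) == 0) return cand;
        free(cand);
        path = colon ? colon + 1 : NULL;
    }
    return NULL;
}

/* The argument scan of pkexec's main() (lines 534-640 quoted above), with
 * option handling reduced to skipping arguments that start with '-'.
 * Returns the program path, or NULL where pkexec prints usage and exits.
 * patched != 0 adds the argc < 1 check from the upstream fix (exit 127). */
static char *pick_program(int argc, char **argv, char **envp,
                          const char *const *existing, int patched)
{
    unsigned n;
    char *path, *s;
    if (patched && argc < 1) return NULL;
    for (n = 1; n < (unsigned) argc; n++)
        if (argv[n][0] != '-') break;
    path = argv[n];                        /* line 610: argv[1] == envp[0] when argc == 0 */
    if (path == NULL) return NULL;
    if (path[0] != '/') {                  /* line 629 */
        s = find_program_in_path(path, envp, existing);   /* line 632 */
        if (s == NULL) return NULL;
        argv[n] = path = s;                /* line 639: the write lands on envp[0] */
    }
    return path;
}

/* The advisory's argc == 0 condition, entirely in memory: no arguments,
 * envp[0] == "value", PATH == "GCONV_PATH=.", and a constructed "filesystem"
 * holding an executable at "GCONV_PATH=./value". Returns a copy of envp[0]
 * after the scan: "GCONV_PATH=./value" with the vulnerable logic, "value"
 * when patched. */
const char *run_model(int patched)
{
    static char result[64];
    static const char *const no_args[] = { NULL };
    static const char *const env[] = { "value", "PATH=GCONV_PATH=.", NULL };
    static const char *const existing[] = { "GCONV_PATH=./value", NULL };
    struct proc_block pb;
    char *picked;
    build_block(&pb, 0, no_args, env);
    picked = pick_program(pb.argc, pb.argv, pb.envp, existing, patched);
    snprintf(result, sizeof result, "%s", pb.envp[0]);
    free(picked);   /* NULL or the malloc'd path from find_program_in_path */
    return result;
}

int main(void)
{
    printf("vulnerable: envp[0] after scan = %s\n", run_model(0));
    printf("patched:    envp[0] after scan = %s\n", run_model(1));
    return 0;
}
```

The interesting line is the assignment at the model's equivalent of line 639: nothing in the scan is a classic buffer overflow, the loop simply trusts that argv[argc] exists, and the one-slot overshoot is enough because the kernel's layout puts the environment right behind it. The upstream fix is a single early check, which is why the patch is tiny and why the hardening is easy to verify by code inspection.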


Exploit Snippet

The SecPod Security Research Team reproduced the exploit on a test system to confirm the technical details; the session below is from that run.

$ ls -l /usr/bin/pkexec
-rwsr-xr-x 1 root root 23376 Mar 27 2019 /usr/bin/pkexec

  • The 's' in the owner's execute position (-rws...) is the SUID bit: whoever runs pkexec, the resulting process executes with the privileges of the file's owner, here root. That is what turns a bug in pkexec's argument handling into a privilege escalation.

$ id
uid=1001(secpod) gid=1001(secpod) groups=1001(secpod),4(adm),27(sudo),113(lpadmin),128(sambashare)

  • Logged in as an unprivileged user named "secpod" with uid 1001.

$ ./cve-2021-4034

# id
uid=0(root) gid=0(root) groups=0(root),4(adm),27(sudo),113(lpadmin),128(sambashare),1001(secpod)

# whoami
root

  • As soon as the secpod user executes the exploit, a root shell is returned: uid and gid are now 0, with the original group memberships still attached.

Publicly available Exploits

As soon as the technical details of CVE-2021-4034 became public, many exploits were published. Some of them are linked below:

https://github.com/Ayrx/CVE-2021-4034

https://github.com/berdav/CVE-2021-4034

https://github.com/arthepsy/CVE-2021-4034

https://github.com/ryaagard/CVE-2021-4034

https://github.com/joeammond/CVE-2021-4034


Impact

Successful exploitation lets any unprivileged local user, or any attacker who has gained code execution as such a user, obtain root access. No sudo entry, special group membership, or user interaction is required.


Mitigation

SanerNow can be used to detect and mitigate this vulnerability.

All major vendors have published fixes for their respective distributions. Ubuntu has provided an updated PolicyKit package for 14.04 ESM and 16.04 ESM (extended security maintenance) and for more recent releases such as 18.04, 20.04, and 21.04.

Red Hat also released a security update for PolicyKit on Workstation and Enterprise products and extended life cycle support, AUS, and TUS.

SUSE and Debian also have released fixes for this vulnerability for most of their supported versions.


Other Workarounds and Mitigation

On systems that cannot use SanerNow, or where the vendor has not yet published a security update, the following workaround mitigates the vulnerability temporarily:

# chmod u-s /usr/bin/pkexec

The command removes the SUID bit from pkexec, so the binary no longer runs as root and the out-of-bounds write gains the attacker nothing. The trade-off is that pkexec stops working for its legitimate purpose: any desktop tool or script that relies on pkexec to perform an action as root will fail until the bit is restored (chmod u+s /usr/bin/pkexec) once the patched package is installed. Verify the change with ls -l /usr/bin/pkexec: the owner permissions should read -rwxr-xr-x rather than -rwsr-xr-x.

SanerNow can also mitigate the vulnerability by using the attached mitigation_script.

Note: The mitigation will remove SUID-bit from pkexec command. To roll back from the mitigation, use the attached rollback_script.

  • Log in to the SanerNow platform.
  • Switch to the account/site-specific view and go to the 'VM tool'.
  • If your application is vulnerable, Saner lists the above CVE under 'Top Vulnerabilities' or 'Recently Discovered Vulnerabilities'.
  • Search for this vulnerability in the VM tool. If you are affected, apply the workaround through EM -> Actions.


  • Select 'Software Deployment' under Actions in the EM tool.

  • Next, select 'Upload'.

  • This prompts for a software package. Select 'Compressed Installer Packages' and upload the compressed file.

  • Once the file is uploaded, select it and click 'Edit'. Set 'Family' to the relevant OS, 'Extract Location' to the directory where the compressed file should be extracted, and 'Run File' to the name of the script inside the archive.

  • Select 'Update Details'; the compressed file entry is updated with the new details.

  • After the update, click the refresh button, select the file, and click 'Install'.

  • Select the affected devices where the mitigation should be applied.

  • Update the "Task Name", "Schedule" the remediation, and populate "Reboot Schedule" as required. Then click 'Create Installation task'.

  • Once the task is created, the job starts and the console redirects to the task status page.



With SanerNow, you can quickly detect and mitigate the Polkit vulnerability in your network. SanerNow Vulnerability Management is built on the home-grown world’s largest vulnerability database with 160,000+ security checks. SanerNow offers the industry’s fastest vulnerability scanning techniques to detect vulnerabilities in less than 5 minutes.
