Kworld Trend / linux distributions poisoned by the pwnkit flaw techhaunt.com Linux users on Tuesday got a big dose of bad news — a 12-year-old vulnerability in a system tool called Polkit gives attackers unfettered root privileges on machines running most major Linux distributions. Operation is open source.
Formerly known as PolicyKit, Polkit manages system-wide privileges in Unix-like operating systems. Provides a mechanism for unprivileged processes to interact securely with privileged processes. It also allows users to execute commands with elevated privileges using a component called pkexec, followed by the command.
Linux distributions are poisoned by the pwnkit techhaunt.com flaw
A newly reported memory corruption vulnerability in the SUID-root software installed by default on every major Linux distribution worldwide can be easily exploited to grant an unauthorized user full root privileges on a vulnerable host.
Qualys researchers discovered the flaw, which was tracked as CVE-2021-4034 and named PwnKit, at the end of 2021, but it appears to have been hiding “in plain sight” since May 2009.
It’s in polkit (formerly PolicyKit) pkexec, which is a component used to control system-wide launch privileges in Unix-like operating systems. This component is legitimately used to enable non-privileged processes to communicate with privileged processes, and also enables the user to execute commands with elevated privileges if they have root permission.
In an official disclosure notice, Bharat Jogi, Director of Vulnerability and Threat Research at Qualys writes: “Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. However, Qualys security researchers were able to independently verify the vulnerability and develop Exploit and obtain full root privileges for default installations of Ubuntu, Debian, Fedora and CentOS Other Linux distributions are potentially vulnerable and potentially exploitable.
Continued
“Once our research team confirmed the vulnerability, Qualys became involved in responsible. Disclosure of the vulnerabilities and coordinated with both vendors. And open source distributions to announce the vulnerability.”
According to Red Hat, the vulnerability hinges on the fact that pkexec does not handle call parameters correctly and ends up trying to execute environment variables as commands. A malicious actor can exploit this by crafting environment variables to force pkexec to execute arbitrary code and escalate its privileges.
PwnKit is exceptionally dangerous due to the pervasive nature of pkexec and its relative ease of exploitation, which is why Qualys has chosen not to publish technical details of the exploit.
Patches for PwnKit are already dropping out — Red Hat and Ubuntu users can learn more here. And here respectively — and the Polkit writers have made a patch available on GitHub. But Jogi warned the vulnerability could be exploited by malicious actors right away. Without these patches, users can mitigate PwnKit by removing the SUID-bit from pkexec as detailed by Qualys.
Qualys customers, by the way, may already be using the company’s VMDR vulnerability management tool. That to scan for vulnerable assets, while users of its expanded detection. And response service can also scan for post-exploit activity on their systems.
Trivial to exploit and 100 percent reliable
Like most operating systems, Linux provides a hierarchy of permission levels that control when. And what applications or users can interact with sensitive system resources. The design is intended to limit the damage that can occur. That if the user is not trusted with administrative control of the network or if the application is compromised or malicious.
Since 2009, pkexec has contained a memory corruption vulnerability. That people with limited control over a vulnerable device can exploit to escalate privileges along the way. Exploiting the flaw is trivial and, by some accounts, 100% reliable. An attacker who already has a foothold on a vulnerable device could exploit the vulnerability. To ensure that a malicious payload or command runs with the highest available system rights. PwnKit, as the researchers call the vulnerability, is also exploitable even if the Polkit daemon is not running.
However, PwnKit was discovered by researchers from the security company Qualys in November. And revealed on Tuesday after being patched in most Linux distributions. PwnKit has been tracked as CVE-2021-4034.
In an email, Qualys Director of Vulnerability Research Bharat Jogi wrote:
The most likely attack scenario is from an insider threat where a malicious user could escalate from having no privileges at all to full root privileges. From an external threat perspective, if an attacker can gain a foothold on a system via another vulnerability or password breach, that attacker can escalate to full root privileges through that vulnerability.
Jogi said the exploits require authenticated local access to the vulnerable device. And cannot be run remotely without such authentication. Here’s a video of the exploit in action.
