Polkit Vulnerability

A Polkit Vulnerability Gives Root on All Major Linux Distros

A 12-year-old security vulnerability has been disclosed in the Linux’s system utility Polkit that grants attackers root privileges.

Previously called PolicyKit, Polkit manages system-wide privileges in Linux. It provides a mechanism for nonprivileged processes to safely interact with privileged processes and it’s installed by default in every major Linux distribution.

Yesterday, researchers from Qualys published an advisory about a local privilege escalation vulnerability in the pkexec tool, that is installed as part of the Polkit. The pkexec tool, which is a command line tool, is used to define which authorized user can execute a program as another user.

The security flaw is identified as CVE-2021-4034 and named PwnKit has been around for more than 12 years. In other words, Pkexec has been vulnerable since its creation in May 2009.

This easily exploited vulnerability allows any unprivileged user to gain full root privileges on a vulnerable host by exploiting this vulnerability in its default configuration.

Qualys Researchers

If you are already wondering how dangerous is it, there is only one short answer. Very! Exploiting the flaw is trivial and, by some accounts, 100 percent reliable.

The root cause of the issue is an out-of-bounds memory write that is created when pkexec’s main function processes command-line arguments and attempts to locate the program to be executed. An attacker can introduce an “unsecured” variable into pkexec’s environment.

As a result, an arbitrary code can be loaded and run by the program as root.

As of this writing, the Common Vulnerabilities and Exposures website did not yet have a listing for CVE-2021-4034. There is serious cause for concern because attackers probably will start exploiting it soon.

This is especially dangerous for any multi-user system that allows shell access to users. In fact, any unprivileged local user can exploit this vulnerability to get full root privileges.

Bojan Zdrnja, a penetration tester and a handler at SANS, tried the exploit on a fully patched Ubuntu 20.04 system for testing purposes.

Polkit Vulnerability - PwnKit

The security hole was reported in November 2021 and a patch was issued on January 11, 2022. You should obtain and apply a patch ASAP.

Patches for PwnKit are already dropping – Red Hat and Ubuntu users can find out more here and here.

If no patches are available for your Linux distro, as a short-term solution, you can remove the SUID-bit from pkexec:

chmod 0755 /usr/bin/pkexec

Qualys also notes that the exploitation technique leaves traces in logs, that say either “The value for the SHELL variable was not found the /etc/shells file…” or “The value for environment variable … contains suspicious content.

3 Comments

  1. Please define problem’s better. As to how– by way of net or wireless, a user at the key-board. A careful read of text clarified just what was going on. This is a multi-user problem as in a office, school and a family used computer or rather any group use. A single user should have very little problem. I am the only user. Rest of house does windows (they have their own). When I speak of linux, I usually get that dumb dog look. They don’t want to learn anything about my system.

  2. This article did not contain any actionable information. My computer has /usr/bin/pkexec on it but what version should it be so I know it’s been patched? This article does not even say.

Leave a Reply