PwnKit – Polkit PKEXEC Vulnerability

EXECUTIVE SUMMARY:

A vulnerability has been discovered in the Linux Polkit (aka PolicyKit) pkexec utility, which facilitates communication between non-privileged and privileged processes. Pollkit also allows non-users to run privileged commands within a set policy. When this vulnerability is exploited, Polkit’s pkexec utility can be used by a non-privileged user to escalate their privileges to gain root access. This vulnerability has existed for the past 12 years in most Linux distros. Since publication on January 25, 2022 there has been proof of concept code available in the wild. Due to the extreme age of the vulnerability coupled with the ease of exploit, we consider this a High severity vulnerability that needs to be patched quickly.

ID: D3-2022-0004-1

Severity: 7.8 (HIGH)

IMPACT

Though there is no direct risk of remote code execution, this vulnerability will allow privilege escalation once the vulnerability is exploited.

This impacts a wide range of Linux systems (Ubuntu, Debian, Fedora, CentOS, likely others) so the attack surface is very large. All versions of Polkit packaged with Linux distributions are vulnerable dating back to May 2009.

Since exploiting this vulnerability is trivial, it will quickly become part of the average threat actor’s toolkit. A working proof of concept has also been released to the public.

DETAILED ANALYSIS

The vulnerability is due to a bug in pkexec which allows insecure environment variables to be written and executed due to incorrectly calling parameters and out-of-bounds writes being left unchecked before execution.

From Qualys:

“The beginning of pkexec’s main() function processes the command-line arguments (lines 534-568), and searches for the program to be executed (if its path is not absolute) in the directories of the PATH environment variable (lines 610-640).

If our PATH environment variable is “PATH=name”, and if the directory “name” exists (in the current working directory) and contains an executable file named “value”, then a pointer to the string “name/value” is written out-of-bounds to envp[0];

OR

If our PATH is “PATH=name=.”, and if the directory “name=.” exists and contains an executable file named “value”, then a pointer to the string “name=./value” is written out-of-bounds to envp[0]”

INDICATORS OF COMPROMISE

Logs should be reviewed for either of the following:

• The value for the SHELL variable was not found the /etc/shells file
• The value for environment variable * contains suspicious content
• It has also been reported that the exploit can take place without leaving logs.
• Dataprise has developed and implemented detections for these IOCs and can alert on attempts to exploit this vulnerability.

MITIGATION STEPS

Polkit’s authors have released a patch available on their github.

Ubuntu has released extended security maintenance updates: 14.04, 16.04, 18.04, 20.04, and 21.04

Redhat also has also released security updates.

A temporary fix can also be put in place which removes pkexec’s write permissions:

• chmod 0755 /usr/bin/pkexec

SOURCES

• https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034
• https://access.redhat.com/security/cve/CVE-2021-4034#cve-cvss-v3
• https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683
• https://access.redhat.com/security/security-updates/#/?q=polkit&p=1&sort=portal_publication_date%20desc&rows=10&portal_advisory_type=Security%20Advisory&documentKind=PortalProduct
• https://ubuntu.com/security/notices/USN-5252-2
• https://ubuntu.com/security/notices/USN-5252-1

CONTRIBUTING AUTHORS

• Stephen Jones, Vice President, Cybersecurity Services
• Nicholas Tenney, Cybersecurity Analyst
• Bryan Austin, Cybersecurity Engineer

View all Dataprise Defense Digests here.