The Most Recent Dataprise News and Awards

MSP Cloud Verify logo Inc.5000 logo CRAINS Best Places to Work in NYC logo
Dataprise Completes MSP Verify Certification with SOC 2 Type 2 Audit Computerworld Best Places to Work logo MSP 501 Winner logo CRN MSP 500 logoCRN MSP 500 logo
Tech Elite 250 logo MSP Cloud Verify logo Inc.5000 logo
CRN MSP 500 logo Dataprise Completes MSP Verify Certification with SOC 2 Type 2 Audit Computerworld Best Places to Work logo CRAINS Best Places to Work in NYC logo MSP 501 Winner logo

Global Service Alert

Published: 01/26/2022 14:18 EST

PwnKit – Polkit PKEXEC Vulnerability

EXECUTIVE SUMMARY:

A vulnerability has been discovered in the Linux Polkit (aka PolicyKit) pkexec utility, which facilitates communication between non-privileged and privileged processes. Pollkit also allows non-users to run privileged commands within a set policy. When this vulnerability is exploited, Polkit’s pkexec utility can be used by a non-privileged user to escalate their privileges to gain root access. This vulnerability has existed for the past 12 years in most Linux distros. Since publication on January 25, 2022 there has been proof of concept code available in the wild. Due to the extreme age of the vulnerability coupled with the ease of exploit, we consider this a High severity vulnerability that needs to be patched quickly.

ID: D3-2022-0004-1

Severity: 7.8 (HIGH)


IMPACT

Though there is no direct risk of remote code execution, this vulnerability will allow privilege escalation once the vulnerability is exploited.

This impacts a wide range of Linux systems (Ubuntu, Debian, Fedora, CentOS, likely others) so the attack surface is very large. All versions of Polkit packaged with Linux distributions are vulnerable dating back to May 2009.

Since exploiting this vulnerability is trivial, it will quickly become part of the average threat actor’s toolkit. A working proof of concept has also been released to the public.


DETAILED ANALYSIS

The vulnerability is due to a bug in pkexec which allows insecure environment variables to be written and executed due to incorrectly calling parameters and out-of-bounds writes being left unchecked before execution.

 From Qualys:

“The beginning of pkexec's main() function processes the command-line arguments (lines 534-568), and searches for the program to be executed (if its path is not absolute) in the directories of the PATH environment variable (lines 610-640).

 

 

If our PATH environment variable is “PATH=name”, and if the directory “name” exists (in the current working directory) and contains an executable file named “value”, then a pointer to the string “name/value” is written out-of-bounds to envp[0];

OR

 If our PATH is “PATH=name=.”, and if the directory “name=.” exists and contains an executable file named “value”, then a pointer to the string “name=./value” is written out-of-bounds to envp[0]”

 

INDICATORS OF COMPROMISE

 Logs should be reviewed for either of the following:

The value for the SHELL variable was not found the /etc/shells file

The value for environment variable * contains suspicious content

 It has also been reported that the exploit can take place without leaving logs.

 Dataprise has developed and implemented detections for these IOCs and can alert on attempts to exploit this vulnerability.

 

MITIGATION STEPS

 Polkit’s authors have released a patch available on their github.

 Ubuntu has released extended security maintenance updates: 14.04, 16.04, 18.04, 20.04, and 21.04

Redhat also has also released security updates.

 A temporary fix can also be put in place which removes pkexec’s write permissions:

chmod 0755 /usr/bin/pkexec

 


SOURCES

 

CONTRIBUTING AUTHORS

  • Stephen Jones, Vice President, Cybersecurity Services
  • Nicholas Tenney, Cybersecurity Analyst
  • Bryan Austin, Cybersecurity Engineer


View all active Global Service Alerts











Contact Us To Get Started Winning With IT Today!

If your business is looking to partner with a local IT support company that will learn the intimate details of your business technology and process, while also having the experience to manage and advise you on your day-to-day technology challenges, just fill out our contact form below and one of our consultants will contact you shortly.