A memory corruption vulnerability (CVE-2021-4034) in PolKit, a component used in major Linux distributions and some Unix-like operating systems, can be easily exploited by local unprivileged users to gain full root privileges.
While the vulnerability is not exploitable remotely and doesn’t, in itself, allow arbitrary code execution, it can be used by attackers that have already gained a foothold on a vulnerable host to escalate their privileges and achieve that capability.
About the vulnerability (CVE-2021-4034)
CVE-2021-4034 – dubbed PwnKit by the Qualys researchers who unearthed it – is found in PolKit’s pkexec tool and was introduced in May 2009.
“Polkit (formerly PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged processes. It is also possible to use polkit to execute commands with elevated privileges using the command pkexec followed by the command intended to be executed (with root permission),” explained Bharat Jogi, Director of Vulnerability and Threat Research at Qualys.
PwnKit has been confirmed to be easily exploitable.
After finding the bug, creating an exploit and obtaining root privileges on default installations of Ubuntu, Debian, Fedora, and CentOS with it, Qualys researchers notified both the vendor (Red Hat Product Security) and open-source distributions so they could push out a patch.
The researchers haven’t shared the exploit, but said they “anticipate public exploits to become available within a few days of this blog’s post date.”
And they were right: a working exploit was posted publicly by BLASTY (@bl4sty) on January 25, 2022 (embedded tweet).
The efficacy of that exploit was confirmed quickly – also on an ARM64 system.
SANS ISC handler Bojan Zdrnja created one, too, and executed it on an Ubuntu 20.04 system that had not yet received the patch.
“Since most major distributions already released patches, the best option now is to install the patches. Of course, you’ll need to do it on all systems. If you cannot, or if there are no patches available, you can prevent the vulnerability from being exploited by removing the SUID bit from the pkexec tool; just make sure that you are not breaking anything,” he advised.
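The interim mitigation Zdrnja describes, removing the SUID bit from pkexec, can be checked and applied with a short script. The following is an added example, not code from the article, from Qualys or from SANS; it assumes pkexec lives at /usr/bin/pkexec (the path can be overridden for testing) and that a GNU or BSD `stat` is available. It only strips the bit when explicitly asked, because doing so breaks pkexec's normal privilege-elevation use until the patched package is installed.

```shell
#!/bin/sh
# Added example: report whether a binary carries the setuid bit and, on request,
# strip it as a stop-gap until the vendor patch for CVE-2021-4034 is installed.

# Print the octal mode of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Exit 0 if the setuid bit is set on the file, 1 otherwise.
is_setuid() {
    [ -u "$1" ]
}

# Report status. Returns 0 when setuid is set (host still exposed if unpatched),
# 1 when it is not set, 2 when the file is missing.
check_pkexec() {
    path="${1:-/usr/bin/pkexec}"   # /usr/bin/pkexec is an assumed default location
    if [ ! -e "$path" ]; then
        echo "$path: not present"
        return 2
    fi
    if is_setuid "$path"; then
        echo "$path: setuid bit set (mode $(file_mode "$path")) - exposed if unpatched"
        return 0
    fi
    echo "$path: setuid bit not set (mode $(file_mode "$path"))"
    return 1
}

# Remove only the setuid bit (chmod u-s), leaving the other permission bits alone.
# Returns 0 when the bit is confirmed gone, 1 otherwise.
strip_setuid() {
    path="${1:-/usr/bin/pkexec}"
    chmod u-s "$path" || return 1
    if is_setuid "$path"; then
        return 1
    fi
    return 0
}

# When run directly: report by default; strip the bit only with --mitigate.
case "$1" in
    --mitigate) strip_setuid "${2:-/usr/bin/pkexec}" && check_pkexec "${2:-/usr/bin/pkexec}" ;;
    *) check_pkexec "$1" ;;
esac
```

Run it without arguments on each host to see whether pkexec is still setuid; run it with `--mitigate` only on hosts that cannot be patched yet, and restore the bit (or reinstall the package) once the fixed polkit build is in place.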
Qualys’ exploitation technique leaves traces in the logs, but the researchers pointed out that the vulnerability can also be exploited in ways that leave no such traces.
Users and admins are advised to implement the provided patches / updates as soon as possible, and especially on multi-user systems, Zdrnja noted.