Bug in pkexec allows privilege escalation on most Linux distros

Spread the love

Security researchers have discovered a vulnerability in pkexec, a component found in virtually all Linux distributions. With the PwnKit exploit it is possible to get root rights on a system. There are now proofs-of-concept that demonstrate exploitation.

The vulnerability was discovered by security firm Qualys and has been assigned code CVE-2021-4034, but the researchers also refer to the bug as PwnKit. The bug is in pkexec, a feature within Polkit in Linux that allows you to run commands as another user. This feature has been included as standard in most Linux distros since 2009. According to the researchers, the specific vulnerability has been in the software since the first commit and thus potentially affects many users. The bug can be exploited on systems where an attacker has access to local user rights.

According to the researchers, there is a memory bug in the feature. This makes it possible to invoke an out of bounds write in which an attacker can then insert an insecure variable. Normally this is stopped by the software, but the researchers found a way around that.

Although the discoverers do not publish any exploit code, they warn that exploits are likely to become available soon. The leak is said to be ‘very simple’ and has been easy to spot all this time. According to BleepingComputer, working exploits are already available, which the site has also tested.

The researchers say they successfully exploited the bug in Ubuntu, Debian, Fedora, and CentOS, but speculate that other distros are “probably also vulnerable and exploitable.” Non-Linux systems such as Solaris and *BSD might also be vulnerable because Polkit is included, but the researchers did not run a practical test on them. OpenBSD is in any case safe according to them.

Qualys discovered the bug in November and has passed it on to multiple developers and manufacturers. The original Polkit developers have released a patch. The Qualys researchers also mention a mitigation option; # chmod 0755 /usr/bin/pkexec changes the permissions of the tool so that authentication is no longer possible.

You might also like
Exit mobile version