PwnKit Linux bug lets an unprivileged user gain full root privileges
The 12-year-old flaw exists in the pkexec component of Polkit system utility
Researchers at Qualys have uncovered a now-patched security vulnerability in a widely used Linux security toolkit that could enable an attacker to gain full root privileges on the system if they have access to a regular user account without admin privileges.
The vulnerability, dubbed 'PwnKit' and tracked as CVE-2021-4034, exists in the pkexec component of the Polkit system utility, which ships in all major Linux distributions, including Ubuntu, CentOS, Debian and Fedora.
Polkit, formerly called PolicyKit, is a toolkit for controlling system-wide privileges in Unix-like operating systems: it lets unprivileged processes request actions from privileged ones in an organised way. pkexec is Polkit's SUID-root command-line programme for running a command as another user, typically root, after the request has been authorised.
According to Bharat Jogi, director of vulnerability and threat research at Qualys, this memory corruption bug (an out-of-bounds write) "has been hiding in plain sight" for more than 12 years, affecting every version of pkexec since the first release in May 2009.
The flaw lies in how pkexec handles its command-line arguments. When it is executed with an empty argument list (an argc of zero, which execve permits), the slot it treats as argv[1] is actually the first entry of the environment, so a write intended for the argument array lands in the environment instead. That lets an attacker feed dangerous environment variables such as LD_PRELOAD into pkexec's execution flow.
LD_PRELOAD is an optional variable that instructs the dynamic loader to load shared libraries from a custom path before any other library when a programme starts.
Normally such potentially dangerous variables are stripped before pkexec's own code runs: the dynamic loader removes them from the environment of any SUID programme, and pkexec rebuilds a sanitised environment before executing the requested command. The out-of-bounds write lets an attacker reintroduce a variable into pkexec's environment after that sanitisation has already happened, which is what defeats the protection.
In an advisory, Red Hat explains that the current version of pkexec does not handle the count of calling parameters correctly and ends up trying to execute environment variables as commands.
"An attacker can leverage this by crafting environment variables in such a way it'll induce pkexec to execute arbitrary code," the advisory adds.
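The following C programme is an added illustration of the root cause described above; it is not pkexec's source and not Qualys's exploit. It models, in-process, the stack layout the kernel gives a new programme (argv followed immediately by envp), then runs a vulnerable argument-handling routine and a fixed one over an argc-of-zero layout. The layout struct, the `resolve_program` stand-in for pkexec's PATH lookup, the function names and the environment entry "demo-program" are all constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example: a toy model of the pkexec argc == 0 bug, not pkexec's code.
 *
 * The kernel lays out argv and envp back to back on the new process's stack:
 *     argv[0] ... argv[argc-1]  NULL  envp[0] ... NULL
 * so argv[argc + 1] == envp[0]. execve() accepts an empty argv (argc == 0),
 * and then argv[1] *is* envp[0]. pkexec started at n = 1 and read and wrote
 * argv[n] without checking argc, which is the out-of-bounds access at issue.
 */

struct exec_layout {
    int    argc;
    char **argv;
    char **envp;
    char  *cells[3];   /* argv NULL terminator, envp[0], envp NULL terminator */
};

/* Build an argc == 0 layout with one constructed environment entry, as the kernel would. */
static void make_layout(struct exec_layout *l, char *env0)
{
    l->argc     = 0;
    l->cells[0] = NULL;        /* argv[0] slot: with argc == 0 argv is only the terminator */
    l->cells[1] = env0;        /* envp[0] sits immediately after it */
    l->cells[2] = NULL;        /* envp terminator */
    l->argv     = l->cells;
    l->envp     = l->cells + 1;
}

/* Stand-in for pkexec's PATH lookup (g_find_program_in_path): make a relative name absolute. */
static char *resolve_program(const char *name)
{
    if (name[0] == '/')
        return strdup(name);
    char *out = malloc(strlen("/usr/bin/") + strlen(name) + 1);
    sprintf(out, "/usr/bin/%s", name);
    return out;
}

/* Vulnerable pattern: the option loop never runs when argc == 0, n stays 1, argv[1] is used anyway. */
char *vulnerable_pick_program(int argc, char **argv)
{
    int n;
    for (n = 1; n < argc; n++) {
        /* option parsing would go here; the model takes no options */
    }
    char *path = argv[n];                 /* OOB read when argc == 0: this is envp[0] */
    if (path == NULL)
        return NULL;
    char *resolved = resolve_program(path);
    argv[n] = resolved;                   /* OOB write when argc == 0: overwrites envp[0] */
    return resolved;
}

/* Fixed pattern, following the shape of the upstream patch: refuse to run with an empty argv. */
char *fixed_pick_program(int argc, char **argv)
{
    if (argc < 1)
        return NULL;                      /* the missing check: never index past argv */
    int n;
    for (n = 1; n < argc; n++) {
    }
    if (n >= argc)
        return NULL;                      /* no programme given: a usage error, not an OOB read */
    char *resolved = resolve_program(argv[n]);
    argv[n] = resolved;
    return resolved;
}

/* Run the vulnerable routine on an argc == 0 layout and return what envp[0] became. */
const char *demo_vulnerable_env0(void)
{
    static struct exec_layout l;
    static char env0[] = "demo-program";  /* constructed attacker-chosen envp[0] */
    make_layout(&l, env0);
    vulnerable_pick_program(l.argc, l.argv);
    return l.envp[0];                     /* "/usr/bin/demo-program": pkexec wrote into its own environment */
}

/* Same layout through the fixed routine: 1 if nothing was chosen and envp[0] is untouched. */
int demo_fixed_is_safe(void)
{
    struct exec_layout l;
    char env0[] = "demo-program";
    make_layout(&l, env0);
    char *chosen = fixed_pick_program(l.argc, l.argv);
    return chosen == NULL && l.envp[0] == env0;
}

int main(void)
{
    printf("vulnerable: envp[0] became \"%s\"\n", demo_vulnerable_env0());
    printf("fixed: untouched=%d\n", demo_fixed_is_safe());
    return 0;
}
```

The model shows the mechanism only: the value pkexec looks up is whatever the caller placed in envp[0], and the "resolved" result is written straight back into the environment, which is how an attacker-controlled variable reappears after sanitisation. Note that Linux kernels from 5.18 onwards insert an empty argv[0] when a programme is executed with an empty argument list, so argc can no longer be zero there; the vulnerable pkexec code is unchanged, but that particular trigger is closed at the kernel level on those systems.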
Exploiting the flaw is so easy that proof-of-concept exploit code emerged less than three hours after Qualys published its technical advisory for PwnKit.
The flaw was reported to Linux vendors in November last year, and patches have since been issued by Debian, Red Hat and Ubuntu.
Qualys strongly urges admins to apply the fixes released by Polkit's authors without delay: "Given the breadth of the attack surface for this vulnerability across both Linux and non-Linux OS, Qualys recommends that users apply patches for this vulnerability immediately." Where a patched package is not yet available, Qualys's advisory suggests removing the SUID bit from pkexec (for example with chmod 0755 /usr/bin/pkexec) as a temporary mitigation, at the cost of pkexec no longer working until the patch is installed.
PwnKit is the second security bug found in Polkit in recent years. In June last year, GitHub security researcher Kevin Backhouse disclosed details of a seven-year-old privilege escalation bug (CVE-2021-3560) that enabled attackers to escalate permissions to the root user.
It is also not the only bug to affect all Linux distributions. In July, Red Hat and other vendors released patches for a local privilege escalation (LPE) vulnerability, dubbed 'Sequoia', that affected all Linux kernels released since 2014 and enabled unprivileged attackers to gain root-level privileges on vulnerable devices.
Tracked as CVE-2021-33909, the bug was discovered by researchers from Qualys.
Separately, the same researchers disclosed details of a stack exhaustion denial-of-service (DoS) bug in systemd (the system and service manager) that enabled an unprivileged attacker to trigger a kernel panic.
Earlier this month, Linux admins were urged to patch a high-risk full-disk encryption (FDE) flaw (CVE-2021-4122) impacting Linux Unified Key Setup (LUKS) encryption and its cryptsetup programme.
The researchers warned that an attacker with physical access to the encrypted device could tamper with its on-disk metadata so that data is exposed in cleartext the next time the volume is unlocked, without the attacker ever knowing the password.