A vulnerability that was present for 12 years in polkit allowed root privileges to be obtained 

A few days ago the news broke that Qualys research team discovered memory corruption vulnerability in polkit pkexec, a root SUID program that is installed by default on all major Linux distributions.

This vulnerability easily exploitable allowed any non-privileged user to gain full root privileges on a vulnerable host by exploiting this vulnerability in its default configuration.

polkit (formerly known as PolicyKit) is a component for system-wide privilege control on Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged processes, plus it is also possible to use polkit to run commands with elevated privileges using the pkexec command followed by the command it is intended to run (with root permission).

About vulnerability

Vulnerability lies in pkexec, for your code contains a pointer handling error, some of which end up referencing areas of memory that shouldn't. By exploiting this flaw, it is possible to gain administrator privileges almost instantly.

Cataloged as CVE-2021-4034, the vulnerability received a CVSS score of 7,8 and to which the Qualys team explained in a blog post that:

The pkexec flaw opens the door to root privileges for an attacker. Qualys researchers, he said, have shown exploitation of default installations of Ubuntu, Debian, Fedora and CentOS, and other Linux distributions are also believed to be vulnerable.

“Successful exploitation of this vulnerability allows any non-privileged user to gain root privileges on the vulnerable host. Qualys security researchers were able to independently verify the vulnerability, develop an exploit, and gain full root privileges on default installations of Ubuntu, Debian, Fedora, and CentOS. Other Linux distributions are probably vulnerable and exploitable. This vulnerability has been hidden for more than 12 years and affects all versions of pkexec since its first release in May 2009 (confirm c8c3d83, "Add a pkexec(1) command").

"As soon as our research team confirmed the vulnerability, Qualys committed to responsible vulnerability disclosure and coordinated with vendors and open source distributions to announce the vulnerability."

The problem occurs when the main() function by pkexec process command line arguments and that argc is zero. The function still tries to access the argument list and ends up trying to use an rgvvoid (ARGument Vector of command line argument strings). As a result, memory is read and written out of bounds, which an attacker can exploit to inject an environment variable that can cause arbitrary code to be loaded.

The fact that these variables can be reintroduced makes the code vulnerable. At least the exploitation technique offered by Qualys (injecting the GCONV_PATH variable into the pkexec environment to run a shared library as root) leaves traces in the log files.

In a security advisory, Red Hat issued the following statement:

"Red Hat is aware of a vulnerability found in pkexec that allows an authenticated user to perform an elevation of privilege attack."

“The primary risk to customers is the potential for an unprivileged user to gain administrative privileges on affected systems. The attacker must have login access to the target system to carry out the attack."

It is worth mentioning that the vulnerability had already been identified in 2013 and had been described in detail in a blog post, even if no PoC had been provided:

"Lol, I wrote about this polkit vulnerability in 2013. I couldn't find an actual exploit path, but I did identify the root cause."

Finally, if you are interested in being able to know that about it, you can consult the details in the following link


The content of the article adheres to our principles of editorial ethics. To report an error click here!.

Be the first to comment

Leave a Comment

Your email address will not be published. Required fields are marked with *

*

*

  1. Responsible for the data: AB Internet Networks 2008 SL
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.