pkexec, the sudo-like utility present in all major Linux distributions, has a 12-year-old weakness that will almost certainly be exploited in the near future.
Any unprivileged user can gain complete root access after successful exploitation.
Polkit’s pkexec has been found to contain a vulnerability, CVE-2021-4034, which has a CVSS score of 7.8. Polkit (formerly PolicyKit) offers a centralized means for non-privileged processes to interact with privileged ones, and the command pkexec may be used to execute commands with root permissions.
CentOS, Debian, Fedora and Ubuntu are all vulnerable, and a proof-of-concept exploit gives the user complete root access.
pkexec has been a target for attackers because of this vulnerability, which has been present since its first version in May 2009. Any local user with no privileges may exploit it to take control of the system as root.
Even though this vulnerability is a memory corruption bug, it can be exploited instantly and in a platform-independent way. The flaw can be exploited even when the Polkit daemon is not running.
On a vulnerable system in its default configuration, any unprivileged user can exploit it to obtain full root privileges.
Vulnerability Details
Pkexec is vulnerable to an out-of-bounds write, which allows an “unsecure” environment variable (such as LD_PRELOAD) to be re-introduced into its environment.
Normally, before the main function is executed, ld.so removes these “unsecure” variables from the environment of SUID programs.
The vulnerability is triggered by tricking pkexec, through an out-of-bounds write, into searching for a maliciously constructed PATH environment variable.
If PATH is “PATH=name=.”, and the directory “name=.” exists and contains an executable file called “value”, then a pointer to the string “name=./value” is written out of bounds into envp[0].
Pkexec thereby reintroduces an unprotected variable into its environment, enabling an attacker to gain root access and launch programs. Linux administrators, and users who don’t have an administrator account, often use pkexec to launch software as another user, which is a common practice in the Linux community.
PwnKit can be used to gain root access by anybody who knows how to build a malicious PATH variable.
How to remain safe?
All major Linux distributions have provided fixes, and because they’re all affected, it is critical that you apply them right away. If you’re using an OEM-distributed Linux system on which the vulnerability is still present, or on which the affected machine is harder to patch, contact the vendor.
If you can’t find or install fixes right away, you can use the following shell command, run as root, to chmod your way out of trouble:
# chmod 0755 /usr/bin/pkexec
This command removes the setuid bit from pkexec, so it no longer runs with root privileges, and leaves the owner (in this example, root) as the only one who can write to it. It should only be regarded as an interim fix.
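As an added illustration of the interim mitigation above (this is not code from the original article), the following Python script reports whether a pkexec binary still carries the setuid bit and applies the same change as chmod 0755. It assumes the default path /usr/bin/pkexec and rehearses the change on a constructed scratch file so it can be tried without root.

```python
import os
import stat
import tempfile

# Mode left by the interim mitigation (chmod 0755): rwxr-xr-x with no setuid bit.
INTERIM_FIX_MODE = 0o755


def classify_mode(st_mode: int) -> dict:
    """Describe the permission bits of a pkexec binary, given st_mode from os.stat()."""
    perm = stat.S_IMODE(st_mode)  # drop file-type bits, keep rwx/suid/sgid/sticky
    return {
        "perm": oct(perm),
        "setuid": bool(perm & stat.S_ISUID),  # runs as the file owner (root) if set
        "owner_only_writable": not perm & (stat.S_IWGRP | stat.S_IWOTH),
        "mitigated": perm == INTERIM_FIX_MODE,  # exactly what `chmod 0755` produces
    }


def audit_pkexec(path: str = "/usr/bin/pkexec") -> dict:
    """Report whether the pkexec at `path` (assumed default location) is still setuid."""
    st = os.stat(path)
    report = classify_mode(st.st_mode)
    report["owner_uid"] = st.st_uid  # expected to be 0 (root) for a distro-installed pkexec
    return report


def apply_interim_fix(path: str = "/usr/bin/pkexec") -> dict:
    """Equivalent of `chmod 0755 /usr/bin/pkexec`; returns the before/after state."""
    before = classify_mode(os.stat(path).st_mode)
    os.chmod(path, INTERIM_FIX_MODE)  # clears the setuid bit; needs root on the real binary
    after = classify_mode(os.stat(path).st_mode)
    return {"before": before, "after": after}


def demo_on_scratch_file() -> dict:
    """Rehearse the fix on a constructed scratch file instead of the real binary."""
    fd, path = tempfile.mkstemp(prefix="fake-pkexec-")
    os.close(fd)
    try:
        os.chmod(path, 0o4755)  # mimic an unpatched setuid pkexec (owned by us, not root)
        return apply_interim_fix(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    if os.path.exists("/usr/bin/pkexec"):
        print(audit_pkexec())  # setuid=True means the interim fix has not been applied
    print(demo_on_scratch_file())
```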