Threat Advisory: PwnKit CVE-2021-4034

Jan 31, 2022
Written by Davinsi Labs

Scope of the vulnerability

A local privilege escalation vulnerability was found on polkit’s pkexec utility. Polkit (formerly PolicyKit) handles the communication of unprivileged processes with privileged processes on Linux operating systems. One binary in particular, part of this software package – pkexec, is leveraging from setuid to allow (privileged) user impersonation. The vulnerability allows a local unprivileged user to gain root access without any authentication or restrictions due to incorrect handling of the process’s argument vector.
This vulnerability was introduced in 2009 and has never been publicly flagged until now. Whether or not it has already been exploited, is hard to say, but luckily there are ways to detect and mitigate its activity, which works on several Linux distributions.

Platforms Affected

  • Unpatched Linux distributions;
  • Some non-Linux operating systems.

 

Remediation

There are a few ways to mitigate the effects of the vulnerability, in order of preference:

  • Patch the polkit (policy kit) software package for your distribution.
  • Deploy systemtap package (https://access.redhat.com/solutions/5441).
  • Investigate whether temporary removal of setuid permissions from pkexec is a feasible solution.

 

Detection

Exploitation Detection

Tested on a few major Linux distributions, the following log entries will be found after either successful or unsuccessful attempts:

Jan 28 14:38:30 linuxmachine pkexec[8747]: exploit: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=/dev/pts/1] [CWD=/tmp] [COMMAND=GCONV_PATH=./.pkexec PATH=GCONV_PATH=. CHARSET=pkexec SHELL=pkexec]

linuxmachine is the affected machine.

exploit is the user executing the exploit.

Seeing The value for the SHELL variable was not found the /etc/shells file in Linux logs is nothing new, but in combination with SHELL=pkexec, the chance of it being a false positive is drastically reduced, unless of course the affected machine is fully patched and in that case you could still detect a potential attempt.

Vulnerability Identification

Rapid7 InsightVM users will be able to identify the vulnerability by conducting authenticated scans on Red Hat linux hosts. Ensure your content release is up-to-date or has at least the release from 26/01/2022. Checks for other distributions supported as part of Rapid7’s recurring coverage will be added as those vendor advisories get picked up and make their way through their QA process.

References

Our research was based on a few key publications, which we would like to share with you:

 

Final words

In response to this surprisingly easy exploit, we have immediately taken steps to fully patch our Linux install base and we encourage you to do the same, or investigate whether the alternative mitigation steps are a fit for your environment. In combination with your mitigation steps it is also a good idea to track attempts across your organization to detect and identify malicious actors.

Threat advisory updates

This blog post will be continuously updated in case new findings are published.
Reach out to info@davinsi.com if you need any assistance from our team of security experts.
We hope the following threat advisory assists to react quickly to ongoing threats and urges the need for patching and security monitoring.

Share this news