A 12-year-old security vulnerability has been disclosed in a system utility called Polkit that grants attackers root privileges on Linux systems, and a proof-of-concept (PoC) exploit emerged in the wild mere hours after technical details of the bug became public.
Dubbed “PwnKit” by cybersecurity firm Qualys, the weakness affects a component of Polkit called pkexec, a program that is installed by default on every major Linux distribution, including Ubuntu, Debian, Fedora, and CentOS.
Polkit (formerly called PolicyKit) is a toolkit for controlling system-wide privileges in Unix-like operating systems, and provides a mechanism for non-privileged processes to communicate with privileged processes.
“This vulnerability allows any unprivileged user to gain full root privileges on a vulnerable host by exploiting this vulnerability in its default configuration,” Bharat Jogi, director of vulnerability and threat research at Qualys, said, adding it “has been hiding in plain sight for 12+ years and affects all versions of pkexec since its first version in May 2009.”
The flaw, which concerns a case of memory corruption and has been assigned the identifier CVE-2021-4034, was reported to Linux vendors on November 18, 2021, following which patches have been issued by Debian, Red Hat, and Ubuntu.
pkexec, analogous to the sudo command, allows an authorized user to execute commands as another user. If no username is specified, the command is run as the administrative superuser, root.
PwnKit stems from an out-of-bounds write that enables the reintroduction of “unsecure” environment variables into pkexec’s environment. While the bug is not remotely exploitable, an attacker who has already established a foothold on a system by other means can use it to obtain full root privileges.
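Two checks an administrator would want after reading the above, written here as an added example (this is not code from the article, from Qualys, or from the polkit project): whether the local pkexec binary is still setuid-root, which it must be for the bug to matter, and whether the host's logs carry the messages pkexec itself emits when it rejects an unsafe environment variable, since that is the trace an attempt typically leaves. It assumes pkexec lives at /usr/bin/pkexec (override with PKEXEC_PATH) and that pkexec's syslog output reaches the file you point the log function at; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not code from the article, Qualys, or the polkit project.
# Defender-side checks for CVE-2021-4034 on one host:
#   1. is the pkexec binary still setuid (exploitable if the patch is missing)?
#   2. do the logs show the messages pkexec writes when it refuses an unsafe
#      SHELL or other environment variable?
# Assumptions: the path /usr/bin/pkexec (set PKEXEC_PATH if yours differs) and
# that pkexec's syslog messages end up in the log file you pass in.

PKEXEC_PATH=${PKEXEC_PATH:-/usr/bin/pkexec}

# Returns 0 if the file carries the setuid bit. pkexec needs that bit to work
# at all, which is why the stopgap for an unpatched host is to remove it.
pkexec_is_setuid() {
    [ -u "$1" ]
}

# Stopgap mitigation for an unpatched host: drop the setuid bit. pkexec stops
# working for everyone until the distribution's patch is installed and the
# package restores its normal mode.
strip_pkexec_setuid() {
    chmod u-s "$1"
}

# Count log lines carrying either message pkexec logs via syslog when it
# rejects an unsafe environment variable. "suscipious" is pkexec's own
# spelling, so match it as written. A patched pkexec logs the same text, so a
# hit means "find out who ran what", not "compromised".
count_pwnkit_log_hits() {
    grep -c -E 'pkexec\[[0-9]+\].*(The value for the SHELL variable was not found the /etc/shells file|The value for environment variable .* contains suscipious content)' "$1" || true
}

# Constructed sample log (not from a real host): two lines carry the signature,
# one is an unrelated sshd line, one is a normal pkexec invocation.
write_sample_log() {
    cat > "$1" <<'EOF'
Jan 25 10:01:02 host pkexec[4242]: alice: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=/dev/pts/0] [CWD=/home/alice] [COMMAND=/usr/bin/id]
Jan 25 10:01:05 host pkexec[4250]: alice: The value for environment variable XAUTHORITY contains suscipious content [USER=root] [TTY=/dev/pts/0] [CWD=/home/alice] [COMMAND=/usr/bin/id]
Jan 25 10:02:00 host sshd[1200]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2
Jan 25 10:03:00 host pkexec[4300]: alice: Executing command [USER=root] [TTY=/dev/pts/0] [CWD=/home/alice] [COMMAND=/usr/bin/systemctl restart cups]
EOF
}

# Stand-alone run: report on the local pkexec and on the constructed sample log.
if pkexec_is_setuid "$PKEXEC_PATH"; then
    echo "$PKEXEC_PATH is setuid: confirm the distribution's CVE-2021-4034 patch is installed"
else
    echo "$PKEXEC_PATH is not setuid (absent, or mitigated by stripping the bit)"
fi
sample=$(mktemp)
write_sample_log "$sample"
echo "pkexec environment-rejection messages in sample log: $(count_pwnkit_log_hits "$sample")"
rm -f "$sample"
```

Point count_pwnkit_log_hits at /var/log/auth.log or /var/log/secure (or at `journalctl -t pkexec` output saved to a file) to run it against real data; the setuid check and strip_pkexec_setuid are only meaningful when run as root against the real binary.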