A recently disclosed vulnerability affecting the PolKit component has been present on several Linux distributions for over 12 years. The vulnerability is easily exploited, says Bharat Jogi, director of the Qualys research team, who discovered it, and allows any unprivileged user to gain full root privileges on a vulnerable host.
PolKit provides a mechanism that enables non-privileged processes to communicate with privileged ones and allows users to execute commands with root privileges through the command pkexec. This latter functionality is similar in nature to the more widespread sudo.
Qualys security researchers have been able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu, Debian, Fedora, and CentOS. Other Linux distributions are likely vulnerable and probably exploitable.
At the root of the vulnerability is a memory corruption issue in the way pkexec handles its command line arguments. Specifically, when it is run with no arguments, which means argc is 0, a part of its main function performs an out-of-bounds write which under given conditions overwrites its next contiguous memory. This happens to be envp[0], meaning one can easily inject a malicious environment variable into pkexec's environment.
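The argc == 0 condition described above is easier to see with the process start-up layout in hand. The following is an added illustration written for this article, not pkexec's own code: the kernel passes a new process its argument pointers and its environment pointers as one contiguous block, argv[0] .. argv[argc-1], a NULL, then envp[0] .. envp[n-1], a NULL, so envp sits at &argv[argc + 1]. When argc is 0, the slot a parser treats as argv[1] is therefore envp[0]. The vectors below are constructed sample data and nothing here launches a process; the guarded variant is the hardening a maintainer would apply (refuse the invocation when argc < 1).

```c
/*
 * Added illustration, not pkexec's own code: why argc == 0 makes the
 * "first argument" alias the first environment string.
 *
 * A Unix kernel hands a new process its argument and environment pointers
 * as one contiguous block:
 *   argv[0] .. argv[argc-1], NULL, envp[0] .. envp[n-1], NULL
 * so envp == &argv[argc + 1]. With argc == 0 that puts envp[0] exactly
 * where code expects argv[1]. All vectors below are constructed samples.
 */
#include <stddef.h>
#include <string.h>

/* Where the start-up layout places envp for a given argv and argc. */
char **envp_of(char **argv, int argc) { return &argv[argc + 1]; }

/* Vulnerable pattern: skip leading options from index 1 and treat the next
 * slot as the program to run, relying on argc to keep argv[n] in bounds.
 * With argc == 0 the loop never runs, n stays 1, and argv[1] is envp[0]. */
const char *first_operand_unguarded(int argc, char **argv) {
    int n;
    for (n = 1; n < argc; n++) {
        if (argv[n][0] != '-')
            break;
    }
    return argv[n];
}

/* The same index error on the write side: storing through argv[n] when
 * argc == 0 overwrites envp[0], i.e. it plants an environment entry. */
void store_operand_unguarded(int argc, char **argv, char *value) {
    int n;
    for (n = 1; n < argc; n++) {
        if (argv[n][0] != '-')
            break;
    }
    argv[n] = value;
}

/* Hardened pattern: reject a malformed invocation outright and never read
 * or write argv[argc] or anything past it. */
const char *first_operand_guarded(int argc, char **argv) {
    if (argc < 1)
        return NULL;            /* argc == 0 is not a legitimate invocation */
    int n;
    for (n = 1; n < argc && argv[n][0] == '-'; n++)
        ;
    return n < argc ? argv[n] : NULL;
}

/* Constructed start-up vectors laid out as the kernel would: argv strings,
 * a NULL terminator, then the environment strings. */
char *sample_normal[] = { "pkexec", "id", NULL, "HOME=/home/user", "PATH=/usr/bin", NULL };
char *sample_empty[]  = { NULL, "HOME=/home/user", "PATH=/usr/bin", NULL };
char *sample_inject[] = { NULL, "HOME=/home/user", NULL };
char sample_value[]   = "INJECTED=1";

/* Returns 1 when the unguarded parser, given an empty argv, reads envp[0]. */
int demo_alias(void) {
    const char *seen = first_operand_unguarded(0, sample_empty);
    return seen == envp_of(sample_empty, 0)[0];
}

/* Returns 1 when the unguarded store, given an empty argv, lands in envp[0]. */
int demo_inject(void) {
    store_operand_unguarded(0, sample_inject, sample_value);
    return envp_of(sample_inject, 0)[0] == sample_value;
}
```

The two demo functions compare pointers, not strings, so they show that the out-of-bounds slot and envp[0] are literally the same memory; the guarded parser returns NULL for the same input, which is the behaviour the upstream fix introduced by exiting when argc is 0.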
Qualys did not disclose code that exploits the vulnerability, but since the vulnerability is so easy to exploit, public exploits have become available online in less than a day from the disclosure.
The vulnerability is not exploitable remotely and requires having physical access to a system. Qualys demonstrated how PwnKit can be exploited by user nobody, which has no privileges at all, on a fully-patched Linux distro.
The fact that PwnKit is not remotely exploitable triggered a few comments on Reddit tending to downplay its relevance. In fact, while it is true that PwnKit alone will not be enough to take control of a remote system, it is known that attackers usually exploit several vulnerabilities in a row, called a vulnerability chain, to eventually gain control of a system. This means all affected systems should be patched as soon as possible.
On the good side of things, a temporary mitigation is available that is trivial to apply and consists of removing the SUID bit from pkexec by running:
chmod 0755 /usr/bin/pkexec
Unfortunately, it is not always easy to check whether a patched version has been installed. If you have automatic security updates enabled on your system, chances are your system has already been patched. Otherwise, you should check your distribution's security advisory or the changelog of the currently installed polkit package on your system.
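Because the stopgap is a single permission change, it is also easy to verify that it has actually taken effect. The following is an added example, not part of the original article or of the polkit project: it uses stat(2) to report whether a binary still carries the set-user-ID bit, defaulting to the /usr/bin/pkexec path named in the mitigation, and includes a self-test on a temporary file so it can be exercised without a setuid pkexec present.

```c
/*
 * Added example, not part of the original article: report whether a path
 * still carries the set-user-ID bit, i.e. whether the "chmod 0755" stopgap
 * has been applied. Run it as ./a.out [path]; the default path is the one
 * the mitigation targets.
 */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* 1 if the set-user-ID bit is on, 0 if off, -1 if the path cannot be stat'd. */
int suid_bit_set(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & S_ISUID) ? 1 : 0;
}

/* Print the mitigation state of one binary and return suid_bit_set()'s result. */
int report(const char *path) {
    int r = suid_bit_set(path);
    if (r < 0)
        printf("%s: not found or not accessible\n", path);
    else
        printf("%s: setuid bit %s\n", path,
               r ? "SET (patch, or apply chmod 0755)" : "cleared");
    return r;
}

/* Self-test on a constructed temporary file: set the bit, check, clear it,
 * check again. Returns 1 on success, 0 on any mismatch or system error. */
int selftest_on_tempfile(void) {
    char name[] = "/tmp/suid-check-XXXXXX";   /* constructed scratch file */
    int ok = 0;
    int fd = mkstemp(name);
    if (fd < 0)
        return 0;
    if (fchmod(fd, 04755) == 0 && suid_bit_set(name) == 1 &&
        fchmod(fd, 00755) == 0 && suid_bit_set(name) == 0)
        ok = 1;
    close(fd);
    unlink(name);
    return ok;
}

int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : "/usr/bin/pkexec";
    /* Exit status 1 means the bit is still set, so the check can gate a script. */
    return report(path) == 1;
}
```

The exit status is chosen so the check composes with configuration-management runs: a non-zero status on a host means the setuid bit is still present and the host must be confirmed patched via the distribution's advisory instead.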
Alternatively, Qualys itself makes a tool, Qualys VMDR, used to identify critical vulnerabilities, including PwnKit. If you prefer using open-source vulnerability detector Falco, security firm Sysdig has released a rule to configure Falco to detect PwnKit.
In addition to Linux-based distributions, the vulnerability might also affect other UNIX-like operating systems where Polkit is available, says Jogi. The researchers at Qualys did not investigate their exploitability, though, except for OpenBSD, which is not vulnerable due to the kernel refusing to execve() a program if argc is 0.