A long-standing security flaw in the Polkit system utility has been disclosed that hands local attackers root privileges on Linux machines, and a proof-of-concept (PoC) exploit began circulating just hours after the technical details were published. The flaw, named “PwnKit” by cybersecurity company Qualys, affects polkit’s pkexec component, which is installed by default on every major Linux distribution, including Ubuntu, Debian, Fedora, and CentOS.
“By exploiting this weakness in its default configuration, any unprivileged user can gain full root access on a vulnerable host,” said Bharat Jogi, director of vulnerability and threat research at Qualys. “This vulnerability has been hiding in plain sight for 12+ years and affects all versions of pkexec since its first version in May 2009,” he added.
The weakness, tracked as CVE-2021-4034 and classified as a memory-corruption bug, was disclosed to Linux developers on November 18, 2021, after which Red Hat and Ubuntu released updates. Pkexec is a command similar to sudo that lets an authorized user run commands as another user, and it can be used in place of sudo. If no username is given, the command runs as the root superuser.
PwnKit stems from an out-of-bounds write that allows “unsecure” environment variables to be reintroduced into pkexec’s environment. The issue cannot be exploited remotely, but an adversary who has already gained a foothold on a machine by some other means can use it to obtain full root privileges.
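As an added example that is not part of the article or of the polkit project, the POSIX shell helper below checks the two things a defender can act on from the description above: whether pkexec on a host still carries the setuid bit that makes the local escalation possible, and whether the auth log contains the messages pkexec writes when it rejects a tampered environment variable. The /usr/bin/pkexec path and the two log message strings (taken from pkexec’s own source, not from the article) are assumptions.

```shell
#!/bin/sh
# Added audit helper (not from the article or the polkit project).
# Assumptions: pkexec lives at /usr/bin/pkexec (override with PKEXEC_PATH),
# and pkexec reports rejected environment variables to the auth log with
# the two messages matched below (from pkexec's source, not the article).

PKEXEC_PATH="${PKEXEC_PATH:-/usr/bin/pkexec}"

# 0 if the file carries the setuid bit (the property that lets an
# unprivileged caller run pkexec's code as root), 1 otherwise.
is_setuid() {
    [ -u "$1" ]
}

# Count auth-log lines in which pkexec refused a tampered environment.
# Prints the count; prints 0 when the file is missing or unreadable.
count_pkexec_rejections() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c \
        -e 'The value for the SHELL variable was not found the /etc/shells file' \
        -e 'contains suspicious content' "$1" || true
}

# Human-readable summary; always returns 0 so it is safe under set -e.
audit_pkexec() {
    if [ ! -e "$PKEXEC_PATH" ]; then
        echo "pkexec not found at $PKEXEC_PATH"
    elif is_setuid "$PKEXEC_PATH"; then
        echo "$PKEXEC_PATH is setuid: confirm the distribution patch for CVE-2021-4034 is installed"
    else
        echo "$PKEXEC_PATH is not setuid: the local root escalation path is closed"
    fi
    return 0
}

# Constructed sample log for demonstration (not captured from a real host).
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
Jan 25 10:00:00 host pkexec[1234]: user: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=/dev/pts/0]
Jan 25 10:00:01 host sshd[99]: Accepted publickey for user from 203.0.113.5
Jan 25 10:00:02 host pkexec[1235]: user: The value for environment variable XAUTHORITY contains suspicious content [USER=root]
EOF

audit_pkexec
echo "pkexec rejections in sample log: $(count_pkexec_rejections "$SAMPLE_LOG")"
rm -f "$SAMPLE_LOG"
```

On a real host, point count_pkexec_rejections at /var/log/auth.log or at saved journalctl output; a non-zero count is worth investigating as an attempted local escalation.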
The public availability of a PoC, which CERT/CC vulnerability analyst Will Dormann described as “simple and universal,” makes it all the more urgent to apply the patches as quickly as possible to head off attacks.
This is the second time in as many years that a security weakness has been found in Polkit. In June 2021, GitHub security researcher Kevin Backhouse published details of a seven-year-old privilege escalation vulnerability (CVE-2021-3560) that could be exploited to gain root privileges.
The disclosure also follows a Linux kernel security hole (CVE-2022-0185) that an attacker with unprivileged user access to a machine could exploit to escalate those rights to root and break out of containers in Kubernetes installations.