Unprivileged Linux Users Can Now Take Advantage of a 12-Year-Old Polkit Flaw


Short News:-


A 12-year-old security vulnerability has been disclosed in a system utility called Polkit. Polkit is a toolkit for controlling system-wide privileges in Unix-like operating systems. A proof-of-concept (POC) exploit has emerged in the wild hours after technical details became public. PwnKit stems from an out-of-bounds write that enables reintroduction of "unsecured" environment variables into pkexec's environment. If no username is specified, the command to be executed will be run as the administrative superuser, root.



Detailed News:-


A vulnerability in Polkit, a Linux system utility, has been disclosed that gives attackers root privileges, and a proof-of-concept (PoC) exploit for the 12-year-old security flaw surfaced in the wild just hours after technical details of the bug were made public.


Cybersecurity firm Qualys has dubbed this vulnerability "PwnKit." It affects pkexec as shipped in polkit's default installation, a tool found on all major Linux distributions including Ubuntu, Debian, Fedora, and CentOS.


In Unix-like operating systems like Linux, Polkit (formerly known as PolicyKit) is a set of tools for managing system-wide privileges, and it provides a way for non-privileged processes to communicate with privileged ones.


Bharat Jogi, director of vulnerability and threat research at Qualys, said that this vulnerability "allows any unprivileged user to gain full root privileges on a vulnerable host by exploiting this vulnerability in its default configuration." Jogi added that this "has been hiding in plain sight for 12+ years and affects all versions of pkexec since its first version in May 2009."


On November 18, 2021, Linux vendors were notified of the vulnerability, which has been assigned the identification CVE-2021-4034 and for which patches have been released by Red Hat and Ubuntu.


As an alternative to the sudo command, pkexec enables an authorized user to run commands on behalf of another user. The command will be executed as root, the administrative superuser, if no username is provided.


PwnKit stems from an out-of-bounds write that allows "unsecured" environment variables to be reintroduced into pkexec's environment. Although the issue is not remotely exploitable, an attacker with an established foothold on a system can use it to obtain full root privileges.


With CERT/CC vulnerability expert Will Dormann describing the PoC that has emerged in the wild as "simple and ubiquitous," it is all the more critical that the fixes be applied immediately to contain any potential threats.


This is the second time in as many years that a hole in Polkit's security has been discovered. Last year, GitHub security researcher Kevin Backhouse reported a seven-year-old privilege escalation vulnerability (CVE-2021-3560) that could be exploited to gain full root control of the system.


The disclosure also comes just a few days after a security hole in the Linux kernel (CVE-2022-0185) that may be exploited by an unprivileged user to gain root privileges and break out of containers in Kubernetes environments.

