A 12-year-old security vulnerability has been disclosed in a system tool called Polkit that gives attackers root privileges on Linux systems, and a proof-of-concept (PoC) exploit appeared in the wild just hours after technical details of the bug were made public.
Named “PwnKit” by cybersecurity firm Qualys, the vulnerability affects a component of polkit called pkexec, a program that is installed by default on all major Linux distributions such as Ubuntu, Debian, Fedora, and CentOS.
Polkit (formerly called PolicyKit) is a toolkit for controlling system-wide privileges in Unix-like operating systems and provides a mechanism for non-privileged processes to communicate with privileged processes.
“This vulnerability allows any unprivileged user to gain full root privileges on a vulnerable host by exploiting this vulnerability in its default configuration,” said Bharat Jogi, Director of Vulnerability and Threat Research at Qualys, adding that it “has been in the public eye for 12+ years and affects all versions of pkexec since its first release in May 2009.”
The bug, a memory-corruption issue that has been assigned the identifier CVE-2021-4034, was reported to Linux vendors on November 18, 2021, after which patches were issued by Red Hat and Ubuntu.
pkexec, analogous to the sudo command, allows an authorized user to execute commands as another user and doubles as an alternative to sudo. If no username is specified, the command is run as the administrative superuser, root.
PwnKit stems from an out-of-bounds write that enables the reintroduction of “unsafe” environment variables into pkexec’s environment. Although the vulnerability cannot be exploited remotely, an attacker who has already established a foothold on a system by other means can leverage the bug to obtain full root privileges.
Complicating matters is the emergence of a PoC in the wild, which CERT/CC vulnerability analyst Will Dormann called “simple and universal,” making it absolutely crucial that the patches are applied as soon as possible to contain potential threats.
The development marks the second security flaw disclosed in Polkit in as many years. In June 2021, GitHub security researcher Kevin Backhouse disclosed details of a seven-year-old privilege escalation vulnerability (CVE-2021-3560) that could be abused to gain root permissions.
On top of that, the disclosure comes close on the heels of a security flaw affecting the Linux kernel (CVE-2022-0185) that could be exploited by an attacker with unprivileged access to a system to escalate to root and break out of containers in Kubernetes setups.