12 Year-Old Bug in Polkit Allows for Privilege Elevation
Researchers from Qualys identified a flaw in Polkit’s pkexec dating back to 2009. The memory-corruption vulnerability, dubbed PwnKit, allows a user with access to a vulnerable machine to elevate to root privileges. It was discovered in November, is tracked as CVE-2021-4034, and patches have been released. Polkit, previously known as PolicyKit, manages privileges in most Unix/Linux distributions, controlling access to privileged processes from unprivileged processes.
Patches should be available for all major Linux distributions, and applying the patch does not require a reboot. Privilege escalation vulnerabilities are often assigned a lower urgency, but this one is easy to exploit, and some of the publicly available exploits leave no trace in your logs.
Updates to Polkit have been released for RedHat/CentOS and other Linux distributions and are available through your regular repositories. If you cannot patch, remove the setuid-root permission from pkexec (e.g., chmod 755 /bin/pkexec). Exploitation can be detected by looking for log entries; see the Qualys blog for examples. Note, however, that it is possible to exploit the flaw without leaving any traces in system logs.
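As an added example (not code from the article or from Qualys), the following POSIX shell script audits the posture described above: it checks whether pkexec still carries the setuid-root bit, applies the interim chmod 755 mitigation on request, and counts log lines carrying the message pkexec emits when it rejects an invalid SHELL value. The candidate pkexec paths are assumptions, the log message text is taken from pkexec's own SHELL validation error, and any sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original article. Audits the CVE-2021-4034 posture.
# Assumptions: POSIX sh with ls/awk/grep available; candidate pkexec paths below;
# the log message text is the one pkexec writes when SHELL is not in /etc/shells.

# Return 0 if FILE carries the set-user-ID bit, 1 otherwise.
has_setuid_bit() {
    [ -f "$1" ] && [ -u "$1" ]
}

# Return 0 only if FILE is setuid AND owned by root (the combination that matters).
is_setuid_root() {
    has_setuid_bit "$1" || return 1
    [ "$(ls -ld "$1" | awk '{print $3}')" = "root" ]
}

# Print "setuid-root" or "no-setuid" for FILE.
pkexec_status() {
    if is_setuid_root "$1"; then printf 'setuid-root\n'; else printf 'no-setuid\n'; fi
}

# Print the first pkexec path that exists; return 1 when none is found.
find_pkexec() {
    for p in /usr/bin/pkexec /bin/pkexec; do   # assumed candidate locations
        [ -f "$p" ] && { printf '%s\n' "$p"; return 0; }
    done
    return 1
}

# Interim mitigation from the article: drop the setuid bit. Patching is preferred,
# and the patched package ships a pkexec that is safe to leave setuid.
mitigate_pkexec() {
    chmod 0755 "$1"
}

# Count lines in LOGFILE carrying pkexec's refusal message for a bad SHELL value.
# Exploit attempts that do not scrub their environment trigger it; quiet ones do not,
# so a count of zero is not proof of absence.
count_pkexec_shell_rejections() {
    grep -c 'The value for the SHELL variable was not found the /etc/shells file' "$1" || true
}

if path=$(find_pkexec); then
    printf '%s: %s\n' "$path" "$(pkexec_status "$path")"
else
    printf 'pkexec not found on this host\n'
fi
```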
Unix/Linux privilege escalation vulnerabilities tend to linger unpatched for a long time because they are “only” privilege escalation and carry a lower CVSSv3 score. Make the effort to get your systems patched; this vulnerability is trivially exploited.
This bug is fascinating to me for several reasons. First, it signals to researchers that other SUID binaries may have similar issues, so I suspect we will see more of these. Second, the bug is dead simple to exploit: almost all the available POCs were written from the initial writeup. The exploit also does not have to contend with ASLR or any fragile memory-corruption technique, so it works universally regardless of kernel or distribution version. Patch it now.