TR-67 - local privilege escalation vulnerability in polkit's pkexec utility.

Overview

A vulnerability, CVE-2021-4034, was discovered in the tool pkexec (part of polkit), which is included in many Linux distributions such as Ubuntu and Red Hat in a package called PolicyKit. The CVSS v3 Base Score is 7.8.

The attack complexity is very low and the vulnerability enables privilege escalation to root on the operating system. It can be exploited even by users who are not sudoers.

All versions of polkit (formerly PolicyKit) up to and including 0.105 are affected.

The packaging tools can be used to check whether the patch was applied, as shown in the example below on an Ubuntu-based distribution:

dpkg -l  | grep policykit
ii  policykit-1                          0.105-26ubuntu1.2                     amd64        framework for managing administrative policies and privileges

Proof-of-concept exploits are publicly available; some are listed in the reference section of this document.

Fixing and mitigation

The best fix is to apply the security patches. As the program runs in user space, no reboot is needed. If the patches cannot be applied, the file permissions of pkexec can be restricted by removing the SUID bit as a temporary mitigation. An example is shown below:

chmod 0755 /usr/bin/pkexec

Detection and incident response

When the vulnerability is abused, the following artefact can be searched for in the auth.log file, located for instance at /var/log/auth.log.

The TTY, COMMAND and SHELL parameters are variable. The COMMAND parameter gives a hint to the location where the exploit code was executed.

In the example below the exploit code is in /home/toto/CVE-2021-4034.

The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=/dev/pts/11] [CWD=/home/toto/CVE-2021-4034] [COMMAND=GCONV_PATH=./pwnkit.so:. PATH=GCONV_PATH=. SHELL=/lol/i/do/not/exists CHARSET=PWNKIT]

An alternative is to search the file system for a directory called GCONV_PATH=. (the trailing dot is part of the directory name).

Once the location of the exploit has been identified, the exploit code can be recovered from the GCONV_PATH directory.

After this step, standard incident response procedures can be applied to find out what happened next on the server, such as forensics on the file system or on a memory image.
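The detection steps above, as an added Python example that is not part of this report: it parses auth.log lines for the pkexec SHELL artefact, keeps only those whose COMMAND field carries the GCONV_PATH= marker, and locates directories literally named GCONV_PATH=. on disk. The sample log lines, syslog prefixes and user names are constructed for the example.

```python
import os
import re
from dataclasses import dataclass

# pkexec logs this when $SHELL is not in /etc/shells; PwnKit PoCs set a bogus SHELL.
SHELL_MSG = "The value for the SHELL variable was not found the /etc/shells file"

# pkexec appends bracketed fields: [USER=..] [TTY=..] [CWD=..] [COMMAND=..]
FIELD_RE = re.compile(r"\[(USER|TTY|CWD|COMMAND)=([^\]]*)\]")

# Markers seen in the COMMAND field of the artefact above; GCONV_PATH= is the generic one.
IOC_MARKERS = ("GCONV_PATH=", "CHARSET=PWNKIT")

# Constructed sample auth.log lines (syslog prefixes and users are invented).
SAMPLE_AUTH_LOG = [
    "Jan 26 09:58:01 srv1 pkexec[2301]: alice: Executing command [USER=root] "
    "[TTY=/dev/pts/3] [CWD=/home/alice] [COMMAND=/usr/bin/apt update]",
    "Jan 26 10:02:17 srv1 pkexec[2418]: toto: " + SHELL_MSG + " [USER=root] "
    "[TTY=/dev/pts/11] [CWD=/home/toto/CVE-2021-4034] [COMMAND=GCONV_PATH=./pwnkit.so:. "
    "PATH=GCONV_PATH=. SHELL=/lol/i/do/not/exists CHARSET=PWNKIT]",
    "Jan 26 10:05:44 srv1 pkexec[2502]: bob: " + SHELL_MSG + " [USER=root] "
    "[TTY=/dev/pts/4] [CWD=/home/bob] [COMMAND=/usr/bin/id]",
]

@dataclass
class PkexecEvent:
    user: str
    tty: str
    cwd: str        # directory the exploit was launched from
    command: str
    suspicious: bool

def parse_auth_line(line: str):
    """Return a PkexecEvent for a line carrying the SHELL artefact, else None."""
    if SHELL_MSG not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    command = fields.get("COMMAND", "")
    return PkexecEvent(fields.get("USER", ""), fields.get("TTY", ""),
                       fields.get("CWD", ""), command,
                       any(m in command for m in IOC_MARKERS))

def scan_auth_log(lines):
    """Keep only events whose COMMAND carries exploit markers, not every SHELL warning."""
    return [ev for ev in map(parse_auth_line, lines) if ev and ev.suspicious]

def find_gconv_dirs(root: str):
    """List directories literally named 'GCONV_PATH=.' below root (the exploit's drop dir)."""
    return [os.path.join(d, n) for d, names, _ in os.walk(root)
            for n in names if n == "GCONV_PATH=."]
```

Running scan_auth_log(SAMPLE_AUTH_LOG) returns a single event for user toto with CWD /home/toto/CVE-2021-4034; the bob line carries the SHELL warning but no exploit marker and is not flagged.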

Are vulnerable servers in Luxembourg?

Yes.

References

Classification of this document

TLP:WHITE information may be distributed without restriction, subject to copyright controls.

Revision

  • Version 1.0 - TLP:WHITE - First version - 26 January 2022