# CVE-2021-4034 - gimme root

Hell yeah! Finally, a new category on 0ut3r Space! This is the first article in the vulnerability category. I’ve been planning this for some time: I will briefly describe the most spectacular, popular and interesting vulnerabilities from the perspective of blue and red teams, with some examples. Let’s start with the first one. Quite fresh.

CVE-2021-4034, better known as PwnKit, was discovered by the Qualys Research Team. Why is it so special? Its origin has been traced to the initial commit of pkexec from May 2009, more than 12 years ago, so yes, every Polkit version released since then is affected :) The bug is in how pkexec handles an empty argument list (argc == 0): it reads past the end of argv into the environment and later writes a path back into that same memory, which lets a local user smuggle an environment variable past pkexec's sanitization and get code executed as root. The good news is that the vulnerability is not remotely exploitable, but anyone with access to the machine as an unprivileged local user can quickly and easily gain root privileges. One of the Zero Trust principles says: act as if the attacker is already inside. You can assume that some threat actors are already in your organization, just waiting for a situation like this to use exactly this kind of vulnerability for privilege escalation. It has never been so easy, because Polkit (formerly PolicyKit) is a component installed by default on Linux distributions like Ubuntu, Debian, Fedora and CentOS. Other Linux distributions are likely vulnerable too.

## Check if you are affected

If you do not have polkit installed, you are safe. If you have it installed and have not yet applied the fix, you are affected. So just check whether it is installed on your system (the package is called policykit-1 on Debian and Ubuntu and polkit on Red Hat, Fedora, CentOS and SUSE; the vulnerable binary is /usr/bin/pkexec).

On Debian-based distros:

On Red Hat-based distros:

or

On SUSE:

If you are a Linux admin, you know how to check it on your system.

## Mitigations

Now the most important part: mitigations! You have two options.

The first one is to patch it ASAP. Fortunately, patches are already published for most versions of the actively maintained Linux distributions.

You can check the security bulletin for your Linux distribution (each has a table with platform/release), for example:

If there is no patch for your operating system yet, you have the second option: remove the SUID bit from pkexec as a temporary mitigation. Without the SUID bit pkexec can no longer be abused for privilege escalation, but it also stops working for its legitimate purpose, and the next polkit package update will restore the bit, so treat this as a stopgap and still install the real fix.

Check it:

Remove it:

But to be honest, if there is no patch for your operating system, it probably means you should migrate to an actively maintained one.
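The script below is an added example, not code from the original post, and it covers both the "Check if you are affected" section and the SUID-bit mitigation above: it locates pkexec, asks the package manager which package owns it (policykit-1 on Debian/Ubuntu, polkit on RPM-based systems), reports whether the SUID bit is set, and provides a function that clears the bit. It assumes dpkg or rpm is the package manager and that pkexec, if present, lives in PATH or at /usr/bin/pkexec.

```sh
#!/bin/sh
# Added example (not the original post's code): inspect pkexec for CVE-2021-4034 exposure
# and apply the temporary SUID-bit mitigation. Assumes dpkg (Debian/Ubuntu) or rpm
# (Red Hat/Fedora/CentOS/SUSE) as the package manager.

# Classify a pkexec path: "missing" (polkit not installed), "setuid" (exploitable unless
# the fixed package is installed) or "no-suid" (the temporary mitigation is in place).
pkexec_status() {
  if [ ! -e "$1" ]; then
    echo missing
  elif [ -f "$1" ] && [ -u "$1" ]; then
    echo setuid
  else
    echo no-suid
  fi
}

# Print the package that owns a file (policykit-1 on Debian/Ubuntu, polkit on RPM
# systems); prints nothing when the package manager is not recognised.
owning_package() {
  if command -v dpkg >/dev/null 2>&1; then
    dpkg -S "$1" 2>/dev/null | cut -d: -f1
  elif command -v rpm >/dev/null 2>&1; then
    rpm -qf "$1" 2>/dev/null
  fi
  return 0
}

# Temporary mitigation: clear the SUID bit (needs root on the real binary). pkexec then
# refuses to work at all until a fixed package is installed, and that upgrade restores the bit.
drop_suid() {
  chmod 0755 "$1" && pkexec_status "$1"
}

PKEXEC=$(command -v pkexec 2>/dev/null || echo /usr/bin/pkexec)   # /usr/bin is the usual location
STATUS=$(pkexec_status "$PKEXEC")
PKG=$(owning_package "$PKEXEC")
echo "pkexec: $PKEXEC  package: ${PKG:-unknown}  status: $STATUS"
if [ -e "$PKEXEC" ]; then
  ls -l "$PKEXEC"   # an 's' in the owner execute slot (-rwsr-xr-x) means SUID root
fi
case "$STATUS" in
  setuid)  echo "SUID bit set: install the distro fix, or as root run: chmod 0755 $PKEXEC" ;;
  no-suid) echo "SUID bit already cleared: mitigated for now, but still install the fix" ;;
  missing) echo "pkexec not found: polkit does not seem to be installed" ;;
esac
```

Run it as a normal user to get the report; only `drop_suid` (or the `chmod 0755` it wraps) needs root. Remember that clearing the bit breaks pkexec for everyone, including desktop components that rely on it, so plan the package update.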

## Attack! I mean POC

Davide Berardi published an exploit (GitHub: berdav/CVE-2021-4034). In the next few days there will be more and more exploits for this.

For now, if you would like to test it (on a machine you own or are authorized to test), just download it from GitHub, compile it with the make command and run ./cve-2021-4034. It builds a small shared library that pkexec is tricked into loading as a gconv module and then executes pkexec with an empty argument list; the result is a root shell.

Example:

Easy peasy ;)

## Signs of exploitation

It is possible to exploit this without leaving a trace, but you can check the logs (auth.log on Debian/Ubuntu, /var/log/secure on the Red Hat family) for:

The value for the SHELL variable was not found the /etc/shells file

or

The value for environment variable […] contains suspicious content.

Note that the second message is spelled "suscipious" in pkexec's source code, and that is how it appears in the log, so search for that spelling (or a pattern that covers both) rather than the corrected one. And since an attacker who got root can simply delete these lines, their absence proves nothing.
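To turn those two messages into a check you can actually run, here is an added example that is not part of the original post: a small shell script that greps an auth log for both pkexec messages and summarises which user triggered them. The log lines it runs on are constructed for the demo, not real captures, and the pattern accepts both the "suscipious" spelling from pkexec's source and the corrected spelling quoted above.

```sh
#!/bin/sh
# Added example (not the original post's code): scan an auth log for the two pkexec
# messages that exploitation of CVE-2021-4034 can leave behind. The sample log lines
# below are constructed for this demo.

# The second message is spelled "suscipious" in pkexec's source, so match both spellings.
PWNKIT_RE='pkexec\[[0-9]+\]:.*(The value for the SHELL variable was not found the /etc/shells file|The value for environment variable .* contains sus(cipi|pici)ous content)'

# Print every matching line from the log file given as $1 (no output, exit 0 if none).
pwnkit_hits() {
  grep -E "$PWNKIT_RE" "$1" || true
}

# Summarise who triggered the messages: "count user" per line, most frequent first.
# pkexec logs as "pkexec[pid]: <invoking user>: <message>", so the user is the field
# between the pid and the next colon.
pwnkit_by_user() {
  pwnkit_hits "$1" | sed -E 's/^.*pkexec\[[0-9]+\]: ([^:]+):.*$/\1/' | sort | uniq -c | sort -rn
}

# Constructed sample: one normal sudo, one legitimate pkexec run, two exploitation
# traces by "bob", and an unrelated cron line.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Jan 26 09:41:02 host sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Jan 26 09:42:17 host pkexec[1874]: alice: Executing command [USER=root] [TTY=/dev/pts/0] [CWD=/home/alice] [COMMAND=/usr/bin/pkexec --version]
Jan 26 10:03:41 host pkexec[2131]: bob: The value for the SHELL variable was not found the /etc/shells file
Jan 26 10:03:55 host pkexec[2140]: bob: The value for environment variable XAUTHORITY contains suscipious content
Jan 26 10:05:00 host CRON[2200]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF

echo "== matching lines =="
pwnkit_hits "$SAMPLE_LOG"
echo "== hits per user =="
pwnkit_by_user "$SAMPLE_LOG"
```

Point `pwnkit_hits` at /var/log/auth.log or /var/log/secure on a real host; on journald-only systems, export the pkexec entries first with `journalctl _COMM=pkexec` and feed the output to the same functions. A hit is worth an investigation of that user's session, but as the section says, no hit does not mean no exploitation.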