CVE-2021-4034 - gimme root
Hell yeah! Finally, a new category on 0ut3r Space! This is the first article in the vulnerability category. I've been planning this for some time. I will briefly describe the most spectacular, popular and interesting vulnerabilities from the perspective of blue and red teams, with some examples. Let's start with the first one. Quite fresh.
CVE-2021-4034 was discovered by the Qualys Research Team. Why is it so special? Its origin has been tracked to the initial commit of pkexec, more than 12 years ago, so yeah, all Polkit versions are affected :) The good news is that the vulnerability is not remotely exploitable, but if you have access to the machine as any unprivileged user you can quickly and easily gain root privileges. One of the Zero Trust principles says: act like the attacker is already inside. You can assume that some threat actors are already in your organization and were just waiting for a situation like this, to use this kind of vulnerability for privilege escalation. It has never been so easy, because Polkit (formerly PolicyKit) is a component installed by default in Linux distributions like Ubuntu, Debian, Fedora, and CentOS. Other Linux distributions are likely vulnerable too.
Check if you are affected
If you do not have polkit installed you are safe. If you have, you are affected. Just check whether it is installed on your system.
On Debian based distros:
sudo apt list --installed | grep 'policykit\|polkit'
On RedHat based distros:
sudo rpm -qa | grep 'policykit\|polkit'
or
sudo yum list installed | grep 'policykit\|polkit'
On Suse:
sudo zypper search -i polkit
If you are a Linux admin, you know how to check it on your system.
Mitigations
Now most important part. Mitigations! You have two options.
The first one is to patch it ASAP. Fortunately, patches are already published for most versions of actively maintained Linux distributions.
You can check the security bulletins for your Linux version (each has a table with platform/release), for example:
RedHat - https://access.redhat.com/security/cve/CVE-2021-4034
Debian - https://security-tracker.debian.org/tracker/CVE-2021-4034
Ubuntu - https://ubuntu.com/security/CVE-2021-4034
SuSe - https://www.suse.com/security/cve/CVE-2021-4034.html
If there is no patch for your operating system, you have the second option: remove the SUID bit from pkexec as a temporary mitigation.
Check it (the `s` in the owner permissions, e.g. `-rwsr-xr-x`, is the SUID bit):
ls -l /usr/bin/pkexec
Remove it:
sudo chmod 0755 /usr/bin/pkexec
But to be honest, if there is no patch for your operating system, it probably means you should migrate to an actively maintained one.
Attack! I mean POC
Davide Berardi published an exploit. In the next few days there will be more and more exploits for this.
For now, if you would like to test it, just download it from GitHub, compile it using the make command and run ./cve-2021-4034.
Example:
vagrant@ubuntu-impish:~/CVE-2021-4034$ make
Easy peasy ;)
Signs of exploitation
It is possible to exploit this without leaving a trace, but you can check the logs (auth.log) for:
The value for the SHELL variable was not found the /etc/shells file
or
The value for environment variable […] contains suspicious content.
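As an added defender-side example (not from the original post, nor from the Qualys or Berardi code): a small POSIX shell script that counts those two pkexec warnings in a log file and checks whether pkexec still carries the SUID bit from the Mitigations section. The log lines inside it are constructed, and the syslog layout with a `pkexec` tag is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes auth.log is
# syslog-formatted and that pkexec logs under the tag "pkexec".

# Constructed sample of auth.log: the two pkexec warnings quoted above,
# surrounded by ordinary noise lines that must not be counted.
SAMPLE_LOG='Jan 26 10:12:01 host sshd[1201]: Accepted publickey for vagrant from 10.0.2.2 port 50122 ssh2
Jan 26 10:12:44 host pkexec[1337]: vagrant: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=/dev/pts/0] [CWD=/home/vagrant] [COMMAND=/usr/bin/id]
Jan 26 10:12:45 host pkexec[1338]: vagrant: The value for environment variable XAUTHORITY contains suspicious content [USER=root] [TTY=/dev/pts/0] [CWD=/home/vagrant] [COMMAND=/usr/bin/id]
Jan 26 10:13:02 host sudo: vagrant : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/usr/bin/apt update'

# Print how many lines of the given log file carry either pkexec warning.
# grep -c exits 1 when the count is 0, so "|| true" keeps "set -e" happy.
pwnkit_log_hits() {
    grep -c -E 'pkexec.*(was not found the /etc/shells file|contains suspicious content)' "$1" || true
}

# Return 0 when the given binary still has the setuid bit, 1 otherwise.
pkexec_is_suid() {
    [ -u "$1" ]
}

# Stand-alone demo: scan the constructed sample, then inspect the real pkexec.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$tmp"
echo "pkexec warnings in sample log: $(pwnkit_log_hits "$tmp")"
rm -f "$tmp"
if [ -e /usr/bin/pkexec ]; then
    if pkexec_is_suid /usr/bin/pkexec; then
        echo "/usr/bin/pkexec is setuid: patch it, or chmod 0755 it as the temporary mitigation"
    else
        echo "/usr/bin/pkexec is not setuid"
    fi
fi
```

Point `pwnkit_log_hits` at /var/log/auth.log (or the output of `journalctl -t pkexec`) on a real host; a non-zero count is worth a look even though a clean exploit run may leave nothing behind.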
Additional info
Fun facts. Or just facts.
You may think, what the heck happened, the CVE number says it is from last year. Yup! Qualys reported the security issue responsibly on November 18, 2021, but waited for a patch before publishing the technical details.
Official polkit repo: https://gitlab.freedesktop.org/polkit/polkit
Why is the vulnerability named “PwnKit”?
This is a pun on the name of the vulnerable application, Polkit.
Another busy week for SOCs in many companies. I hope that one member of our Discord channel finally gets to rest on a rescheduled holiday. (Best regards, Liks) If not, just let those lazy IT admins patch their shit and go rest :D