A 12-year-old security vulnerability has been disclosed in a system utility called Polkit that grants attackers root privileges on Linux systems, even as a proof-of-concept (PoC) exploit has emerged in the wild merely hours after technical details of the bug became public.
Dubbed “PwnKit” by Qualys cybersecurity firm, the vulnerability impacts a component of polkit called “pkexec”, a program which is installed as default on all major Linux distributions such as Ubunti and Debian.
Polkit (formerly called PolicyKit) is a toolkit for controlling system-wide privileges in Unix-like operating systems, and provides a mechanism for non-privileged processes to communicate with privileged processes.
“This vulnerability allows any unprivileged user to gain full root privileges on a vulnerable host by exploiting this vulnerability in its default configuration,” Bharat Jogi, director of vulnerability and threat research at Qualys, said, adding it “has been hiding in plain sight for 12+ years and affects all versions of pkexec since its first version in May 2009. “
The flaw, which concerns a case of memory corruption and has been assigned the identifier CVE-2021-4034, was reported to Linux vendors on November 18, 2021, following which patches have been issued by Red Hat and Ubuntu.
pkexec, analogous to the sudo command, allows an authorized user to execute commands as another user, doubling as an alternative to sudo. If no username is specified, the command to be executed will be run as the administrative super user, root.
PwnKit is a result of an out-of bounds write which allows the reintroduction “unsecure” environment variables to pkexec. Although this flaw isn’t remotely exploitable an attacker who has gained access to a system through another method can use the flaw for full root privileges.
Complicating matters is the emergence of a PoC in the wild, which CERT/CC vulnerability analyst Will Dormann called “simple and universal,” making it absolutely vital that the patches are applied as soon as possible to contain potential threats.
This development is the second in a series of security holes discovered in Polkit. In June 2021, GitHub security researcher Kevin Backhouse revealed details of a seven-year-old privilege escalation vulnerability (CVE-2021-3560) that could be abused to escalate permissions to the root user.
On top of that, the disclosure also arrives close on the heels of a security flaw affecting the Linux kernel (CVE-2022-0185) that could be exploited by an attacker with access to a system as an unprivileged user to escalate those rights to root and break out of containers in Kubernetes setups.