Linux Distros Haunted by Polkit Bug for 12 years - Grants Root Access to any User

Linux distributions have been haunted by a Polkit bug for more than 12 years: the vulnerability lets any unprivileged local user gain full root access on a system in its default configuration.

The flaw was discovered by security vendor Qualys, which published the details in a coordinated disclosure.

Polkit, formerly known as PolicyKit, is a component used to define policies governing how unprivileged processes interact with privileged ones. The vulnerability is in pkexec, polkit's SUID-root program for running commands as another user, which is installed by default on all major Linux distributions. It has been designated CVE-2021-4034 and given a CVSS score of 7.8.

Bharat Jogi of Qualys wrote in the disclosure blog post: “Qualys security researchers have been able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu, Debian, Fedora, and CentOS. Other Linux distributions are likely vulnerable and probably exploitable. This vulnerability has been hiding in plain sight for 12+ years and affects all versions of pkexec since its first version in May 2009 (commit c8c3d83, “Add a pkexec(1) command”).”

In other words, every release of pkexec since the command was introduced in May 2009 is affected.

The bug is in pkexec's main() function, in the way it processes command-line arguments when argc, the argument count, is zero. On Linux a program can be execve()'d with an empty argument list, so argv[0] is NULL and argv[1] lies just past the end of the argument vector, in the memory that holds the environment. pkexec reads that out-of-bounds entry as if it were the name of the program to run and then writes a resolved path back into the same slot, so both the out-of-bounds read and the out-of-bounds write land on the first environment variable. An attacker uses this to inject an environment variable that makes pkexec load and execute arbitrary code from disk as root.

Jogi further added, “This out-of-bounds write allows us to re-introduce an ‘unsecure’ environment variable (for example, LD_PRELOAD) into pkexec’s environment. These ‘unsecure’ variables are normally removed (by ld.so) from the environment of SUID programs before the main() function is called.”

Because the corrupted variable is written after ld.so has already sanitised the environment, it stays in place and is honoured by later library code. The specific technique Qualys describes, injecting GCONV_PATH into pkexec's environment so that it loads an attacker-supplied shared library as root, leaves traces in the log files.
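To make the argc == 0 mechanism concrete, here is an added userland model of the bug and of the fix. It is illustrative code written for this article, not pkexec's source: it lays out argv and envp back to back the way the Linux kernel does, mirrors the shape of the vulnerable argument handling, and stands in a trivial `sim_find_program_in_path()` for GLib's `g_find_program_in_path()`. The directory name `GCONV_PATH=.` and the payload name `pwnkit` are assumptions chosen to match the GCONV_PATH technique described above.

```c
/* Added illustration, not pkexec's source: a userland model of the argc == 0
 * bug in pkexec's main(). On Linux the kernel places argv and envp back to
 * back on the new process's stack:
 *     argv[0] .. argv[argc-1]  NULL  envp[0] .. envp[m-1]  NULL
 * so with argc == 0, argv[1] is the same memory slot as envp[0]. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical attacker-controlled PATH entry: a directory literally named
 * "GCONV_PATH=." (assumption for this demo, matching the Qualys technique). */
#define SIM_PATH_DIR "GCONV_PATH=."

/* Stand-in for g_find_program_in_path(): pretends SIM_PATH_DIR is the only
 * PATH entry and that every program name is found there. Returns heap memory,
 * like the GLib function it imitates. */
static char *sim_find_program_in_path(const char *name)
{
    size_t len = strlen(SIM_PATH_DIR) + 1 + strlen(name) + 1;
    char *out = malloc(len);
    if (out == NULL)
        abort();
    snprintf(out, len, "%s/%s", SIM_PATH_DIR, name);
    return out;
}

/* Shape of the vulnerable code: skip options, read argv[n], and if it is not
 * an absolute path, resolve it via PATH and write the result back into
 * argv[n]. Returns 0 on success, -1 if it gives up. */
static int vulnerable_argv_handling(int argc, char **argv)
{
    int n;
    for (n = 1; n < argc; n++) {            /* option loop; never runs if argc == 0 */
        if (argv[n][0] != '-')
            break;                          /* first non-option is the program */
    }
    char *path = argv[n];                   /* argc == 0: n == 1, reads envp[0] (OOB read) */
    if (path == NULL)
        return -1;                          /* the only check the old code had */
    if (path[0] != '/') {
        char *resolved = sim_find_program_in_path(path);
        argv[n] = resolved;                 /* argc == 0: overwrites envp[0] (OOB write) */
    }
    return 0;
}

/* Hardened form, same effect as the upstream fix: bail out when argc < 1. */
static int fixed_argv_handling(int argc, char **argv)
{
    if (argc < 1)
        return -1;
    return vulnerable_argv_handling(argc, argv);
}

/* Builds the kernel-style layout for argc == 0: argv == {NULL} immediately
 * followed by envp == {payload, NULL}. payload is the attacker's constructed
 * envp[0], here "pwnkit", the name of a file placed under SIM_PATH_DIR. */
static char **build_empty_argv_stack(char *payload)
{
    char **stack = calloc(3, sizeof *stack);
    if (stack == NULL)
        abort();
    stack[0] = NULL;      /* argv terminator: argv has zero entries */
    stack[1] = payload;   /* envp[0], aliased by argv[1] */
    stack[2] = NULL;      /* envp terminator */
    return stack;
}

/* Runs the vulnerable path with argc == 0 and returns what envp[0] holds
 * afterwards: "GCONV_PATH=./pwnkit", an "unsecure" variable that ld.so had
 * no chance to strip because it did not exist before main() ran. */
const char *demo_vulnerable(void)
{
    static char payload[] = "pwnkit";
    char **stack = build_empty_argv_stack(payload);
    char **argv = stack;
    char **envp = stack + 1;
    vulnerable_argv_handling(0, argv);
    return envp[0];
}

/* Same input against the hardened version: returns -1, nothing is written. */
int demo_fixed(void)
{
    static char payload[] = "pwnkit";
    char **stack = build_empty_argv_stack(payload);
    return fixed_argv_handling(0, stack);
}

int main(void)
{
    printf("vulnerable: envp[0] is now \"%s\"\n", demo_vulnerable());
    printf("fixed: returns %d\n", demo_fixed());
    return 0;
}
```

The model deliberately stops at the corrupted environment: in the real attack the reintroduced GCONV_PATH entry is what later makes glibc's iconv machinery load an attacker-controlled shared library while pkexec is still running as root. The guard in `fixed_argv_handling()` is the whole defence; once argc is known to be at least 1, argv[n] can no longer alias the environment.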

According to Jogi, polkit also supports non-Linux operating systems such as Solaris and BSD.

Qualys did not test those systems for exploitability, but OpenBSD is not affected because its kernel refuses to execve() a program, that is, run it by its pathname, when argc is 0.

Patches are now available for most major distributions, including Red Hat and Ubuntu. Users should apply them as soon as possible, especially on multi-user systems; where no patch is available yet, the Qualys advisory suggests removing the SUID bit from pkexec as a temporary mitigation.
