Skip to main content

Analyzing the PwnKit local privilege escalation exploit

Written by:

Kyle Suero

wordpress-sync/blog-feature-security-alert-purple

January 29, 2022

0 mins read

What do Linux vulnerabilities and natural disasters have in common? Something seemingly dormant can suddenly spring to life, exposing activity beneath the surface. Several days ago, a security researcher published a high-severity vulnerability named PwnKit that impacts most major Linux distributions. The scary part? It has existed since May of 2009.

Polkit is a component for controlling privileges in Unix-like operating systems and is included by default on most major Linux distributions. The pkexec command, included with Polkit, is used to execute commands with elevated privileges, and has been dubbed the sudo of systemd.

Polkit’s vulnerability, in this instance, is no longer a dormant threat. This common component in Linux-based operating systems has had this lingering vulnerability since its inception in 2009. First utilized in the Fedora operating system, versions of this policy control mechanism have proliferated in various operating systems since then.

The vulnerability allows an attacker, running as a local and unprivileged user, to corrupt memory through a buffer overflow. As the Qualys team has shown, this overflow can then be exploited to obtain full root privileges. In 2013 Ryan Mallon reported this vulnerability and submitted a patch to the maintainers. Mallon was unable to find a way to exploit the vulnerability and the patch was never applied.

The root of this defect lies in command line arguments handling. In C programs on Linux, the first argument (argv[0]) is usually the name of the executable itself. But it is possible to specify an empty list without the executable name by calling the execve function. In such cases if the code relies on the fact that argv[0] always exists it can lead to memory corruption vulnerabilities. This underlying issue in argument handling exists in other binaries, but pkexec is a special case since it is SUID and has a special set of file permissions which allows it to run as the original owner of the file and not the user who ran it.  

We won’t go into all the details here — as they are well documented in the original disclosure — but when there are no arguments to the pkexec command, the list of arguments will be empty, resulting in corrupted memory, thereby allowing attackers to gain full root privileges on the target host.

Patch your system to protect yourself from PwnKit

Exploits for pwnkit are extremely simple, and now exist in the wild. Thankfully patches have been made available extremely quickly, so be sure to install all operating system updates immediately!

If you aren’t able to install operating system updates, a suitable workaround is to remove the SUID bit from pkexec manually using the chmod command:

1chmod 0755 /usr/bin/pkexec

This exploit is a good reminder that severe vulnerabilities can exist undetected for a very long time, even in widely used open source applications whose source code has had many eyeballs on it over a long period of time.

Keeping up to date with security patches is a vital practice for mitigating security threats. If you’re using containers to deploy software, you should consider rolling out updated images that include these operating system patches. If you’re using Snyk Container, you can easily find (and fix) vulnerabilities like PwnKit in your containers. Snyk will direct you to updated base images that fix the problem, or to a fix or patch you can add yourself.

Vulnerable operating systems

RedHat

  • Red Hat Enterprise Linux 6

  • Red Hat Enterprise Linux 7

  • Red Hat Enterprise Linux 8

  • Red Hat Virtualization 4

Ubuntu:

  • Ubuntu 21.10

  • Ubuntu 20.04

  • Ubuntu 18.04

  • Ubuntu 16.04

  • Ubuntu 14.04

Suse:

  • HPE Helion Openstack 8

  • SUSE CaaS Platform 4.0

  • SUSE Enterprise Storage 6

  • SUSE Enterprise Storage 7

  • SUSE Linux Enterprise High Performance Computing 15

  • SUSE Linux Enterprise Micro 5

  • SUSE Linux Enterprise Module for Basesystem 15

  • SUSE Linux Enterprise Server 12

  • SUSE Linux Enterprise Server 15

  • SUSE Linux Enterprise Server for SAP Applications 12

  • SUSE Linux Enterprise Server for SAP Applications 15

  • SUSE Linux Enterprise Software Development Kit 12

  • SUSE Manager Proxy 4

  • SUSE OpenStack Cloud 8

  • SUSE OpenStack Cloud 9

  • SUSE OpenStack Cloud Crowbar 8

  • SUSE OpenStack Cloud Crowbar 9

  • openSUSE Leap 15

Note: SUSE Linux Enterprise 11 is not affected, as it uses the older generation PolicyKit-1.

Security advisories

wordpress-sync/blog-feature-security-alert-purple

How CISOs are Transforming their DevSecOps Strategies

500 devs to 1 security professional is the reality of today. The security pro’s role must transform into an aware, knowledgeable, supportive partner capable of empowering developers to make security decisions.