Analyzing the PwnKit local privilege escalation exploit
Kyle Suero
January 29, 2022
0 mins readWhat do Linux vulnerabilities and natural disasters have in common? Something seemingly dormant can suddenly spring to life, exposing activity beneath the surface. Several days ago, a security researcher published a high-severity vulnerability named PwnKit that impacts most major Linux distributions. The scary part? It has existed since May of 2009.
Polkit is a component for controlling privileges in Unix-like operating systems and is included by default on most major Linux distributions. The pkexec
command, included with Polkit, is used to execute commands with elevated privileges, and has been dubbed the sudo of systemd.
Polkit’s vulnerability, in this instance, is no longer a dormant threat. This common component in Linux-based operating systems has had this lingering vulnerability since its inception in 2009. First utilized in the Fedora operating system, versions of this policy control mechanism have proliferated in various operating systems since then.
The vulnerability allows an attacker, running as a local and unprivileged user, to corrupt memory through a buffer overflow. As the Qualys team has shown, this overflow can then be exploited to obtain full root privileges. In 2013 Ryan Mallon reported this vulnerability and submitted a patch to the maintainers. Mallon was unable to find a way to exploit the vulnerability and the patch was never applied.
The root of this defect lies in command line arguments handling. In C programs on Linux, the first argument (argv[0]
) is usually the name of the executable itself. But it is possible to specify an empty list without the executable name by calling the execve
function. In such cases if the code relies on the fact that argv[0]
always exists it can lead to memory corruption vulnerabilities. This underlying issue in argument handling exists in other binaries, but pkexec
is a special case since it is SUID and has a special set of file permissions which allows it to run as the original owner of the file and not the user who ran it.
We won’t go into all the details here — as they are well documented in the original disclosure — but when there are no arguments to the pkexec
command, the list of arguments will be empty, resulting in corrupted memory, thereby allowing attackers to gain full root privileges on the target host.
Patch your system to protect yourself from PwnKit
Exploits for pwnkit are extremely simple, and now exist in the wild. Thankfully patches have been made available extremely quickly, so be sure to install all operating system updates immediately!
If you aren’t able to install operating system updates, a suitable workaround is to remove the SUID bit from pkexec
manually using the chmod
command:
1chmod 0755 /usr/bin/pkexec
This exploit is a good reminder that severe vulnerabilities can exist undetected for a very long time, even in widely used open source applications whose source code has had many eyeballs on it over a long period of time.
Keeping up to date with security patches is a vital practice for mitigating security threats. If you’re using containers to deploy software, you should consider rolling out updated images that include these operating system patches. If you’re using Snyk Container, you can easily find (and fix) vulnerabilities like PwnKit in your containers. Snyk will direct you to updated base images that fix the problem, or to a fix or patch you can add yourself.
Developer-first container security
Snyk finds and automatically fixes vulnerabilities in container images and Kubernetes workloads.
Vulnerable operating systems
RedHat
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 8
Red Hat Virtualization 4
Ubuntu:
Ubuntu 21.10
Ubuntu 20.04
Ubuntu 18.04
Ubuntu 16.04
Ubuntu 14.04
Suse:
HPE Helion Openstack 8
SUSE CaaS Platform 4.0
SUSE Enterprise Storage 6
SUSE Enterprise Storage 7
SUSE Linux Enterprise High Performance Computing 15
SUSE Linux Enterprise Micro 5
SUSE Linux Enterprise Module for Basesystem 15
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 15
SUSE Linux Enterprise Server for SAP Applications 12
SUSE Linux Enterprise Server for SAP Applications 15
SUSE Linux Enterprise Software Development Kit 12
SUSE Manager Proxy 4
SUSE OpenStack Cloud 8
SUSE OpenStack Cloud 9
SUSE OpenStack Cloud Crowbar 8
SUSE OpenStack Cloud Crowbar 9
openSUSE Leap 15
Note: SUSE Linux Enterprise 11 is not affected, as it uses the older generation PolicyKit-1.