Major Linux PolicyKit Security Vulnerability Uncovered: Pwnkit
An anonymous reader quotes a report from ZDNet: [S]ecurity company Qualys has uncovered a truly dangerous memory corruption vulnerability in polkit's pkexec, CVE-2021-4034. Polkit, formerly known as PolicyKit, is a systemd SUID-root program. It's installed by default in every major Linux distribution. This vulnerability is easy to exploit. And, with it, any ordinary user can gain full root privileges on a vulnerable computer by exploiting this vulnerability in its default configuration. As Qualsys wrote in its brief description of the problem: "This vulnerability is an attacker's dream come true." Why is it so bad? Let us count the ways: - Pkexec is installed by default on all major Linux distributions. - Qualsys has exploited Ubuntu, Debian, Fedora, and CentOS in their tests, and they're sure other distributions are also exploitable. - Pkexec has been vulnerable since its creation in May 2009 (commit c8c3d83, "Add a pkexec(1) command"). - An unprivileged local user can exploit this vulnerability to get full root privileges. - Although this vulnerability is technically a memory corruption, it is exploitable instantly and reliably in an architecture-independent way. - And, last but not least, it's exploitable even if the polkit daemon itself is not running. Red Hat rates the PwnKit as having a Common Vulnerability Scoring System (CVSS) score of 7.8. This is high. [...] This vulnerability, which has been hiding in plain sight for 12+ years, is a problem with how pkexec reads environmental variables. The short version, according to Qualsys, is: "If our PATH is "PATH=name=.", and if the directory "name=." exists and contains an executable file named "value", then a pointer to the string "name=./value" is written out-of-bounds to envp[0]." While Qualsys won't be releasing a demonstration exploit, the company is sure it won't take long for exploits to be available. Frankly, it's not that hard to create a PwnKit attack. It's recommended that you obtain and apply a patch ASAP to protect yourself from this vulnerability. "If no patches are available for your operating system, you can remove the SUID-bit from pkexec as a temporary mitigation," adds ZDNet. "For example, this root-powered shell command will stop attacks: # chmod 0755 /usr/bin/pkexec."
Read more of this story at Slashdot.