Pwnkit Local Linux Privesc Affecting Most Distros CVE-2021-4034 (12-year-old vulnerability?!)
WhoAmI
Hey, I am Nour, a second-year Software Engineering student who is interested in cyber security, especially red teaming. I am an “IBM Cyber Security Student Community” Leader, where we learn cyber security together, and I am also an AWS Community Builder and a CTF player (TryHackMe).
Today we will talk about a very easy way to become root in most Linux distros.
NOTE: This Is For Educational Purposes Only
Introduction
Who found the vulnerability?
- The Qualys Research Team
What is the vulnerability?
- It is a memory corruption vulnerability in polkit’s pkexec
But what is polkit’s pkexec?
- SUID-root program that is installed by default on every major Linux distribution (Ubuntu, Debian, Fedora, CentOS, …)
- It provides an organized way for non-privileged processes to communicate with privileged processes
How does it work?
The out-of-bounds write makes it possible to reintroduce “unsecure” environment variables into pkexec’s environment, and that is what leads to becoming root (for more information, read the official Qualys blog linked under Resources).
Quick Patch for PWNKIT
Remove the SUID bit from pkexec so it no longer runs as root:
chmod 0755 /usr/bin/pkexec
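A small check script, added here and not part of the original post, that reports whether pkexec still carries the SUID bit and applies the chmod 0755 mitigation above only when run with FIX=1; the path /usr/bin/pkexec is the one given above, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): check whether the pkexec SUID bit
# is still set, i.e. whether the "chmod 0755 /usr/bin/pkexec" mitigation has
# been applied, and optionally apply it.

# mode_has_suid MODE: MODE is an octal mode string as printed by `stat -c %a`
# ("755", "4755", "2755", ...). Prints "yes" when the setuid bit is set.
# The setuid bit is the 4 in the leading "special" digit, so 4xxx, 5xxx, 6xxx
# and 7xxx all count; 2755 (setgid only) and 755 do not.
mode_has_suid() {
    case $1 in
        [4-7]???|0[4-7]???) echo yes ;;
        *) echo no ;;
    esac
}

# pkexec_status PATH: prints "missing", "suid" (SUID bit still present, so the
# quick patch has not been applied) or "mitigated" (SUID bit removed).
pkexec_status() {
    path=$1
    [ -e "$path" ] || { echo missing; return 0; }
    if [ "$(mode_has_suid "$(stat -c %a "$path")")" = yes ]; then
        echo suid
    else
        echo mitigated
    fi
}

# Report the status of pkexec; only change the mode when FIX=1 is set, so a plain
# run is read-only. The target defaults to the path used in the post.
main() {
    target=${1:-/usr/bin/pkexec}
    status=$(pkexec_status "$target")
    echo "$target: $status"
    if [ "$status" = suid ] && [ "${FIX:-0}" = 1 ]; then
        chmod 0755 "$target" && echo "$target: SUID bit removed"
    fi
}

main "$@"
```

Removing the SUID bit is a stop-gap: pkexec stops working for unprivileged users until the distribution's patched polkit package is installed.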
PoC
Resources
- The official blog by Qualys
- Official PoC
- PoC by Arthepsy (Including the script)
Newsletter
I will be sharing my learning journey, cyber security news, new CVEs and study resources, and more, feel free to subscribe 😊 and please don’t forget to drink water 🌊