PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit’s pkexec (CVE-2021–4034)

Summary

The Qualys Research Team has discovered a memory corruption vulnerability in polkit’s pkexec, a SUID-root program that is installed by default on every major Linux distribution. This easily exploited vulnerability allows any unprivileged user to gain full root privileges on a vulnerable host by exploiting this vulnerability in its default configuration.

"Polkit (formerly PolicyKit) is a component for controlling system-wide
privileges in Unix-like operating systems. It provides an organized way
for non-privileged processes to communicate with privileged ones. [...]
It is also possible to use polkit to execute commands with elevated
privileges using the command pkexec followed by the command intended to
be executed (with root permission)." (Wikipedia)

You can read more on Qualys’ advisory.

Exploit Proof of Concept

A few hours after the disclosure, arthepsy already published a working exploit in GitHub.

I have tested the exploit and found it working on a default installation of Kali Linux. However, it needs gcc installed to make it work.

For machines that don’t have gcc installed, you can separately compile the Shared Object and the main exploit.

pwnkit.c

Compile this using gcc pwnkit.c -o pwnkit.so -shared -fPIC. The shared object pwnkit.so must be inside a folder named pwnkit.

cve-2021–4034-poc.c

Compile this using gcc cve-2021–4034-poc.c -o cve-2021–4034-poc.

The directory structure must look like this:

gengstah@gengstah:~$ ls -lR | grep "cve\|pwnkit"
-rwxr-x--- 1 gengstah gengstah    16376 Jan 26 22:25 cve-2021-4034-poc
-rw-r----- 1 gengstah gengstah     1268 Jan 26 22:24 cve-2021-4034-poc.c
drwxr-x--- 2 gengstah gengstah     4096 Jan 26 22:35 pwnkit
./pwnkit:
-rw-r----- 1 gengstah gengstah   275 Jan 26 22:34 pwnkit.c
-rwxr-x--- 1 gengstah gengstah 15688 Jan 26 22:35 pwnkit.so

Separating the shared object from the main exploit should have the same effect.