PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit’s pkexec (CVE-2021-4034)

Summary

The Qualys Research Team has discovered a memory corruption vulnerability in polkit’s pkexec, a SUID-root program that is installed by default on every major Linux distribution. This easily exploited vulnerability allows any unprivileged user to gain full root privileges on a vulnerable host in its default configuration.

"Polkit (formerly PolicyKit) is a component for controlling system-wide
privileges in Unix-like operating systems. It provides an organized way
for non-privileged processes to communicate with privileged ones. [...]
It is also possible to use polkit to execute commands with elevated
privileges using the command pkexec followed by the command intended to
be executed (with root permission)." (Wikipedia)

You can read more on Qualys’ advisory.

Exploit Proof of Concept

A few hours after the disclosure, arthepsy had already published a working exploit on GitHub.

I have tested the exploit and found it working on a default installation of Kali Linux. However, it needs gcc installed to make it work.

For machines that don’t have gcc installed, you can compile the shared object and the main exploit separately (on a machine that has gcc) and copy the resulting binaries over.

pwnkit.c

Compile this using gcc pwnkit.c -o pwnkit.so -shared -fPIC. The shared object pwnkit.so must be inside a folder named pwnkit.

cve-2021-4034-poc.c

Compile this using gcc cve-2021-4034-poc.c -o cve-2021-4034-poc.

The directory structure must look like this:

gengstah@gengstah:~$ ls -lR | grep "cve\|pwnkit"
-rwxr-x--- 1 gengstah gengstah 16376 Jan 26 22:25 cve-2021-4034-poc
-rw-r----- 1 gengstah gengstah 1268 Jan 26 22:24 cve-2021-4034-poc.c
drwxr-x--- 2 gengstah gengstah 4096 Jan 26 22:35 pwnkit
./pwnkit:
-rw-r----- 1 gengstah gengstah 275 Jan 26 22:34 pwnkit.c
-rwxr-x--- 1 gengstah gengstah 15688 Jan 26 22:35 pwnkit.so

Compiling the shared object and the main exploit separately should have the same effect as the original all-in-one exploit.
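From the defender's side, the two questions that matter for this bug are whether a host is still exposed (is pkexec setuid-root and unpatched?) and whether a host shows the traces Qualys' advisory says this exploitation technique leaves in the logs. The script below is an added example, not code from the original post or from the PoC it describes. It assumes pkexec lives at /usr/bin/pkexec (override with PKEXEC_PATH), uses the interim mitigation Qualys published (strip the setuid bit until polkit is patched), and matches the two log messages the advisory names; the sample log excerpt is constructed.

```shell
#!/bin/sh
# Added defensive check for CVE-2021-4034 (PwnKit); not code from the original
# post or from the PoC it describes. Assumptions: pkexec is at /usr/bin/pkexec
# unless PKEXEC_PATH is set; the two log messages are the ones Qualys' advisory
# lists as the traces the exploit leaves (verify the wording against your
# distribution's polkit build).

PKEXEC_PATH="${PKEXEC_PATH:-/usr/bin/pkexec}"

# Exit 0 when the file exists and carries the setuid bit, i.e. the precondition
# the exploit depends on; exit 1 otherwise (file missing, or bit already removed).
is_setuid() {
    [ -u "$1" ]
}

# Qualys' interim mitigation for hosts that cannot be patched right away: strip
# the setuid bit. Note that pkexec stops working for legitimate users until the
# patched package is installed.
remove_setuid() {
    chmod 0755 "$1" && ! [ -u "$1" ]
}

# Count log lines carrying the messages pkexec emits when it refuses the
# environment; both come from the code path the PoC triggers. The polkit source
# spells the second one "suscipious", so the pattern accepts either spelling.
count_pwnkit_traces() {
    grep -c -E 'The value for the SHELL variable was not found the /etc/shells file|contains sus[a-z]*ious content' || true
}

# Constructed sample log excerpt (not real data): two hits and one unrelated line.
SAMPLE_LOG='Jan 26 22:40:01 host pkexec[4242]: alice: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=unknown] [CWD=/home/alice] [COMMAND=]
Jan 26 22:40:02 host pkexec[4243]: alice: The value for environment variable [PATH] contains suscipious content [USER=root] [TTY=unknown] [CWD=/home/alice] [COMMAND=]
Jan 26 22:41:10 host sshd[4300]: Accepted publickey for alice from 192.0.2.10 port 50000'

sample_trace_count() {
    printf '%s\n' "$SAMPLE_LOG" | count_pwnkit_traces
}

report() {
    if is_setuid "$PKEXEC_PATH"; then
        echo "$PKEXEC_PATH is setuid: install the patched polkit, or run remove_setuid $PKEXEC_PATH as root"
    else
        echo "$PKEXEC_PATH is not setuid (absent, or bit already removed)"
    fi
    echo "PwnKit traces in sample log: $(sample_trace_count)"
}

report
```

Run it as-is for the report, or feed real logs with `journalctl -t pkexec | count_pwnkit_traces` after sourcing the file. Two caveats from the advisory itself: the setuid check only tells you the bit is present, not whether the installed polkit package is patched, so treat the package version as the authoritative signal; and Qualys noted the bug can also be exploited without leaving these log lines, so a zero count is not proof of a clean host.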
