
Major Linux PolicyKit Security Vulnerability Uncovered: Pwnkit

Wednesday January 26, 2022, 04:30 AM, from Slashdot/Apple
An anonymous reader quotes a report from ZDNet: [S]ecurity company Qualys has uncovered a truly dangerous memory corruption vulnerability in polkit's pkexec, CVE-2021-4034. Polkit, formerly known as PolicyKit, is the framework Linux systems use to decide whether an unprivileged process may perform a privileged action; pkexec is its SUID-root command-line helper, and it is installed by default in every major Linux distribution. This vulnerability is easy to exploit. With it, any ordinary local user can gain full root privileges on a vulnerable computer in its default configuration. As Qualys wrote in its brief description of the problem: 'This vulnerability is an attacker's dream come true.' Why is it so bad? Let us count the ways:
- Pkexec is installed by default on all major Linux distributions.
- Qualys exploited Ubuntu, Debian, Fedora, and CentOS in its tests and expects other distributions to be exploitable as well.
- Pkexec has been vulnerable since its creation in May 2009 (commit c8c3d83, 'Add a pkexec(1) command').
- An unprivileged local user can exploit this vulnerability to get full root privileges.
- Although this vulnerability is technically a memory corruption, it is exploitable instantly and reliably in an architecture-independent way.
- And, last but not least, it is exploitable even if the polkit daemon itself is not running.

Red Hat rates PwnKit at a Common Vulnerability Scoring System (CVSS) score of 7.8, which is high. The vulnerability, which has been hiding in plain sight for 12+ years, is a problem with how pkexec handles its argument list and environment variables. The short version, according to Qualys, is: 'If our PATH is "PATH=name=.", and if the directory "name=." exists and contains an executable file named "value", then a pointer to the string "name=./value" is written out-of-bounds to envp[0].' The out-of-bounds write happens because pkexec treats its first non-option argument as the program to run and, when that name is not an absolute path, looks it up in PATH and stores the result back into the same argv slot; if pkexec is executed with an empty argument list (argc == 0), that slot is argv[1], which lies just past the NULL that terminates argv and is therefore envp[0]. While Qualys won't be releasing a demonstration exploit, the company is sure it won't take long for exploits to be available. Frankly, it's not that hard to create a PwnKit attack. It's recommended that you obtain and apply a patch ASAP to protect yourself from this vulnerability.
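The following C program is an illustration added here; it is not code from Qualys, ZDNet or the polkit project. It models the argument handling just described: argv and envp are laid out back to back with argc == 0, the way execve() leaves them, the "program name" is resolved through a stand-in for g_find_program_in_path() against a constructed one-entry filesystem in which only "name=./value" exists, and the lookup result lands in envp[0]. The argc < 1 guard in fixed_resolve() is the shape of check that closes the hole. The names vulnerable_resolve, fixed_resolve, find_in_path, env_lookup, existing_executables and envp0_overwritten are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the filesystem: the only executable the PATH
 * search can find. Mirrors the advisory's precondition that the directory
 * "name=." exists and contains an executable named "value". */
static const char *existing_executables[] = { "name=./value", NULL };

static int is_executable(const char *candidate)
{
    for (const char **p = existing_executables; *p != NULL; p++)
        if (strcmp(*p, candidate) == 0)
            return 1;
    return 0;
}

/* Minimal model of g_find_program_in_path(): split PATH on ':' and return
 * the first "dir/name" that exists, as a freshly malloc'd string. */
static char *find_in_path(const char *name, const char *path_env)
{
    if (path_env == NULL)
        return NULL;
    const char *dir = path_env;
    for (;;) {
        const char *end = strchr(dir, ':');
        size_t dlen = end ? (size_t)(end - dir) : strlen(dir);
        size_t len = dlen + 1 + strlen(name) + 1;
        char *candidate = malloc(len);
        snprintf(candidate, len, "%.*s/%s", (int)dlen, dir, name);
        if (is_executable(candidate))
            return candidate;
        free(candidate);
        if (end == NULL)
            return NULL;
        dir = end + 1;
    }
}

/* Look up KEY=value in an envp-style array; returns the value or NULL. */
static const char *env_lookup(char **envp, const char *key)
{
    size_t klen = strlen(key);
    for (char **e = envp; *e != NULL; e++)
        if (strncmp(*e, key, klen) == 0 && (*e)[klen] == '=')
            return *e + klen + 1;
    return NULL;
}

/* Model of the pre-fix logic: skip options, then take argv[n] as the
 * program to run and, if it is not absolute, overwrite argv[n] with the
 * PATH lookup result. With argc == 0 the loop never runs, n stays 1, and
 * argv[1] sits one past argv's terminating NULL: it is envp[0]. */
static char *vulnerable_resolve(int argc, char **argv, char **envp)
{
    int n;
    for (n = 1; n < argc; n++)
        if (strcmp(argv[n], "--help") == 0)
            return NULL;            /* option handling elided */
    char *path = argv[n];
    if (path == NULL)
        return NULL;
    if (path[0] != '/') {
        char *resolved = find_in_path(path, env_lookup(envp, "PATH"));
        if (resolved == NULL)
            return NULL;
        argv[n] = resolved;         /* the out-of-bounds write when argc == 0 */
        path = resolved;
    }
    return path;
}

/* Hardened form: refuse an empty argument list before touching argv[1]. */
static char *fixed_resolve(int argc, char **argv, char **envp)
{
    if (argc < 1)
        return NULL;
    return vulnerable_resolve(argc, argv, envp);
}

/* Lay out argv and envp contiguously with argc == 0, run one variant, copy
 * the final envp[0] into out, and return 1 if envp[0] was overwritten. */
int envp0_overwritten(int use_fix, char *out, size_t outsz)
{
    char *vec[] = { NULL, "value", "PATH=name=.", NULL };
    char **argv = vec;       /* argv[0] == NULL, i.e. argc is 0 */
    char **envp = vec + 1;   /* envp[0] == "value" */
    char *r = use_fix ? fixed_resolve(0, argv, envp)
                      : vulnerable_resolve(0, argv, envp);
    int changed = strcmp(envp[0], "value") != 0;
    snprintf(out, outsz, "%s", envp[0]);
    if (changed)
        free(r);                 /* r == envp[0], the malloc'd lookup result */
    return changed;
}

int main(void)
{
    char buf[64];
    int hit = envp0_overwritten(0, buf, sizeof buf);
    printf("vulnerable: envp[0] = \"%s\" (%s)\n", buf, hit ? "overwritten" : "intact");
    hit = envp0_overwritten(1, buf, sizeof buf);
    printf("fixed:      envp[0] = \"%s\" (%s)\n", buf, hit ? "overwritten" : "intact");
    return 0;
}
```

Build with `cc -Wall -o argc0 argc0.c && ./argc0`. The vulnerable run reports envp[0] changed from "value" to "name=./value", which is exactly the pointer the Qualys description says is written out of bounds; the guarded run leaves envp[0] intact. The model stops at the corrupted environment entry and does not reproduce anything downstream of it.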

'If no patches are available for your operating system, you can remove the SUID-bit from pkexec as a temporary mitigation,' adds ZDNet. 'For example, this root-powered shell command will stop attacks: # chmod 0755 /usr/bin/pkexec.'

Read more of this story at Slashdot.
https://linux.slashdot.org/story/22/01/25/2259214/major-linux-policykit-security-vulnerability-uncov...
News copyright owned by their original publishers | Copyright © 2004 - 2024 Zicos / 440Network