PwnKit
CVE-2021-4034
CVE-2021-4034 (PwnKit) was discovered by researchers at Qualys and publicly disclosed in January 2022. The vulnerability has been present in every version of pkexec since the utility was first added to the "PolicyKit" (Polkit) package in May 2009, and it allows any unprivileged local user to obtain full root privileges on a Linux machine that ships a vulnerable pkexec. Polkit is installed by default on most Linux distributions, which makes the vulnerability extremely widespread. The bug lives in the pkexec utility: a setuid-root command that authorized users run to execute a program as another user, usually root (similar to sudo).
> Pkexec attempts to parse any command-line arguments that we pass it using a for-loop, starting at index 1 to offset the name of the program and obtain the first real argument. The name of the program is irrelevant to argument parsing, so the indexing is simply offset to ignore it. But if we don't provide any arguments, the index is permanently set to 1. This becomes a problem later when pkexec attempts to write to the value of the argument at index n. As there are no command-line arguments, there is no argument at index n — instead the program overwrites the next thing in memory, which just so happens to be the first value in the list of environment variables when the program is called using a C function called execve(). In other words, by passing pkexec a null list of arguments, we can force it to overwrite an environment variable instead!
>
> - TryHackMe
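The argv/envp overlap described above, as an added example (this is not code from the page, from Qualys or from polkit). It reproduces only the shape of pkexec's argument loop and the upstream fix; `vulnerable_pick_program`, `fixed_pick_program` and the `PWNKIT_DEMO` marker variable are names chosen here for illustration, and `--disable-internal-agent` stands in for the handful of flags real pkexec accepts. Running the binary re-executes itself with an empty argv, exactly as the exploit launches pkexec, and prints what the pkexec-style `argv[n]` read actually sees.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * Mimics the argument loop at the top of pkexec's main(): n starts at 1 to
 * skip argv[0], leading option flags are consumed, and whatever sits at
 * argv[n] afterwards is taken as the program to run. When argc == 0 the
 * loop body never runs, n stays 1, and argv[1] is read one slot past the
 * NULL that terminates argv. On Linux that slot is envp[0].
 */
static const char *vulnerable_pick_program(int argc, char **argv)
{
    int n;
    for (n = 1; n < argc; n++) {
        /* one of the flags pkexec accepts before the command (illustrative) */
        if (strcmp(argv[n], "--disable-internal-agent") == 0)
            continue;
        break;               /* first non-option: this is the program */
    }
    return argv[n];          /* out of bounds when argc == 0 */
}

/* The upstream fix: pkexec now refuses to run at all when argc < 1. */
static const char *fixed_pick_program(int argc, char **argv)
{
    if (argc < 1)
        return NULL;
    return vulnerable_pick_program(argc, argv);
}

int main(int argc, char **argv)
{
    /* Second stage: we were re-executed with an empty argv (marker set below).
     * Kernels >= 5.18 rewrite an empty argv to {"", NULL}, so there argc is 1
     * and the read stays in bounds; on older kernels argc is 0 and argv[1]
     * aliases envp[0]. */
    if (argc == 0 || getenv("PWNKIT_DEMO") != NULL) {
        const char *p = vulnerable_pick_program(argc, argv);
        printf("re-executed with argc=%d\n", argc);
        printf("pkexec-style argv[n] read: %s\n", p ? p : "(null)");
        printf("fixed variant returns: %s\n",
               fixed_pick_program(argc, argv) ? "a program name" : "NULL");
        return 0;
    }

    /* First stage: re-exec ourselves the way the exploit launches pkexec,
     * with argv = {NULL} and a single attacker-chosen environment entry. */
    char *empty_argv[] = { NULL };
    char *demo_envp[]  = { "PWNKIT_DEMO=1", NULL };
    execve("/proc/self/exe", empty_argv, demo_envp);
    perror("execve");
    return 1;
}
```

The in-process part of the demonstration can also be checked without the re-exec by handing the functions a hand-built pointer array laid out like the process stack (`argv[0]`'s NULL terminator followed by the first environment string): with `argc` of 0 the vulnerable loop returns the environment string, the fixed variant returns NULL.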
For the PwnKit exploit to work, the pkexec binary must have the SUID bit set (it is installed setuid root by default, so this is normally the case).
Check if the policykit package is vulnerable

Here is a summary table of patched versions by OS; any earlier version of the package is vulnerable.

OS Version | Patched version |
---|---|
CentOS 7 | polkit-0.112-26.el7_9.1 |
CentOS 8 | polkit-0.115-13.el8_5.1 |
Debian 9 | policykit-1_0.105-18+deb9u2 |
Debian 10 | policykit-1_0.105-25+deb10u1 |
Debian 11 | policykit-1_0.105-31+deb11u1 |
Oracle Linux 6 | polkit-0.96-11.0.1.el6_10.1 |
Oracle Linux 7 | polkit-0.112-26.0.1.el7_9.1 |
Oracle Linux 8 | polkit-0.115-13.0.1.el8_5.1 |
SUSE Linux Enterprise Server 12 | polkit-debugsource-0.113-5.24.1 |
SUSE Linux Enterprise Server 15 LTSS and SP1 | polkit-debugsource-0.116-3.6.1 |
SUSE Linux Enterprise Server 15 SP2 | polkit-debugsource-0.114-3.15.1 |
Red Hat 6 | polkit-0.96-11.el6_10.2 |
Red Hat 7 | polkit-0.112-26.el7_9.1 |
Red Hat 8 | polkit-0.115-13.el8_5.1 |
Ubuntu 18.04 | policykit-1-0.105-20ubuntu0.18.04.6 |
Ubuntu 20.04 | policykit-1-0.105-26ubuntu1.2 |
Ubuntu 21.10 | policykit-1-0.105-31ubuntu0.1 |
Fedora 34 | polkit-0.117-3.fc34.2 |
Fedora 35 | polkit-0.120-1.fc35.1 |
Anolis OS 7 | polkit-0.112-26.an7.1 |
Anolis OS 8 | polkit-0.115-13.an8_5.1 |
Alibaba Cloud Linux 2 | polkit-0.112-26.3.al7.1 |
Alibaba Cloud Linux 3 | polkit-0.115-13.al8.1 |
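The two checks above (is pkexec setuid, and which polkit package version is installed) as an added POSIX shell helper, plus the temporary mitigation Qualys and the distribution vendors recommended while patches were rolling out: removing the SUID bit from pkexec. This is not code from the page or from any vendor; the function names are chosen here, the package names `policykit-1` (Debian/Ubuntu) and `polkit` (RPM-based) match the table, and the default path `/usr/bin/pkexec` is assumed.

```sh
#!/bin/sh
# Returns 0 if the given pkexec binary (default /usr/bin/pkexec) is setuid,
# 1 otherwise. Without that bit the PwnKit exploit cannot gain privileges;
# a missing file also counts as "not setuid".
pkexec_is_setuid() {
    path="${1:-/usr/bin/pkexec}"
    [ -u "$path" ]
}

# Prints the installed polkit package version so it can be compared with
# the patched-versions table above. Tries the Debian/Ubuntu package name
# first, then the RPM package name; prints "unknown" if neither is present.
installed_polkit_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}\n' policykit-1 2>/dev/null && return 0
    fi
    if command -v rpm >/dev/null 2>&1; then
        rpm -q polkit 2>/dev/null && return 0
    fi
    echo "unknown"
    return 1
}

# Temporary mitigation: drop the SUID bit (chmod 0755 /usr/bin/pkexec).
# pkexec will no longer be able to elevate privileges for anyone, which is
# the point; undo it by reinstalling the patched package.
mitigate_pkexec() {
    chmod 0755 "${1:-/usr/bin/pkexec}"
}

if pkexec_is_setuid; then
    echo "pkexec is setuid; installed polkit: $(installed_polkit_version)"
else
    echo "pkexec is not setuid (or absent); PwnKit is not exploitable here"
fi
```

The version printed should be compared against the table row for your distribution; the mitigation needs root and is only meant to bridge the gap until the patched package is installed.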