👾 Qualys Security Advisory. pwnkit: Local Privilege Escalation in polkit's pkexec (CVE-2021-4034).
https://www.openwall.com/lists/oss-security/2022/01/25/11
This vulnerability is an attacker's dream come true:
- pkexec is installed by default on all major Linux distributions (we exploited Ubuntu, Debian, Fedora, CentOS, and other distributions are probably also exploitable);
- pkexec is vulnerable since its creation, in May 2009 (commit c8c3d83, "Add a pkexec(1) command"); - any unprivileged local user can exploit this vulnerability to obtain full root privileges;
- although this vulnerability is technically a memory corruption, it is exploitable instantly, reliably, in an architecture-independent way;
- and it is exploitable even if the polkit daemon itself is not running.
We will not publish our exploit immediately; however, please note that this vulnerability is trivially exploitable, and other researchers might
publish their exploits shortly after the patches are available. If no patches are available for your operating system, you can remove the SUID-bit from pkexec as a temporary mitigation; for example:
#security #pkexec #polkit
https://www.openwall.com/lists/oss-security/2022/01/25/11
This vulnerability is an attacker's dream come true:
- pkexec is installed by default on all major Linux distributions (we exploited Ubuntu, Debian, Fedora, CentOS, and other distributions are probably also exploitable);
- pkexec is vulnerable since its creation, in May 2009 (commit c8c3d83, "Add a pkexec(1) command"); - any unprivileged local user can exploit this vulnerability to obtain full root privileges;
- although this vulnerability is technically a memory corruption, it is exploitable instantly, reliably, in an architecture-independent way;
- and it is exploitable even if the polkit daemon itself is not running.
We will not publish our exploit immediately; however, please note that this vulnerability is trivially exploitable, and other researchers might
publish their exploits shortly after the patches are available. If no patches are available for your operating system, you can remove the SUID-bit from pkexec as a temporary mitigation; for example:
# chmod 0755 /usr/bin/pkexecНу какова красота.
#security #pkexec #polkit