By security practitioners, for security practitioners

PwnKit Local Privilege Escalation Bug Plagues Linux Distributions

1/27/2022 23:23 GMT

CVE-2021-4034 | CVSS 7.8

An argument-parsing bug in the pkexec utility from the PolKit package allows easy-to-exploit local privilege escalation on vulnerable Linux systems. PolKit is included with most Linux distribution default installations. An update should be installed ASAP to mitigate.

What’s the nature of the vulnerability?

pkexec is a utility that comes with PolKit (formerly PolicyKit) that allows a lower-privileged user to run commands as root, similar to the better-known sudo command. PolKit ships with many modern Linux distributions as part of a default installation, which is what makes this particular vulnerability a concern. The bug had been hiding in plain sight since the project’s initial commit in 2009 until researchers from Qualys discovered it and covered it on their blog.

While not exploitable remotely, the vulnerability, now dubbed PwnKit and tracked as CVE-2021-4034, makes a perfect complement to remote code execution bugs such as Log4Shell, which plagues Apache’s Log4j library. Once commands can be executed on a system as root, opportunities abound for compromising the host. PoC code has already been published in several public repositories.

Qualys security researchers verified exploitation of the vulnerability and obtained full root privileges on default installations of Ubuntu, Debian, Fedora, and CentOS. While not all Linux distributions come with PolKit installed by default, it is wise to verify for whichever flavor you might be running. It is often a requirement for running a desktop environment like KDE or Gnome.

How does the exploit work?

PwnKit is a memory corruption vulnerability allowing an out-of-bounds write. The vulnerable version of pkexec doesn’t handle the parameter count correctly and tries to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way that it causes pkexec to execute arbitrary code. [1]

A comprehensive explanation of exploiting the memory corruption vector is covered in the Qualys blog post.

Which versions of PolKit are affected?

All versions of polkit or policykit prior to the latest update are vulnerable. Package managers for major Linux distributions should already have patches available.

Actual version numbers for a fixed pkexec may be difficult to find, because distributions backport the upstream fix (in this case commit a2bf5c9c) as a patch to their existing package versions.

How to fix it?

The most effective fix is to apply patches available from your Linux distribution’s package management. The Qualys disclosure was coordinated with the patched versions becoming available.

If patching via package manager is not available, a simple temporary mitigation is to remove the SUID bit from pkexec (run as root):

# chmod 0755 /usr/bin/pkexec
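As an added example (not code from the advisory), the following Python verifies whether a pkexec binary still carries the SUID bit and can apply the same chmod 0755 workaround; the candidate install paths are an assumption, and clearing the bit requires root.

```python
"""Verify the chmod 0755 workaround: is pkexec still set-uid root?
Added example, not from the advisory. Candidate paths are an assumption;
clearing the bit requires root."""
import os
import stat
from typing import Optional, Tuple

# Usual install locations for pkexec (assumption; adjust per distribution).
PKEXEC_CANDIDATES = ("/usr/bin/pkexec", "/usr/local/bin/pkexec")


def assess(path: str) -> Tuple[str, int]:
    """Classify a pkexec binary; returns (state, permission bits).

    exposed      : set-uid root, exploitable unless the package is patched
    suid-nonroot : set-uid but not root-owned (unusual; not the PwnKit case)
    mitigated    : no set-uid bit, the workaround is in effect
    """
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if not mode & stat.S_ISUID:
        return "mitigated", mode
    return ("exposed" if st.st_uid == 0 else "suid-nonroot"), mode


def mitigate(path: str) -> Tuple[str, int]:
    """Apply chmod 0755 and re-assess; raises PermissionError when not root/owner."""
    os.chmod(path, 0o755)
    return assess(path)


def find_pkexec(candidates=PKEXEC_CANDIDATES) -> Optional[str]:
    """First existing candidate, or None when PolKit is not installed."""
    for p in candidates:
        if os.path.isfile(p):
            return p
    return None


if __name__ == "__main__":
    target = find_pkexec()
    if target is None:
        print("pkexec not found; PolKit does not appear to be installed")
    else:
        state, mode = assess(target)
        print(f"{target}: mode {mode:04o}, state {state}")
```

Once the distribution patch is installed the SUID bit is expected back (pkexec needs it to function), so "exposed" only means exploitable if the package itself is still unpatched.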

How to search for evidence of exploitation?

If an attacker doesn’t care about remaining undetected or persisting on a compromised system, they may not bother to wipe the logs, in which case the following errors may be found:

The value for the SHELL variable was not found the /etc/shells file
The value for environment variable ______ contains suspicious content

Keywords for hunting

If hunting using a queryable EDR product, searching for the following may turn up evidence of compromise:

sudo chsh -s /bin/bash

IoCs

Avertium has published a short list of IoC hashes:

Sigma rule

The Sigma rule below comes from the Avertium advisory on CVE-2021-4034. Effectiveness may vary.

title: pwnkit - Local Privilege Escalation in polkit's pkexec (CVE-2021-4034)
status: test
description: >
  Detects suspicious shell commands used pwnkit exploit - Local Privilege
  Escalation in polkit's pkexec (CVE-2021-4034) this exploitation technique leaves
  traces in the logs. However, please note that this vulnerability is also exploitable
  without leaving any traces in the logs
author: Avertium CTI
references:
  - https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
date: 2022/1/25
logsource:
  product: linux
detection:
  keywords:
    # Important: this exploitation technique leaves traces in the logs,
    # However, please note that this vulnerability is also exploitable without
    # leaving any traces in the logs.
    - 'The value for the SHELL variable was not found the /etc/shells file'
    - 'The value for environment variable * contains suspicious content'
  condition: keywords
falsepositives:
  - Unknown
level: high
tags:
  - attack.execution
  - attack.t1059.004
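As an added example (not part of the advisory or of Avertium's rule), this Python applies the same two keyword checks as the Sigma rule, and the error strings listed under "How to search for evidence of exploitation", to syslog-style lines, capturing the variable name the rule wildcards; the log layout and the sample lines are assumptions.

```python
"""Scan syslog-style log lines for the two pkexec messages the Sigma rule keys on.
Added example, not from the advisory or Avertium. Assumes the classic
"Mon DD HH:MM:SS host ident[pid]: message" layout (e.g. /var/log/auth.log);
the sample lines are constructed."""
import re
from typing import Dict, Iterable, List, Optional

# pkexec emits these when its environment checks trip. The second carries a
# variable name the Sigma rule wildcards with '*'; we capture it instead.
RULES = {
    "shell_not_in_etc_shells": re.compile(
        r"The value for the SHELL variable was not found the /etc/shells file"),
    "suspicious_env_value": re.compile(
        r"The value for environment variable (?P<var>\S+) contains suspicious content"),
}
SYSLOG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<ident>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

# Constructed sample: two benign lines plus three pkexec indicator lines.
SAMPLE_LOG = """\
Jan 26 10:14:03 web01 sshd[2041]: Accepted publickey for deploy from 10.0.0.5 port 51822
Jan 26 10:15:21 web01 pkexec[2210]: The value for the SHELL variable was not found the /etc/shells file
Jan 26 10:15:21 web01 pkexec[2210]: The value for environment variable XAUTHORITY contains suspicious content
Jan 26 10:16:02 db02 pkexec[3190]: The value for environment variable LC_ALL contains suspicious content
Jan 26 10:17:40 web01 CRON[2301]: (root) CMD (run-parts /etc/cron.hourly)
"""


def scan(lines: Iterable[str]) -> List[Dict[str, Optional[str]]]:
    """Return one hit per matching line, with the fields an analyst pivots on."""
    hits = []
    for line in lines:
        m = SYSLOG.match(line)
        if not m:
            continue  # not syslog-shaped; skip rather than guess
        for rule, pat in RULES.items():
            pm = pat.search(m["msg"])
            if pm:
                hits.append({"rule": rule, "ts": m["ts"], "host": m["host"],
                             "ident": m["ident"], "pid": m["pid"],
                             "var": pm.groupdict().get("var")})
    return hits


def by_host(hits: List[Dict[str, Optional[str]]]) -> Dict[str, int]:
    """Count hits per host so the noisiest machine is triaged first."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["host"]] = counts.get(h["host"], 0) + 1
    return counts
```

As the rule itself notes, absence of these messages does not prove absence of exploitation, since the bug can be exploited without logging anything.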

Resources

  1. RedHat Security Advisory on PwnKit
    https://access.redhat.com/security/cve/CVE-2021-4034
  2. Qualys Blog Entry on PolKit vulnerability
    https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034
  3. PolKit project repository / patch commit
    https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683
  4. Avertium advisory
    https://www.avertium.com/blog/pwnkit-linux-policykit-security-vulnerability-discovered-in-polkits-pkexec
