1/27/2022 23:23 GMT
CVE-2021-4034 | CVSS 7.8
An argument-parsing bug in the pkexec utility from the PolKit package allows easy-to-exploit local privilege escalation on vulnerable Linux systems. PolKit is included in the default installation of most Linux distributions. An update should be installed ASAP to mitigate.
What’s the nature of the vulnerability?
pkexec is a utility that comes with PolKit (formerly PolicyKit) that allows a lower-privileged user to run commands as root, similar to the better-known sudo command. PolKit ships with many modern Linux distributions as part of a default installation, which is what makes this particular vulnerability a concern. The bug has been hiding in plain sight since the project's initial commit in 2009, until researchers from Qualys discovered it and covered it on their blog.
While not exploitable remotely, the vulnerability, now dubbed PwnKit and tracked as CVE-2021-4034, is a perfect complement to remote code execution (RCE) bugs such as Log4Shell, which plagues Apache's Log4j library. Once commands can be executed on a system as root, opportunities abound for compromising the host. PoC code has already been published in several public repositories.
Qualys security researchers verified exploitation of the vulnerability and obtained full root privileges on default installations of Ubuntu, Debian, Fedora, and CentOS. While not all Linux distributions come with PolKit installed by default, it is wise to verify for whichever flavor you might be running. It is often a requirement for running a desktop environment such as KDE or GNOME.
How does the exploit work?
PwnKit is a memory corruption vulnerability allowing an out-of-bounds write. The vulnerable version of pkexec does not handle the argument count correctly and ends up treating environment variables as the command to execute. An attacker can leverage this by crafting environment variables in such a way that pkexec executes arbitrary code.
A comprehensive explanation of exploiting the memory corruption vector is covered in the Qualys blog post.
Which versions of PolKit are affected?
All versions of policykit prior to the latest update are vulnerable. Package managers for major Linux distributions should already have patches available.
Actual version numbers of the fixed pkexec may be difficult to find, as the fixes are backported as patches (in this case a2bf5c9c) to the source code.
How to fix it?
The most effective fix is to apply patches available from your Linux distribution’s package management. The Qualys disclosure was coordinated with the patched versions becoming available.
If patching via package manager is not available, a simple temporary mitigation is to remove the SUID bit from pkexec:
# chmod 0755 /usr/bin/pkexec
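As an added example (not part of the original advisory), the POSIX shell script below reports whether a pkexec binary still carries the SUID bit, applies the chmod 0755 mitigation from the text only when the bit is actually set, and prints the installed polkit package version so it can be compared against your distribution's advisory. The function names, the scratch-file self-check, and the package names queried (policykit-1 for dpkg-based systems, polkit for rpm-based ones) are assumptions made here; the real target is /usr/bin/pkexec, and the script has to run as root to change its mode.

```shell
#!/bin/sh
# Added example (not pkexec's or the advisory's own code): triage and interim
# mitigation for CVE-2021-4034. The file path is a parameter so the functions
# can be exercised against a scratch file; on a real host pass /usr/bin/pkexec.

# Prints one word describing the file: "missing", "setuid" or "clear".
# Always returns 0 so it can be used inside $(...) under set -e.
pkexec_suid_status() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "missing"
    elif [ -u "$f" ]; then          # -u: setuid bit set (POSIX test)
        echo "setuid"
    else
        echo "clear"
    fi
}

# Applies the advisory's mitigation (mode 0755, i.e. SUID bit removed), but
# only if the bit is set. Returns 0 when the file ends up without the bit.
pkexec_strip_suid() {
    f="$1"
    if [ -u "$f" ]; then
        chmod 0755 "$f" || return 1
    fi
    [ "$(pkexec_suid_status "$f")" = "clear" ]
}

# Prints the installed polkit package version (assumed package names:
# policykit-1 on dpkg systems, polkit on rpm systems); prints nothing if
# neither package manager is present.
pkexec_package_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}\n' policykit-1 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' polkit 2>/dev/null
    fi
}

# Offline self-check: create a scratch file, mark it setuid the way pkexec is
# shipped, strip the bit, and report the before/after status.
demo_scratch() {
    t=$(mktemp) || return 1
    chmod 4755 "$t"
    before=$(pkexec_suid_status "$t")
    pkexec_strip_suid "$t" || { rm -f "$t"; return 1; }
    after=$(pkexec_suid_status "$t")
    rm -f "$t"
    echo "$before -> $after"
}

# Usage: sh pkexec_triage.sh --demo      (scratch-file run)
#        pkexec_suid_status /usr/bin/pkexec ; pkexec_strip_suid /usr/bin/pkexec
if [ "${1:-}" = "--demo" ]; then
    demo_scratch
    echo "polkit package version: $(pkexec_package_version)"
fi
```

Run `pkexec_suid_status /usr/bin/pkexec` again after the distribution patch is installed: package updates typically restore the 4755 mode, which is expected once the binary is fixed, so the interim chmod is only a stopgap until the patched package is in place.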
How to search for evidence of exploitation?
If an attacker does not care about maintaining persistence or residence on a compromised system, they may not bother to wipe the logs, in which case the following errors may be found:
The value for the SHELL variable was not found the /etc/shells file
The value for environment variable ______ contains suspicious content
Keywords for hunting
If hunting using a queryable EDR product, searching for the following may turn up evidence of compromise:
sudo chsh -s /bin/bash
Avertium has published a short list of IoC hashes (MD5, SHA-256, and SHA-1, respectively) for the public PoC source and binary:
- 361f79031dd61b56a6d352d5640ec08a pwnkit.c
- 4cd09130cbe69df24e7ab80f6d2b48a7 pwnkit
- 19766c7da5202548e92b7bee2f48c6bbb4a4dd44bb214ed1eb36656a27b008a0 pwnkit.c
- c2ac768a8a1ffd5d99dd539c7aed8b626b804e5986797ec4ef3d88b4c6de1811 pwnkit
- ced0ff14fd053db32d5126905b9f73ea6ea47183 pwnkit.c
- ddf4b822c5a4004aa3ae9244a55ae490330e9fcf pwnkit
The Sigma rule below comes from the Avertium advisory on CVE-2021-4034. Effectiveness may vary.
title: pwnkit - Local Privilege Escalation in polkit's pkexec (CVE-2021-4034)
status: test
description: Detects suspicious shell commands used pwnkit exploit - Local Privilege Escalation in polkit's pkexec (CVE-2021-4034) this exploitation technique leaves traces in the logs. However, please note that this vulnerability is also exploitable without leaving any traces in the logs
author: Avertium CTI
references:
  - https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
date: 2022/1/25
logsource:
  product: linux
detection:
  keywords:
    # Important: this exploitation technique leaves traces in the logs,
    # However, please note that this vulnerability is also exploitable without
    # leaving any traces in the logs.
    - 'The value for the SHELL variable was not found the /etc/shells file'
    - 'The value for environment variable * contains suspicious content'
  condition: keywords
falsepositives:
  - Unknown
level: high
tags:
  - attack.execution
  - attack.t1059.004
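As an added example (not part of the original advisory or of the Avertium rule), the POSIX shell hunt below applies the two pkexec messages listed under "How to search for evidence of exploitation?" and used as keywords in the Sigma rule above to a log file, counts the hits, and pulls out which environment variable pkexec flagged, which is useful context when triaging a hit. The sample log lines are constructed for this demo and only approximate the real syslog format; the function names are assumptions. On a real host point it at /var/log/auth.log, /var/log/secure, or the output of journalctl.

```shell
#!/bin/sh
# Added example (not from the advisory or the Sigma rule's author): grep-based
# hunt for the two pkexec log messages associated with CVE-2021-4034.

# Prints every line carrying one of the two pkexec messages.
# Exit status is grep's: 0 if at least one line matched, 1 otherwise.
hunt_pwnkit_log_traces() {
    grep -E 'The value for the SHELL variable was not found the /etc/shells file|The value for environment variable [^ ]+ contains suspicious content' "$1"
}

# Prints the number of matching lines (always prints a number, returns 0).
count_pwnkit_log_traces() {
    n=$(hunt_pwnkit_log_traces "$1" | wc -l)
    echo "$n" | tr -d ' '
}

# Prints the environment variable names pkexec flagged, one per line,
# deduplicated, so an analyst can see what the attacker tampered with.
flagged_env_vars() {
    hunt_pwnkit_log_traces "$1" \
      | sed -n 's/.*The value for environment variable \([^ ]*\) contains suspicious content.*/\1/p' \
      | sort -u
}

# Writes a constructed auth log to the given path: two benign lines and the
# two pkexec messages from the advisory. Format is an approximation only.
write_sample_log() {
    cat > "$1" <<'EOF'
Jan 25 19:02:11 host sshd[1410]: Accepted publickey for alice from 10.0.0.5 port 51102 ssh2
Jan 25 19:02:40 host pkexec[1522]: alice: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=/dev/pts/0] [CWD=/home/alice] [COMMAND=/usr/bin/id]
Jan 25 19:02:40 host pkexec[1522]: alice: The value for environment variable XAUTHORITY contains suspicious content [USER=root] [TTY=/dev/pts/0] [CWD=/home/alice] [COMMAND=/usr/bin/id]
Jan 25 19:03:05 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
EOF
}

# Usage: sh pwnkit_hunt.sh --demo            (constructed log)
#        count_pwnkit_log_traces /var/log/auth.log
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_log "$tmp"
    echo "matching lines: $(count_pwnkit_log_traces "$tmp")"
    echo "flagged variables: $(flagged_env_vars "$tmp" | tr '\n' ' ')"
    hunt_pwnkit_log_traces "$tmp"
    rm -f "$tmp"
fi
```

As the Sigma rule's own comment notes, absence of these lines proves nothing, since the exploitation path that leaves no log trace is also public; a clean result from this hunt should be paired with confirmation that the patched package is installed or the SUID bit has been removed.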
- RedHat Security Advisory on PwnKit
- Qualys Blog Entry on PolKit vulnerability
- PolKit project repository / patch commit
- Avertium advisory