Linux system service bug gives root on all major distros, exploit released



securitybreach
Quote

A vulnerability in Polkit's pkexec component identified as CVE-2021-4034 (PwnKit) is present in the default configuration of all major Linux distributions and can be exploited to gain full root privileges on the system, researchers warn today.

CVE-2021-4034 has been named PwnKit and its origin has been tracked to the initial commit of pkexec, more than 12 years ago, meaning that all Polkit versions are affected.

Part of the Polkit open-source application framework that negotiates the interaction between privileged and unprivileged processes, pkexec allows an authorized user to execute commands as another user, doubling as an alternative to sudo.

Easy to exploit, PoC expected soon

Researchers at Qualys information security company found that the pkexec program could be used by local attackers to increase privileges to root on default installations of Ubuntu, Debian, Fedora, and CentOS.

They warn that PwnKit is likely exploitable on other Linux operating systems as well.

Bharat Jogi, Director of Vulnerability and Threat Research at Qualys explains that PwnKit is “a memory corruption vulnerability in Polkit’s, which allows any unprivileged user to gain full root privileges on a vulnerable system using default polkit configuration,....”

https://www.bleepingcomputer.com/news/security/linux-system-service-bug-gives-root-on-all-major-distros-exploit-released/

Expect a patch soon.


abarbarian
10 hours ago, securitybreach said:

In that article they have a screenshot,

PwnKitExploit.png

I tried out the code they gave in the screenshot but it returned this,

bloodaxe@BIFROST:~
$ whoami
bloodaxe
bloodaxe@BIFROST:~
$ gcc -o blasty blasty-vs-pkexec.c
gcc: error: blasty-vs-pkexec.c: No such file or directory
gcc: fatal error: no input files
compilation terminated.

😂


securitybreach

In the above example, blasty is the script. If you do not have it downloaded, you can't use it.

BTW this is actually minor and can easily be fixed by this workaround until a patch is available:

sudo chmod 0755 /usr/bin/pkexec

securitybreach
gcc -o blasty blasty-vs.pkexec.c

That simply means to run blasty-vs-pkexec.c (the script) and output it to a file called blasty

And you really shouldn't be running commands when you do not understand what they do. Remember how people used to get screwed over if someone told them to run

sudo rm -rvf /

Luckily most distros have removed that function. It was fun to see a distro destroy itself.

BTW DO NOT RUN THE COMMAND ABOVE unless you want to destroy your installation

securitybreach
59 minutes ago, V.T. Eric Layton said:

Polkit upgraded in Slackware as of today.

Nice

abarbarian
19 hours ago, securitybreach said:

gcc -o blasty blasty-vs.pkexec.c

That simply means to run blasty-vs-pkexec.c (the script) and output it to a file called blasty

And you really shouldn't be running commands when you do not understand what they do. Remember how people used to get screwed over if someone told them to run

sudo rm -rvf /

Luckily most distros have removed that function. It was fun to see a distro destroy itself.

BTW DO NOT RUN THE COMMAND ABOVE unless you want to destroy your installation

AH HA I missed that I needed a script.

Yeah I figured that you would not post a dodgy article, though you can never be sure. Yup, I realise the dangers of copying code off the net. Not too bothered if I hose the ToughBook as I use MX's excellent backup tools. Besides I have to have some fun every now and again, I have not hosed a PC in a while. 😛

Cluttermagnet
15 hours ago, raymac46 said:

Mint now fixed as well.

Fixed in what sense, please? Do I need to do anything?

And I still have one or more copies of obsolete Mint 17 running.

Does that add to my concerns? (Mostly I'm now running Mint 20).

Clutter

raymac46

Update your Mint 20. Not advisable to run obsolete versions of Mint as they don't get security updates.

For them you could try Josh's workaround.

sudo chmod 0755 /usr/bin/pkexec

Remember this is not a concern unless an attacker is actually a user on your machine. If that is the case you have a lot of issues besides the exploit.
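The interim workaround posted twice above (sudo chmod 0755 /usr/bin/pkexec) works because CVE-2021-4034 needs pkexec to run setuid root; the script below is an added example, not code from this thread or from the Polkit project, that checks whether the setuid bit is still present on a pkexec binary and can apply the same chmod. It assumes GNU coreutils stat, and the function names (file_mode, is_setuid, pkexec_status, apply_workaround) are chosen here.

```shell
#!/bin/sh
# Added example (not from the thread or from Polkit): verify the interim
# CVE-2021-4034 workaround. Assumes GNU coreutils stat (Ubuntu, Debian,
# Fedora, CentOS and Mint all ship it). Function names are chosen here.

# Print a file's permission bits in octal, e.g. 4755 (setuid) or 755.
file_mode() {
    stat -c '%a' "$1"
}

# True (exit 0) when the setuid bit (04000) is set on the given path.
is_setuid() {
    mode=$(file_mode "$1") || return 2
    # The leading 0 makes the arithmetic expansion read the mode as octal.
    [ $(( 0$mode & 04000 )) -ne 0 ]
}

# Report a pkexec binary's status. Exit status: 0 = setuid still set (exposed
# while polkit is unpatched), 1 = setuid cleared (workaround applied),
# 2 = file not present.
pkexec_status() {
    path=${1:-/usr/bin/pkexec}
    if [ ! -e "$path" ]; then
        echo "$path: not installed"
        return 2
    fi
    if is_setuid "$path"; then
        echo "$path: mode $(file_mode "$path"), setuid set; update polkit or apply the workaround"
        return 0
    fi
    echo "$path: mode $(file_mode "$path"), setuid cleared"
    return 1
}

# Apply the thread's workaround to a path (needs root for the real
# /usr/bin/pkexec). A later polkit update reinstalls a setuid pkexec, which
# is the intended state once patched, so re-run pkexec_status afterwards.
apply_workaround() {
    chmod 0755 "$1"
}

# Check the real binary, or a path given on the command line.
pkexec_status "$@" || :
```

Run it before and after updating polkit: the setuid bit coming back after the update is expected, because the patched pkexec needs it to work normally.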

wa4chq
Quote

Remember this is not a concern unless an attacker is actually a user on your machine. If that is the case you have a lot of issues besides the exploit.

So does this mean I'm OK since I'm the only user on all my computers?

Edited by wa4chq

abarbarian
41 minutes ago, wa4chq said:

So does this mean I'm OK since I'm the only user on all my computers?

As long as you do not have dissociative identity disorder. 😎

Cluttermagnet
6 hours ago, raymac46 said:

Update your Mint 20. Not advisable to run obsolete versions of Mint as they don't get security updates.

For them you could try Josh's workaround.

sudo chmod 0755 /usr/bin/pkexec

Remember this is not a concern unless an attacker is actually a user on your machine. If that is the case you have a lot of issues besides the exploit.

Phew! OK, that is great news then. Other users definitely not a concern (unless there are burglar hackers, LOL). Thanks!

wa4chq
8 hours ago, abarbarian said:

As long as you do not have dissociative identity disorder. 😎

I do and at the moment, this is not wa4chq. My handle is Ralph.

abarbarian
12 hours ago, wa4chq said:

I do and at the moment, this is not wa4chq. My handle is Ralph.

Are you sure? Might be best to set a cron job running "whoami" every five minutes. 🤣

2 weeks later...

So I hate the hullabaloo over this type of thing. It isn't a remote execution issue. If someone has the access to make use of the flaw, then it is game over anyway. (BTW: Steve Gibson had a nice segment about this flaw.)
