Hackfest Communication Blog

News and opinions from the IT security community

Linux vulnerability lets you be "King of the World"

28 January 2022

Master Lock R00t Password

I woke up this morning to a very interesting news article on BleepingComputer: a new vulnerability has been disclosed that affects almost all the major Linux distributions. It allows any logged-in user to easily elevate their privileges to those of root. Like, really easily!

The issue was discovered by Qualys researchers back in November 2021, and “responsible disclosure” allowed the vendors to issue a patch (note that not ALL distributions have been patched, as you’ll see later). The bug is in “pkexec”, part of the “Policy Toolkit” (or Polkit for short), which handles requests to run commands as another user, much like “su”.

As it turns out, it’s a remarkably simple process to bypass pkexec and elevate one’s privileges to those of root. An exploit was published no less than 3 hours after Qualys published their findings. Curious to see if my Kali Linux VM was vulnerable, I did a quick Google search for the code shown in the BleepingComputer article; it literally comes up in 0.39 seconds and is the first link - talk about great SEO!

As you can see from the video below, I compiled the code and ran it, and sure enough: I was root!

Curious to see if Kali had released any updates for it (this VM was last updated about a week ago, as I keep my systems very up-to-date), I ran the full update and tried the exploit again. Unfortunately, it still worked, as the version of pkexec was still 0.105, the same as before the updates.

If your Linux distribution vendor has not yet shipped a fixed pkexec, one mitigation described in the article is simply to remove the SUID bit from the binary with “chmod 0755 /usr/bin/pkexec”, so that it no longer runs as root at all.
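The two things an administrator actually wants to verify on a host are whether pkexec is still setuid (the condition the chmod mitigation removes) and, separately, whether the vendor fix has landed. The script below is an added example, not code from the original post or from the Polkit project: it parses the octal mode string that GNU `stat -c %a` prints and reports whether the setuid bit is present. The path `/usr/bin/pkexec` is taken from the article; the function names are the example's own. It does not compare version numbers on purpose: distributions backport fixes into their existing package version (which is why a patched system may still report 0.105), so the version string alone does not tell you whether the hole is closed. Check your distribution's advisory for the fixed package revision instead.

```shell
#!/bin/sh
# Added example (not from the original post): is the pkexec binary still setuid?

# has_suid MODE
#   MODE is an octal permission string as printed by `stat -c %a`, e.g. 4755 or 755.
#   Returns 0 when the setuid bit (04000) is set, 1 when it is not, 2 on bad input.
has_suid() {
    mode=$1
    case "$mode" in
        ????) special=${mode%???} ;;   # four digits: keep the leading "special" digit
        ???)  special=0 ;;             # three digits: no special bits at all
        *)    echo "has_suid: unexpected mode '$mode'" >&2; return 2 ;;
    esac
    # setuid is bit value 4 of the special digit, so 4, 5, 6 or 7 all carry it.
    case "$special" in
        4|5|6|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# check_pkexec [PATH]
#   Reports the state of the binary at PATH (default /usr/bin/pkexec, the path used in
#   the article). Returns 1 if the binary exists and is still setuid, 0 otherwise.
#   Uses GNU stat, so this is for Linux hosts.
check_pkexec() {
    bin=${1:-/usr/bin/pkexec}
    if [ ! -e "$bin" ]; then
        echo "$bin: not present"
        return 0
    fi
    mode=$(stat -c %a "$bin")
    if has_suid "$mode"; then
        echo "$bin: mode $mode, still setuid -> install the vendor fix or chmod 0755 $bin"
        return 1
    fi
    echo "$bin: mode $mode, setuid bit absent"
    return 0
}

# Run the check when the script is executed directly.
[ "${0##*/}" = "check_pkexec.sh" ] && check_pkexec "$@"
```

A non-zero exit from `check_pkexec` is the signal to act; once the vendor package is installed, the binary will be setuid again by design, which is expected and fine.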

This is nowhere near as severe as the recent Log4j vulnerability, of course, since it is highly unlikely that a Linux server would both be exposed to the Internet and let outsiders log in (right???), but it still puts your systems at risk from internal threats, or from an outside attacker who already has a foothold and is moving laterally inside your network. One concrete risk is that an organisation might give IT techs login credentials to carry out simple tasks without granting them root access; this exploit lets them elevate their privileges trivially and potentially cause damage.

Photo credit: schill - licence CC BY