PwnKit: “Trivially exploitable” vulnerability found in Linux Polkit’s pkexec tool

Researchers have discovered a “trivially exploitable” local privilege escalation vulnerability in Polkit’s pkexec tool that affects likely every major Linux distribution.

The Qualys Research Team discovered the vulnerability (CVE-2021-4034) dubbed “PwnKit” in polkit’s pkexec, a setuid program installed by default in Linux distributions, and is used to allow an authorized user to execute programs as another user.

An attacker without privileges could exploit this vulnerability to gain root privileges on a vulnerable system.

“Qualys security researchers have been able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu, Debian, Fedora, and CentOS. Other Linux distributions are likely vulnerable and probably exploitable,” Qualys wrote in a blog post.

Moreover, the researchers added the vulnerability “has been hiding in plain sight for 12+ years” (since pkexec was first introduced in 2009).

Qualys went on to describe the details on how PwnKit works and posted a high level proof-of-concept (PoC) video on a potential exploit path. However, the security firm did not disclose technical PoC details until a permanent patch is available.

“We will not publish our exploit immediately; however, please note that this vulnerability is trivially exploitable, and other researchers might publish their exploits shortly after the patches are available,” Qualys noted in a security advisory.

The security firm added users can also remove the SUID-bit from pkexec as a temporary workaround, such as the following command: ‘# chmod 0755 /usr/bin/pkexec‘.

Red Hat also released a security update RHSB-2022-001 for Polkit Privilege Escalation vulnerability and rated the issue ‘Important’.

Red Hat encourages users to update polkit versions as soon as errata are available or install Red Hat’s workaround mitigation steps provided in the mean time.

Readers may also remember when last year a security researcher discovered a seven-year old polkit privileged escalation vulnerability CVE-2021-3560 that could allow a remote attacker root shell access on Linux systems.