Pwning the Pwnkit with Confluera

Sushant Paithane
Confluera Engineering
3 min read · Feb 1, 2022

The recently reported CVE-2021-4034 is a vulnerability in the pkexec tool from polkit. pkexec is preinstalled on a typical Linux system and is one of the binaries that can elevate privileges to root (it is installed setuid root). Being a common utility, polkit is present on many Linux distributions, and Docker container images also ship with polkit. Because of this wide distribution, the vulnerability outlined in this blog can have a significant security impact across the industry.

Vulnerability

pkexec allows a user to execute commands as another user, based on the policy defined by polkit, using the setuid feature.

As shown below, the command line processing logic of pkexec does not handle the case in which argc is 0. The loop counter n is initialized to 1 and, when argc is 0, never advanced, so the subsequent access to argv[n] reads argv[1], which lies beyond the end of the argument array.

int
main (int argc, char *argv[])
{
  guint n;
  gchar *path, *s;
  /* other setup elided */

  /* when argc is 0 the loop body never runs and n stays at 1 */
  for (n = 1; n < (guint) argc; n++)
    {
      /* option parsing elided */
    }

  /* argv[n] is argv[1]; with argc == 0 this reads past the NULL
     terminator of argv, i.e. it reads envp[0] */
  path = g_strdup (argv[n]);

  s = g_find_program_in_path (path);

  /* the resolved path is written back to argv[1], i.e. to envp[0] */
  argv[n] = path = s;
}
Environment variable overlap

As it happens, the envp array immediately follows argv in memory, so the out-of-bounds read of argv[1] actually reads envp[0]. g_find_program_in_path() then searches for that program in the PATH environment variable, and the resulting program path is written back into argv[1], which overwrites envp[0].

Effectively, if PATH is set to “PATH=name=.”, the directory “name=.” exists, and that directory contains an executable file named “program”, then a pointer to the string “name=./program” is written out of bounds into envp[0], injecting an environment variable named “name” into the process.

How Confluera is able to detect Pwnkit

Confluera’s technology captures all system call events, both good and bad. It then applies security analysis on top of these events to identify possible exploits, and deterministically stitches strong and weak signals together to give the full story of the attack.

Confluera’s storyboarding captures the exploit attempt and the privilege escalation itself.

1. Confluera detects attempts to exploit CVE-2021-4034 via pkexec.

pkexec launched without parameters

2. Post exploit, the privilege escalation is indicated by a shell command executed as root.

Root executed rm

3. Finally, the generic privilege escalation rule detects a shell being started from a setuid/setgid binary.

Privilege escalation using setuid binary

4. Confluera’s detection trail presents the process lineage in the view, along with the command line demonstrating the pkexec exploit.

sh command line removing

5. All relevant detections appear on a single trail, including the cleanup actions such as removal of the GCONV_PATH= and pwnkit directories.

Cleanup of exploit and payload directories
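The two detection rules described above (pkexec executed with an empty argv, and a root shell spawned from a setuid binary run by a non-root user) can be expressed over process-execution telemetry. The following is an added illustration, not Confluera code; the ExecEvent record layout and the sample events are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash"}

@dataclass
class ExecEvent:          # hypothetical execve telemetry record
    pid: int
    ppid: int
    uid: int              # real uid of the caller
    euid: int             # effective uid after execve (0 for a setuid-root binary)
    exe: str
    argv: List[str]
    setuid_bit: bool      # whether exe carries the SUID bit

def detect_pkexec_no_args(ev: ExecEvent) -> Optional[str]:
    # Rule 1: pkexec started with argc == 0; no legitimate launcher does this.
    if ev.exe.endswith("/pkexec") and len(ev.argv) == 0:
        return "pkexec launched without parameters (CVE-2021-4034 attempt)"
    return None

def detect_shell_from_setuid(ev: ExecEvent, parent: Optional[ExecEvent]) -> Optional[str]:
    # Rule 2: a root shell whose parent is a setuid binary invoked by a non-root user.
    if parent is None or not parent.setuid_bit:
        return None
    if ev.exe in SHELLS and ev.euid == 0 and parent.uid != 0:
        return f"privilege escalation: root shell spawned from setuid {parent.exe}"
    return None

def build_trail(events: List[ExecEvent]) -> List[str]:
    # Walk the lineage by ppid and collect every rule hit into one trail.
    by_pid: Dict[int, ExecEvent] = {e.pid: e for e in events}
    findings = []
    for ev in events:
        for hit in (detect_pkexec_no_args(ev), detect_shell_from_setuid(ev, by_pid.get(ev.ppid))):
            if hit:
                findings.append(f"pid {ev.pid}: {hit}")
    return findings

# Constructed sample telemetry: uid 1000 runs a binary that execs pkexec with an
# empty argv; pkexec spawns a root shell that cleans up. The last event is benign.
SAMPLE_EVENTS = [
    ExecEvent(4101, 4000, 1000, 1000, "/tmp/pwnkit/poc", ["./poc"], False),
    ExecEvent(4102, 4101, 1000, 0, "/usr/bin/pkexec", [], True),
    ExecEvent(4103, 4102, 1000, 0, "/bin/sh", ["sh", "-c", "rm -rf GCONV_PATH= pwnkit"], False),
    ExecEvent(4104, 4000, 1000, 0, "/usr/bin/pkexec", ["pkexec", "--version"], True),
]

if __name__ == "__main__":
    for line in build_trail(SAMPLE_EVENTS):
        print(line)
```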

Mitigation

  1. Remove the SUID bit from the pkexec binary as a temporary mitigation.
  2. Apply the OS patches as soon as they are available.
  3. Evaluate the usage of pkexec and disable it until patches are applied.

Summary

The pkexec vulnerability stems from a command line parsing issue that lets an attacker-controlled environment variable be injected into the process. The resulting privilege escalation allows an unprivileged user to obtain full root privileges.

Confluera’s CxDR platform detects such zero-day attacks and stitches the actions together into execution trails. The storyboarding tracks the detections and evaluates the risk score in real time, delivering curated execution trails to SOC analysts for remediation.
