The game of attack and detect
CVE-2021-4034: Local Privilege Escalation Vulnerability in polkit’s pkexec utility.
Let’s play a game of attack and detect. Imagine that you are the attacker and I’m the victim, but … I’ll detect you. Shall we begin the game now?
Description of the vulnerability
A local privilege escalation vulnerability was found in polkit’s pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according to predefined policies. The current version of pkexec doesn’t handle the calling parameter count correctly and ends up trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way that pkexec is induced to execute arbitrary code. When the attack succeeds it causes a local privilege escalation, giving unprivileged users administrative rights on the target machine.
Let’s check pkexec’s version
Exploiting and gaining root access:
After running the command whoami we see that we are a plain user, i.e. we have no root privileges. Only the root account has root privileges. This means that we can’t read and write arbitrary files on the system, perform operations as any user, change the system configuration, install and remove software, or upgrade the operating system and/or firmware.
As soon as we ran the exploit we were able to gain root access. Now we can read and write any file on the system. This is all because an attacker can take advantage of memory corruption without needing to control the instruction pointer (EIP in x86 assembly). It is a typical memory-based attack, like a heap overflow.
Let’s find user account information
We are able to see user account information successfully
Let’s find out the system users’ passwords.
We were also able to find the system users’ password hashes.
Let’s view the logs now
Let’s detect the attacker’s activities
For detection purposes, I have used Wazuh as the Endpoint Detection and Response (EDR) tool: an integrated endpoint security solution that combines real-time continuous monitoring and collection of endpoint data with rules-based automated response and analysis capabilities. The Wazuh agent is deployed on the servers or PCs that need to be monitored, and their logs are sent to the Wazuh manager, which analyzes the data received from all registered agents and triggers alerts when an event matches a rule, for example: intrusion detected, file modified, configuration not in accordance with the policy, possible rootkit, among others. Filebeat is used as a shipper for forwarding and centralizing the log data, and finally the ELK stack is used to query the data and display it in Kibana.
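As an added illustration of the detection step (this is example code, not Wazuh’s own rule set or anything from the original post), the following parser scans syslog-format auth.log lines for the two messages pkexec writes when its environment validation trips: the SHELL variable not found in /etc/shells, and an environment variable containing suspicious content. Those messages come from pkexec’s own log_message() routine; the sample log lines, host name, PIDs and user names below are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample auth.log excerpt (not a real capture). pkexec logs to syslog as
# "<caller>: <message> [USER=..] [TTY=..] [CWD=..] [COMMAND=..]"; the first two lines
# are the kind of entries a PwnKit attempt leaves behind, the rest are benign noise.
SAMPLE_AUTH_LOG = """\
Jan 26 10:01:12 lab-host pkexec[2314]: alice: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=/dev/pts/0] [CWD=/home/alice] [COMMAND=]
Jan 26 10:01:12 lab-host pkexec[2314]: alice: The value for environment variable XAUTHORITY contains suscipious content [USER=root] [TTY=/dev/pts/0] [CWD=/home/alice] [COMMAND=]
Jan 26 10:02:05 lab-host pkexec[2340]: bob: Executing command [USER=root] [TTY=/dev/pts/1] [CWD=/home/bob] [COMMAND=/usr/bin/systemctl restart cups]
Jan 26 10:03:44 lab-host sshd[2401]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
"""

# Generic syslog line: "<Mon DD HH:MM:SS> <host> <program>[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w./-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Bracketed key=value fields that pkexec appends to every syslog message.
FIELD_RE = re.compile(r"\[(USER|TTY|CWD|COMMAND)=([^\]]*)\]")

# Messages emitted by pkexec's environment checks; the second one is spelled
# "suscipious" in the polkit source, so the pattern accepts either spelling.
PWNKIT_PATTERNS = (
    re.compile(r"The value for the SHELL variable was not found the /etc/shells file"),
    re.compile(r"The value for environment variable \S+ contains susc\w* content"),
)


@dataclass
class Alert:
    pid: int
    caller: str          # the local user that invoked pkexec
    message: str         # the pkexec message with the bracketed fields removed
    fields: Dict[str, str] = field(default_factory=dict)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one syslog line into its named parts, or None if it doesn't match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect_pwnkit(log_text: str) -> List[Alert]:
    """Return one Alert per pkexec line that matches a PwnKit indicator."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["prog"] != "pkexec":
            continue
        msg = rec["msg"]
        if not any(p.search(msg) for p in PWNKIT_PATTERNS):
            continue
        caller, _, rest = msg.partition(": ")
        fields = dict(FIELD_RE.findall(rest))
        alerts.append(Alert(
            pid=int(rec["pid"]),
            caller=caller,
            message=FIELD_RE.sub("", rest).strip(),
            fields=fields,
        ))
    return alerts


def alerts_by_pid(alerts: List[Alert]) -> Dict[int, int]:
    """Count indicator hits per pkexec process; several hits from one PID is the telling sign."""
    counts: Dict[int, int] = {}
    for a in alerts:
        counts[a.pid] = counts.get(a.pid, 0) + 1
    return counts


if __name__ == "__main__":
    for a in detect_pwnkit(SAMPLE_AUTH_LOG):
        print(f"pkexec[{a.pid}] caller={a.caller} cwd={a.fields.get('CWD')!r}: {a.message}")
```

The same two strings are what a Wazuh rule matching the auth.log decoder would key on; the point of keeping the caller, CWD and PID is that the alert then tells you which local account to investigate, which is where the Valid Accounts discussion below starts.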
Having access to valid accounts is sometimes the only thing separating an adversary from a legitimate user, or even from a foothold on a system. By utilizing Valid Accounts an attacker or adversary can frequently go undetected inside the environment.
Here, adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems. In this case, the vulnerability allows an unprivileged attacker to execute commands with elevated privileges on a local Linux system.
The PwnKit vulnerability requires a local user on the victim’s operating system and is categorized under the MITRE ATT&CK TA0004 Privilege Escalation tactic. The CVSSv3 base score for CVE-2021-4034 is 7.8 (High).
Mitigation —
Follow this link — https://access.redhat.com/security/cve/CVE-2021-4034
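As an added example of the check that goes with the version step earlier in the post and with the mitigation step here (example code written for this page, not from the original post or the Red Hat advisory), the script below audits whether pkexec on a host is still installed setuid-root and parses the version string that `pkexec --version` prints. It assumes the usual path /usr/bin/pkexec and only reports; it deliberately does not change anything, because whether to keep the setuid bit or apply the vendor patch is a decision to make per host.

```python
import os
import re
import stat
import subprocess
from typing import Optional

# Assumption: the usual install location of the setuid helper.
PKEXEC_PATH = "/usr/bin/pkexec"


def is_setuid_root(st_mode: int, st_uid: int) -> bool:
    """True when a file's mode has the setuid bit set and the file is owned by uid 0."""
    return bool(st_mode & stat.S_ISUID) and st_uid == 0


def audit_pkexec(path: str = PKEXEC_PATH) -> Optional[bool]:
    """Return True/False for setuid-root status, or None if pkexec isn't installed."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return is_setuid_root(st.st_mode, st.st_uid)


def parse_pkexec_version(output: str) -> Optional[str]:
    """Extract 'X.Y' from the text 'pkexec --version' prints, e.g. 'pkexec version 0.105'."""
    m = re.search(r"pkexec version (\d+(?:\.\d+)+)", output)
    return m.group(1) if m else None


def pkexec_version(path: str = PKEXEC_PATH) -> Optional[str]:
    """Run 'pkexec --version' and parse it; None if the binary is missing or fails."""
    try:
        out = subprocess.run([path, "--version"], capture_output=True, text=True, timeout=5)
    except (FileNotFoundError, subprocess.SubprocessError):
        return None
    return parse_pkexec_version(out.stdout)


if __name__ == "__main__":
    status = audit_pkexec()
    version = pkexec_version()
    print(f"pkexec version: {version or 'not installed / unknown'}")
    if status is None:
        print("pkexec not present on this host")
    elif status:
        # Distributions backport the fix without bumping 0.105, so a setuid-root
        # pkexec is only safe if the package itself is the patched build.
        print("pkexec is setuid-root: confirm the package carries the CVE-2021-4034 fix")
    else:
        print("pkexec is not setuid-root: the interim workaround is in place (pkexec cannot elevate)")
```

Note that the upstream version number stays 0.105 on most distributions even after the fix, so the version check alone does not tell you whether the host is patched; the package changelog or the vendor advisory linked above does.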
Link to resources