January 26, 2022 03:30 am

Major Linux PolicyKit Security Vulnerability Uncovered: Pwnkit

An anonymous reader quotes a report from ZDNet: [S]ecurity company Qualys has uncovered a truly dangerous memory corruption vulnerability in polkit's pkexec, CVE-2021-4034. Polkit, formerly known as PolicyKit, is a systemd SUID-root program. It's installed by default in every major Linux distribution. This vulnerability is easy to exploit. And, with it, any ordinary user can gain full root privileges on a vulnerable computer by exploiting this vulnerability in its default configuration. As Qualys wrote in its brief description of the problem: "This vulnerability is an attacker's dream come true."

Why is it so bad? Let us count the ways:

- Pkexec is installed by default on all major Linux distributions.
- Qualys has exploited Ubuntu, Debian, Fedora, and CentOS in their tests, and they're sure other distributions are also exploitable.
- Pkexec has been vulnerable since its creation in May 2009 (commit c8c3d83, "Add a pkexec(1) command").
- An unprivileged local user can exploit this vulnerability to get full root privileges.
- Although this vulnerability is technically a memory corruption, it is exploitable instantly and reliably in an architecture-independent way.
- And, last but not least, it's exploitable even if the polkit daemon itself is not running.

Red Hat rates the PwnKit as having a Common Vulnerability Scoring System (CVSS) score of 7.8. This is high. [...] This vulnerability, which has been hiding in plain sight for 12+ years, is a problem with how pkexec reads environmental variables. The short version, according to Qualys, is: "If our PATH is "PATH=name=.", and if the directory "name=." exists and contains an executable file named "value", then a pointer to the string "name=./value" is written out-of-bounds to envp[0]." While Qualys won't be releasing a demonstration exploit, the company is sure it won't take long for exploits to be available. Frankly, it's not that hard to create a PwnKit attack.
It's recommended that you obtain and apply a patch ASAP to protect yourself from this vulnerability. "If no patches are available for your operating system, you can remove the SUID-bit from pkexec as a temporary mitigation," adds ZDNet. "For example, this root-powered shell command will stop attacks: # chmod 0755 /usr/bin/pkexec."
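As an added example (not from the ZDNet or Slashdot text), the following POSIX shell script checks whether the temporary mitigation quoted above is in place, i.e. whether pkexec still carries the SUID bit, and can apply the `chmod 0755` stopgap and verify it took effect. The candidate binary paths are assumptions; adjust them for your distribution.

```shell
#!/bin/sh
# Added example, not from the ZDNet/Slashdot story: a defender-side check for
# the temporary mitigation the article quotes (removing the SUID bit from
# pkexec with chmod 0755). The candidate paths are assumptions; adjust them
# for your distribution.

PKEXEC_CANDIDATES="/usr/bin/pkexec /usr/local/bin/pkexec /bin/pkexec"

# pkexec_is_suid FILE
#   returns 0 if FILE exists and carries the set-user-ID bit,
#   1 if it exists without it, 2 if it does not exist.
pkexec_is_suid() {
    f="$1"
    [ -e "$f" ] || return 2
    [ -u "$f" ] && return 0
    return 1
}

# pkexec_report
#   prints one status line per pkexec binary found; returns 0 when no
#   SUID pkexec is present, 1 when at least one still has the bit set.
pkexec_report() {
    any_suid=0
    for f in $PKEXEC_CANDIDATES; do
        rc=0
        pkexec_is_suid "$f" || rc=$?
        case $rc in
            0) printf 'SUID set: %s (exploitable if pkexec is unpatched)\n' "$f"
               any_suid=1 ;;
            1) printf 'OK: %s has no SUID bit\n' "$f" ;;
        esac
    done
    [ "$any_suid" -eq 0 ]
}

# pkexec_mitigate FILE
#   applies the article's stopgap (chmod 0755) and verifies the bit is gone;
#   needs root for the real binary. Returns 0 on success, 1 on failure,
#   2 if FILE does not exist.
pkexec_mitigate() {
    f="$1"
    [ -e "$f" ] || { printf 'no such file: %s\n' "$f" >&2; return 2; }
    chmod 0755 "$f" || return 1
    if pkexec_is_suid "$f"; then return 1; fi
    return 0
}

# When run as a script, report on the real system; the status is kept in a
# variable rather than used to exit so the functions can also be sourced.
PKEXEC_STATUS=0
pkexec_report || PKEXEC_STATUS=$?
```

Removing the SUID bit only disables pkexec's privilege escalation; the patched polkit package is still the real fix.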

Read more of this story at Slashdot.


Original Link: https://linux.slashdot.org/story/22/01/25/2259214/major-linux-policykit-security-vulnerability-uncovered-pwnkit?utm_source=rss1.0mainlinkanon&utm_medi

