Rooted another OSCP machine this morning. There is no other exploit that has been more widespread and easy to leverage than pwnkit (CVE-2021-4034). I've simply lost count of the the number of machines I've been able to use this on to get root access from a low-privilege account. For people who do this kind of stuff, this post is a cold take, but I just wanted to come here and state the obvious. #OSCP #pwnkit #polkit #CVE-2021-4034 #Linux #pkexec #setuid

From the Ubuntu website: "A local privilege escalation vulnerability was found on polkit’s pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn’t handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it’ll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation given unprivileged users administrative rights on the target machine."

@debacle @xpac: #pkexec alleine ist schon grusig, siehe z.B. CVE-2021-4034. Und da dann noch #JavaScript dahinter? 🤮

Gut, dass man auch sehr gut ohne #PolicyKit, #sudo und ähnliche #LPE-anfällige Programme leben kann — auch auf dem #Linux #Desktop.

Should blame be placed solely on the C programming language for CVE-2021-4034?

#infosec #pkexec #pwnkit

Major Bug Grants Root for All Major Linux Distributions

One of the major reasons behind choosing Linux as an operating system is that it's much more secure than Windows. There are plenty of reasons for this including appropriate user permissions, installing software from trusted sources and, of course, the fact that most software for Linux including the Linux kernel itself is open source which allows anyone to review the code for vulnerabilities. This doesn't mean that Linux is perfectly secure though, as researchers recently found a major bug found in most major Linux distributions that allows anyone to run code as the root user.

The exploit is a memory corruption vulnerability in Polkit, a framework that handles the privilege level of various system processes. It specifically impacts the program pkexec. With the proof-of-concept exploit (file download warning) in hand, all an attacker needs to do to escalate themselves to root is to compile the program on the computer and run it as the default user. An example is shown by [Jim MacDonald] on Twitter for those not willing to try this on their own machines.

As bad as this sounds, it seems as though all of the major distributions that this impacts have already released updates that patch the issue, including Debian, Ubuntu, Red Hat, Fedora, open SUSE, and Arch. There is also a temporary workaround that removes read/write permission from the pkexec program so it can't run at all. That being said, it might be best to check that your Linux systems are all up-to-date and that no strangers have been typing random commands into the terminal recently.

#linuxhacks #securityhacks #admin #exploit #linux #patch #pkexec #polkit #root #security #update #vulnerability

"we note that #OpenBSD is not exploitable, because its kernel refuses to execve() a program if argc is 0."

https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034
#pwnkit #polkit #pkexec #itsec

Taking inspiration from the #OpenBSD camp, #HardenedBSD now rejects execve(argc==0) attempts: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/commit/b6495ff2ff4135f951619c28aa321b6c5ad550b9

This mitigates types of vulnerabilities like that of #pkexec (CVE-2021-4034).

#infosec