Unpacking 'PwnKit': The 32-Year-Old Linux Privilege Escalation Vulnerability

In the ever-evolving landscape of cybersecurity, it's rare to hear about a vulnerability that has persisted for decades, silently lurking within foundational software. Yet, in January 2022, security researchers at Qualys unveiled just such a flaw: a 32-year-old local privilege escalation bug dubbed "PwnKit" (CVE-2021-4034). This critical vulnerability, present in the pkexec utility of Polkit (formerly PolicyKit), sent ripples through the Linux community, affecting virtually every major distribution.

What is Polkit and pkexec?

Before diving into the vulnerability, it's crucial to understand the role of Polkit and its pkexec utility. Polkit is a component for controlling system-wide privileges in Unix-like operating systems. It provides a structured way for non-privileged processes to communicate with privileged ones. Think of it as a gatekeeper that allows or denies access to system services based on predefined policies.

pkexec is a command-line utility that is part of Polkit. Its primary function is to allow an authorized user to execute commands as another user, similar in concept to sudo. However, pkexec is designed to be more granular, allowing administrators to define very specific policies for which users can run which commands with elevated privileges.

For example, instead of giving a user full sudo access, an administrator might configure Polkit to only allow a specific user to run a particular system command with root privileges via pkexec.

The PwnKit Vulnerability (CVE-2021-4034): A Deep Dive

The PwnKit vulnerability stems from an out-of-bounds write in the pkexec utility. Specifically, it exploits how pkexec handles command-line arguments. The flaw is rooted in a fundamental misunderstanding or oversight in how the execve() system call (which pkexec uses to execute other programs) interacts with the argument list (argv) and environment variables (envp).

The Technical Details

When a program is executed, execve() passes two arrays: argv (argument vector) and envp (environment vector). Both are null-terminated arrays of strings. pkexec's code attempts to iterate through these arrays.

The vulnerability arises because pkexec's code mishandles the argv array when it's called with zero arguments (i.e., argv[1] is NULL). In this specific scenario, the code incorrectly tries to process argv[1] as if it were a valid argument. This leads to pkexec reading beyond the end of the argv array and into the envp array, which immediately follows argv in memory.

By carefully crafting the environment variables, an attacker can manipulate this out-of-bounds read to perform an out-of-bounds write. This allows them to overwrite critical internal data structures within pkexec's memory. The most impactful exploit involves overwriting the g_printerr() function pointer, which pkexec uses for error messages. By redirecting this pointer to a malicious shared library (.so file) controlled by the attacker, they can trick pkexec into loading and executing arbitrary code with root privileges.

Why 32 Years?

The pkexec utility has been part of Polkit since its inception, and the underlying logic that led to this vulnerability has existed for over three decades. The flaw remained undetected for so long due to a combination of factors:

• Subtlety: The bug only manifests under very specific conditions (zero arguments to pkexec and carefully crafted environment variables).
• Complexity: Understanding the intricacies of execve(), memory layout, and argv/envp interaction requires deep system-level knowledge.
• Focus on sudo: sudo has historically been the more scrutinized utility for privilege escalation, drawing more attention from security researchers.

Impact and Severity

PwnKit is classified as a local privilege escalation vulnerability. This means an attacker must already have unprivileged access to a system to exploit it. However, once exploited, it grants the attacker full root privileges, allowing them to take complete control of the compromised system, install malware, steal data, or disrupt services.

The severity of PwnKit is extremely high because:

1. Ubiquity: Polkit and pkexec are installed by default on virtually all major Linux distributions (Ubuntu, Debian, Fedora, CentOS, RHEL, Arch Linux, etc.).
2. Ease of Exploitation: The vulnerability is relatively easy to exploit, with public proof-of-concept code quickly becoming available after its disclosure.
3. No Configuration Required: The flaw exists in the default configuration of pkexec, meaning no specific misconfiguration is needed for it to be exploitable.

How to Check and Mitigate PwnKit

Checking for the Vulnerability

The easiest way to determine if your system is vulnerable is to check the version of Polkit installed. Most distributions released patches very quickly. You can check your Polkit version using your distribution's package manager.

For Debian/Ubuntu:

For RHEL/CentOS/Fedora:

For Arch Linux:

Look for the installed version number. If it's older than the patched version for your distribution (e.g., 0.105-31+deb11u1 for Debian 11, 0.105-30.el8_5.2 for RHEL 8, 0.105-33.fc35.1 for Fedora 35, 0.105-26ubuntu1.2 for Ubuntu 20.04), you are likely vulnerable.

Mitigation Steps

1. Update Your System Immediately:

This is the most critical step. Distribution maintainers released patches very quickly. Applying these updates will install the fixed version of Polkit and remove the vulnerability.

For Debian/Ubuntu:

For RHEL/CentOS/Fedora:

For Arch Linux:

2. Reboot (Recommended):

While some systems might not strictly require a reboot for the pkexec fix to take effect, it's always a good practice after applying critical security updates, especially for core system components, to ensure all services are running the patched binaries.

3. Temporary Workaround (If Immediate Patching is Not Possible):

If for some reason you cannot patch your system immediately, a temporary workaround involves removing the SUID bit from the pkexec binary. This prevents any user from executing pkexec with elevated privileges, effectively disabling its functionality. Be aware that this might break legitimate system functions that rely on pkexec.

To revert this workaround after patching:

It is strongly advised to patch your system rather than relying on this workaround.

Lessons Learned from PwnKit

The discovery of PwnKit serves as a potent reminder of several key cybersecurity principles:

• The Age of Code Doesn't Guarantee Security: Old, battle-tested code can still harbor critical flaws. Assumptions made decades ago might not hold true under modern scrutiny.
• Importance of Fuzzing and Static Analysis: While this bug was found manually, advanced fuzzing techniques and static analysis tools are increasingly crucial for uncovering deep-seated vulnerabilities in complex codebases.
• Layered Security is Key: Even with a critical local privilege escalation, other security layers (e.g., network firewalls, strong authentication, minimal service exposure) can limit an attacker's initial access.
• Prompt Patching is Paramount: The speed with which distributions released patches and the importance of users applying them highlights the collaborative effort required to maintain system security.

PwnKit stands as a testament to the continuous challenge of securing complex software systems. While its discovery was unsettling, the rapid response from the Linux community reinforces the strength and vigilance that underpins the open-source ecosystem. Stay updated, stay secure.