PwnKit: Unpacking the Six-Year-Old Polkit Vulnerability That Just Got Worse

In the world of Linux and open-source software, security vulnerabilities are a constant concern. While some flaws are patched quickly, others can linger for years, only to be rediscovered with more severe implications. Such is the case with PwnKit (CVE-2021-4034), a critical privilege escalation vulnerability in Polkit's pkexec utility that has been present for over six years and affects virtually all major Linux distributions.

This blog post will delve into the technical details of PwnKit, explain why it's so dangerous, discuss its widespread impact, and provide practical steps for system administrators and users to protect their systems.

What is Polkit and pkexec?

Before we dive into the vulnerability itself, let's understand the components involved:

Polkit (formerly PolicyKit) is a component used in Linux and Unix-like operating systems to control system-wide privileges. It provides a structured way for non-privileged processes to communicate with privileged ones. Essentially, it defines and handles policies that allow or deny actions based on user identity, group membership, and other criteria.

pkexec is a utility provided by Polkit that allows an authorized user to execute commands as another user, similar to sudo. However, unlike sudo, pkexec does not consult the /etc/sudoers file. Instead, it relies on Polkit policies to determine if a user is authorized to run a command as another user. It's designed to be a more granular and flexible way to manage privileges for specific applications or actions.

For example, if you want to run a graphical application that requires root privileges, pkexec might be used to launch it with elevated permissions after authenticating the user through a graphical prompt.

The PwnKit Vulnerability (CVE-2021-4034)

PwnKit is a local privilege escalation vulnerability. This means an attacker must already have access to the system as a regular, unprivileged user. Once they have this initial foothold, they can exploit PwnKit to elevate their privileges to root, gaining full control over the system.

The flaw lies in how pkexec handles command-line arguments. Specifically, it's a memory corruption vulnerability—a buffer overflow—in the main() function of pkexec. The vulnerability arises because pkexec attempts to process command-line arguments (argv) and environment variables (envp) in an unsafe manner.

Technical Deep Dive

When pkexec is executed, it processes its arguments. The core issue is that pkexec expects certain environment variables to be set up correctly, but it doesn't properly validate them. An attacker can craft a malicious argv array (command-line arguments) and envp array (environment variables) to trigger the buffer overflow.

Here's a simplified breakdown of the exploit mechanism:

1. pkexec's main() function: The main() function in C programs receives argc (argument count) and argv (argument vector) as parameters. pkexec's main() function also initializes its environment by copying argv and envp into a buffer.
2. Incorrect Argument Handling: The vulnerability occurs because pkexec incorrectly handles the number of arguments. It expects argc to be at least 1 (the program name itself). If argc is 0, pkexec still tries to access argv[1], which leads to an out-of-bounds read.
3. Environment Variable Manipulation: Attackers can manipulate the environment variables to control what data is read and written during this out-of-bounds access. By carefully crafting the PATH environment variable, an attacker can trick pkexec into loading malicious shared libraries (.so files).
4. Buffer Overflow and Code Execution: When pkexec attempts to process these malformed arguments and environment variables, it triggers a buffer overflow. This overflow allows the attacker to overwrite parts of the program's memory, including pointers to functions. By overwriting these pointers to point to their own malicious code (typically within a specially crafted shared library), the attacker can achieve arbitrary code execution as the root user.

Essentially, the attacker can create a scenario where pkexec believes it's trying to execute a legitimate command, but because of the memory corruption, it ends up executing the attacker's code with root privileges.

The