The recently reported CVE-2021-4034 (also known as PwnKit) is a vulnerability in pkexec, a tool shipped with polkit. pkexec is installed by default on a typical Linux system and is one of the setuid-root binaries that can elevate privileges to root. Being a common utility, polkit is present on most major Linux distributions, and many Docker container images ship with it as well. Because of polkit's wide distribution, the vulnerability outlined in this blog can have significant security impact across the industry.
Vulnerability
pkexec allows a user to execute commands as another user, subject to the policy defined by polkit, and relies on its setuid bit to do so.
As shown below, pkexec's command line processing logic does not handle the case where argc is 0. The loop counter n starts at 1, and because the loop body never runs when argc is 0, n is still 1 after the loop, so argv[1] is read out of bounds.
int main (int argc, char *argv[])
{
  …
  for (n = 1; n < (guint) argc; n++)
    {
      …   /* option parsing; never entered when argc == 0, so n stays 1 */
    }
  …
  path = g_strdup (argv[n]);           /* argc == 0: reads argv[1], which is envp[0] */
  …
  s = g_find_program_in_path (path);   /* searches the PATH directories for a relative name */
  …
  argv[n] = path = s;                  /* argc == 0: writes the resolved path into envp[0] */
}
What follows the argv array in memory is the envp array: execve() lays out the argv pointers, a terminating NULL at argv[argc], and then envp[0] immediately after it. So when argc is 0, the out-of-bounds read of argv[1] actually reads envp[0]. pkexec treats that string as the program name, and since it is not an absolute path, g_find_program_in_path() searches for it in the directories listed in the PATH environment variable. The resolved path is then written back into argv[1], which overwrites envp[0]: an out-of-bounds write that puts an attacker-shaped string into pkexec's own environment.
Effectively, if PATH is set to "PATH=name=.", a directory called "name=." exists in the current working directory, and that directory contains an executable file called "program", then a pointer to the string "name=./program" is written out of bounds to envp[0]. pkexec's environment now contains a variable "name" with the value "./program", even though pkexec would never have accepted it from the caller. The public proof-of-concept exploits use this to inject GCONV_PATH, which makes glibc's character-set conversion load a shared object from an attacker-controlled directory while pkexec is still running as root; that is why the cleanup actions listed below remove a GCONV_PATH= directory.
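The mechanism described above, as an added example that is not polkit's code: it models pkexec's argument handling on a constructed argv/envp vector laid out the way execve() does it, next to the hardened form, and creates the "GCONV_PATH=." directory trick under a temporary directory so the out-of-bounds write can be observed. find_in_path() is a simplified stand-in for glib's g_find_program_in_path(), and all function names and paths here are assumptions.

```c
/* Added example, not polkit's own code: a self-contained model of the
 * argc == 0 bug in pkexec's argument handling beside the hardened form.
 * argv and envp are laid out as execve() does it (argv[argc] == NULL and
 * envp == &argv[argc + 1], so argv[1] aliases envp[0] when argc == 0).
 * find_in_path() is a simplified stand-in for g_find_program_in_path(). */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

enum { RESOLVE_OK = 0, RESOLVE_NOT_FOUND = 1, RESOLVE_REJECTED = 2 };

/* Value of NAME in a NULL-terminated envp vector, or NULL. */
static const char *env_lookup(char **envp, const char *name) {
    size_t len = strlen(name);
    for (; *envp != NULL; envp++)
        if (strncmp(*envp, name, len) == 0 && (*envp)[len] == '=')
            return *envp + len + 1;
    return NULL;
}

/* Stand-in for g_find_program_in_path(): malloc'd "entry/name" for the first
 * PATH entry holding an executable NAME, else NULL. Relative entries are
 * joined verbatim, so PATH="GCONV_PATH=." yields an env-var-shaped string. */
static char *find_in_path(const char *name, const char *path_env) {
    if (path_env == NULL)
        return NULL;
    char *copy = strdup(path_env), *save = NULL, *found = NULL;
    for (char *dir = strtok_r(copy, ":", &save); dir != NULL;
         dir = strtok_r(NULL, ":", &save)) {
        size_t len = strlen(dir) + strlen(name) + 2;
        char *cand = malloc(len);
        snprintf(cand, len, "%s/%s", dir, name);
        if (access(cand, X_OK) == 0) { found = cand; break; }
        free(cand);
    }
    free(copy);
    return found;
}

/* Mirrors pkexec: options are scanned from n = 1, argv[n] is the program,
 * searched in PATH when relative, and written back to argv[n]. With argc == 0
 * the loop never runs, so argv[1], i.e. envp[0], is read and then overwritten.
 * HARDENED adds the upstream fix: refuse to continue when argc < 1. */
int resolve_program(int argc, char **argv, char **envp, int hardened) {
    if (hardened && argc < 1)
        return RESOLVE_REJECTED;        /* patched pkexec exits with 127 here */
    unsigned n;
    for (n = 1; n < (unsigned)argc; n++)
        if (argv[n][0] != '-')          /* option parsing elided */
            break;
    if (argv[n] == NULL)
        return RESOLVE_REJECTED;        /* no program given: pkexec prints usage */
    char *path = strdup(argv[n]);       /* out-of-bounds read when argc == 0 */
    if (path[0] != '/') {
        char *s = find_in_path(path, env_lookup(envp, "PATH"));
        free(path);
        if (s == NULL)
            return RESOLVE_NOT_FOUND;
        argv[n] = s;                    /* out-of-bounds write into envp[0] */
    }
    return RESOLVE_OK;                  /* pkexec would go on to validate and exec */
}

/* Attacker's cwd (assumed layout): a directory literally named "GCONV_PATH=."
 * holding an executable "pwnkit", inside a fresh temp dir that becomes the cwd. */
int setup_attacker_cwd(void) {
    char tmpl[] = "/tmp/pkexec-argc0-XXXXXX";
    if (mkdtemp(tmpl) == NULL || chdir(tmpl) != 0 || mkdir("GCONV_PATH=.", 0755) != 0)
        return -1;
    int fd = open("GCONV_PATH=./pwnkit", O_WRONLY | O_CREAT, 0755);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

/* Constructed vector shaped like execve("/usr/bin/pkexec", {NULL},
 * {"pwnkit", "PATH=GCONV_PATH=.", NULL}). The hardened form must refuse; the
 * vulnerable form must turn envp[0] into "GCONV_PATH=./pwnkit". Returns 1 then. */
int run_demo(void) {
    if (setup_attacker_cwd() != 0)
        return -1;
    char *vec[] = { NULL, "pwnkit", "PATH=GCONV_PATH=.", NULL };
    char **argv = vec, **envp = vec + 1;  /* argc == 0: argv[0] is the NULL */
    if (resolve_program(0, argv, envp, 1) != RESOLVE_REJECTED)
        return 0;
    if (resolve_program(0, argv, envp, 0) != RESOLVE_OK)
        return 0;
    printf("envp[0] after vulnerable handling: %s\n", envp[0]);
    return strcmp(envp[0], "GCONV_PATH=./pwnkit") == 0;
}

int main(void) { return run_demo() == 1 ? 0 : 1; }
```

The model keeps the two properties the bug depends on: the program name is taken from argv[n] with n left at 1, and the PATH lookup joins a relative entry verbatim, so a directory name of the form "name=." turns the resolved path into an environment assignment. The hardened variant is the one-line argc check; nothing downstream needs to change once pkexec refuses to run with an empty argv.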
How Confluera is able to detect Pwnkit
Confluera’s technology captures system call events, benign and malicious alike, applies security analysis to them to identify possible exploits, and deterministically stitches strong and weak signals together into the full story of an attack.
Confluera’s storyboarding captures the exploit attempt and the privilege escalation itself.
1. Confluera detects attempts to exploit CVE-2021-4034 via pkexec.
2. After exploitation, the privilege escalation shows up as a shell command executed as root.
3. The generic privilege escalation rule detects a shell being started from a setuid/setgid binary.
4. Confluera’s detection trail presents the process lineage along with the command line that demonstrates the pkexec exploit.
5. All relevant detections appear on a single trail, including cleanup actions such as the removal of the GCONV_PATH= and pwnkit directories.
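The two signals in the list above, and the stitching of them into a single trail, as an added example that is not Confluera's product logic: a rule pass over a constructed sequence of process-exec events. The event shape, field names and sample values are assumptions modelled on what an execve tracer such as auditd or eBPF reports; "auid" stands for the audit (login) uid, which setuid() does not change, so it still names the unprivileged user once the payload has become root.

```c
/* Added example, not Confluera's code: per-event rules for the two signals
 * the page lists, plus per-process stitching that turns the weak signal into
 * a confident verdict only when it follows the strong one. Event layout and
 * sample values are constructed for this example. */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>                 /* S_ISUID, S_ISGID */

enum { SIG_PKEXEC_EMPTY_ARGV = 1, SIG_SETUID_SHELL_AS_ROOT = 2 };
enum { TRAIL_NONE = 0, TRAIL_WEAK = 1, TRAIL_PWNKIT = 2 };

struct exec_event {
    int pid;
    unsigned euid, auid;      /* effective uid after the exec; audit (login) uid */
    const char *image;        /* path passed to execve */
    int argc;                 /* argv entries given to execve; 0 is the exploit's mark */
    const char *prev_image;   /* image this process ran before the exec */
    unsigned prev_mode;       /* st_mode of prev_image, as stat() reports it */
};

/* Constructed trail: a normal command; the exploit launching pkexec with an
 * empty argv; the payload shell exec'd from inside pkexec; and, for contrast,
 * a root shell from sudo, which the generic rule also matches. */
static const struct exec_event SAMPLE[] = {
    { 100, 1000, 1000, "/bin/ls",         1, "/bin/bash",       0755  },
    { 101,    0, 1000, "/usr/bin/pkexec", 0, "/tmp/exploit",    0755  },
    { 101,    0, 1000, "/bin/sh",         1, "/usr/bin/pkexec", 04755 },
    { 102,    0, 1000, "/bin/bash",       1, "/usr/bin/sudo",   04755 },
};
#define SAMPLE_COUNT (sizeof SAMPLE / sizeof SAMPLE[0])

static int basename_is(const char *path, const char *name) {
    const char *slash = strrchr(path, '/');
    return strcmp(slash ? slash + 1 : path, name) == 0;
}

static int is_shell(const char *image) {
    static const char *const shells[] = { "sh", "bash", "dash", "zsh" };
    for (size_t i = 0; i < sizeof shells / sizeof shells[0]; i++)
        if (basename_is(image, shells[i]))
            return 1;
    return 0;
}

/* Per-event rules; returns a bitmask of the signals that fired. */
int classify(const struct exec_event *e) {
    int sig = 0;
    /* Strong signal: pkexec exec'd with no argv at all. The exploit needs
     * argc == 0 and no legitimate caller does this. */
    if (basename_is(e->image, "pkexec") && e->argc == 0)
        sig |= SIG_PKEXEC_EMPTY_ARGV;
    /* Weak signal: a shell running as root, exec'd from a setuid/setgid image,
     * in a session whose login uid is known and is not root. */
    if (is_shell(e->image) && e->euid == 0 && e->auid != 0 && e->auid != (unsigned)-1
        && (e->prev_mode & (S_ISUID | S_ISGID)) != 0)
        sig |= SIG_SETUID_SHELL_AS_ROOT;
    return sig;
}

/* Stitches one pid's events in order: the weak signal alone is a privilege
 * change worth showing (sudo -i produces it too); the weak signal after the
 * strong one on the same process is the PwnKit trail. */
int trail_verdict(const struct exec_event *ev, size_t n, int pid) {
    int seen_exploit = 0, verdict = TRAIL_NONE;
    for (size_t i = 0; i < n; i++) {
        if (ev[i].pid != pid)
            continue;
        int sig = classify(&ev[i]);
        if (sig & SIG_PKEXEC_EMPTY_ARGV)
            seen_exploit = 1;
        if (sig & SIG_SETUID_SHELL_AS_ROOT)
            verdict = seen_exploit ? TRAIL_PWNKIT : TRAIL_WEAK;
    }
    return verdict;
}

int main(void) {
    static const char *const label[] = { "no finding",
        "weak: root shell from a setuid image", "PwnKit: pkexec argc==0, then root shell" };
    const int pids[] = { 100, 101, 102 };
    for (size_t i = 0; i < 3; i++)
        printf("pid %d: %s\n", pids[i], label[trail_verdict(SAMPLE, SAMPLE_COUNT, pids[i])]);
    return 0;
}
```

The point of the stitching step is the sudo row: a root shell from a setuid image is exactly what a legitimate sudo -i produces, so on its own that rule is a weak signal and belongs on the trail as context. Only when the same process was seen exec'ing pkexec with an empty argv beforehand does the verdict become the exploit itself.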
Mitigation
Upgrade polkit to a version from your distribution that contains the fix for CVE-2021-4034. Where the update cannot be applied immediately, the widely used stop-gap is to remove the setuid bit from pkexec (chmod 0755 /usr/bin/pkexec); this blocks the privilege escalation at the cost of breaking legitimate pkexec use until the patched package is installed.
Summary
The pkexec vulnerability stems from a command line parsing issue that lets an attacker inject an unsafe environment variable into the process. The resulting privilege escalation allows an unprivileged local user to obtain full root privileges.
Confluera’s CxDR platform detects such zero-day attacks and stitches the actions together into execution trails. The storyboarding tracks the detections and evaluates the risk score in real time, delivering curated execution trails to SOC analysts for remediation.