Dubbed PwnKit, it’s been sitting in a user policy module used in Linux distros for over a decade and can be used by anyone to gain root privileges. Here’s what you can do to protect your systems.
Heads up, Linux users: A newly discovered vulnerability in pretty much every major distro allows any unprivileged user to gain root access to their target, and it’s been hiding in plain sight for 12 years.
Discovered by security researchers at Qualys, the vulnerability they’ve dubbed “PwnKit” takes advantage of the pkexec command, part of the PolKit privilege control module installed on (for all practical purposes) every single distro, both vendor-specific and open source, which allows users to execute commands as other users.
Make no mistake: This is a serious vulnerability. The actual execution isn’t very complicated, and Linux users with a good understanding of environment variables, user permissions and launching applications with arguments could feasibly craft an exploit that takes advantage of the PwnKit vulnerability. The research team responsible for its discovery was able to develop an exploit and gain root access on default installations of Ubuntu, Debian, Fedora and CentOS.
“Other Linux distributions are likely vulnerable and probably exploitable. This vulnerability has been hiding in plain sight for 12+ years and affects all versions of pkexec since its first version in May 2009,” Qualys director of vulnerability and threat research Bharat Jogi said in a post describing the discovery.
How (simply) PwnKit can devastate Linux systems
The vulnerability comes down to using an out-of-bounds write to trick pkexec into looking for a maliciously crafted PATH environment variable. It’s probably best to let Qualys explain it: “If our PATH is ‘PATH=name=.’, and if the directory ‘name=.’ exists and contains an executable file named ‘value’, then a pointer to the string ‘name=./value’ is written out-of-bounds to envp.”
What that does is reintroduce an insecure variable into pkexec’s environment, allowing the attacker to elevate their own privileges and run applications as root. Pkexec is used legitimately to run Linux applications as another user, which is an incredibly common thing to do, especially for Linux administrators and for users who need to run a particular program without having an administrator account.
So, in essence, anybody smart enough to craft a malicious PATH variable could use PwnKit to gain root privileges.
Patch now, even if it hurts
No one likes thinking about taking even a single production-essential machine offline, but in this case it’s a good idea to nip this potentially severe exploit in the bud and deal with taking important Linux machines offline for a bit.
Qualys says that patches have been released for all major Linux distros, and as pretty much all major distros are affected, it’s essential to patch now. In some instances of OEM-distributed Linux systems the vulnerability may still be present, or it may be more complicated to patch the affected machine, so contact your vendors to ensure you’re getting necessary patches.
It’s also worth noting what ZDNet’s Steven Vaughan-Nichols said in a story about PwnKit: You can actually chmod yourself out of trouble if you can’t find or install patches immediately using the following root-powered shell command:
# chmod 0755 /usr/bin/pkexec
This command, for those unfamiliar with chmod numbering, makes it so that no one except for the owner (in this case, root) can write data to pkexec. What matters for this bug is that 0755 replaces pkexec’s normal mode of 4755, clearing the setuid bit: pkexec then no longer runs as root, so the out-of-bounds write can’t be turned into root privileges, but pkexec also can’t do its legitimate job of running commands as another user. This should only be considered a stop-gap until an actual patch can be installed.
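As an added example (not from the article, Qualys or the PolKit project), here is a small POSIX sh audit that reports whether the setuid bit PwnKit depends on is still set on a pkexec binary, with the article’s chmod stop-gap wrapped as a function; the function names and status words are this example’s own, and the default path /usr/bin/pkexec is assumed.

```shell
#!/bin/sh
# Added example: audit a pkexec binary for the setuid bit and apply the
# article's chmod 0755 stop-gap. Function names and status words are
# this example's own; /usr/bin/pkexec is the assumed default location.

# Return 0 when the setuid bit (octal 4000) is set on the path in $1.
setuid_bit_set() {
    [ -n "$(find "$1" -prune -perm -4000 2>/dev/null)" ]
}

# Print a one-word status for the binary at $1 (default /usr/bin/pkexec):
#   absent          - no such file
#   setuid-present  - setuid still set: fine once the distro patch is
#                     installed, PwnKit-exploitable if it is not
#   not-setuid      - setuid bit gone, so pkexec no longer runs as root
audit_pkexec() {
    bin="${1:-/usr/bin/pkexec}"
    if [ ! -e "$bin" ]; then
        echo absent
    elif setuid_bit_set "$bin"; then
        echo setuid-present
    else
        echo not-setuid
    fi
}

# The article's stop-gap: chmod 0755 drops the setuid bit (4755 -> 0755).
# Needs root on a real system, and disables pkexec's legitimate run-as-
# another-user function until the real package update is installed.
apply_stopgap() {
    chmod 0755 "$1"
}

# Stand-alone usage: audit the system binary, or a path given as $1.
audit_pkexec "${1:-/usr/bin/pkexec}"
```

Pair the audit with your package manager’s update status: a patched distro build keeps pkexec setuid, so "setuid-present" alone does not tell you whether the fix is installed.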