
Linux Privilege Escalation: a Look at PWNKIT

Published as CVE-2021-4034, PWNKIT is a Linux privilege escalation flaw that affects all distributions and can give an attacker root control over a system. It's also a push-button, trivial exploit.

Let's take a deep-dive into exactly what that means (and the impact it could have on your organization's cybersecurity infrastructure):

How Privilege Escalation Factors Into Cyberattacks

Privilege escalation (otherwise known as "priv-esc") is the process of gaining higher access permissions on a computer system. This translates into more power: access to more files and commands, and the ability to change how the system operates.

Priv-esc is fundamentally a normal part of IT administration. IT admins don't always use a highly privileged account, so they may frequently need to escalate their privileges as they conduct more sensitive day-to-day operations.

However, privilege escalation is also a standard component of cyberattacks. Not all breaches immediately give the attacker access to admin-level accounts; many initial access breaches only give the attacker access to a regular user account. While a hacker could still cause some damage from a regular user account, cybercriminals want to inflict the most harm possible and therefore need more power on the system. In most cases, deploying ransomware by encrypting sensitive files such as entire databases requires admin-level privileges. This makes privilege escalation a vital goal for attackers, as it enables them to carry out more sophisticated, stealthy, and destructive attacks.

Privilege escalation can be accomplished in several ways. One is to obtain access to an account that has "admin" or "root" level privileges by stealing credentials or through social engineering. Priv-esc can also be achieved by exploiting a bug or configuration error in an operating system or application.

Network defenders need to understand privilege escalation to protect against it. After all, if an attacker with a foothold on your system can be stopped from causing significant damage, that's a considerable risk reduction and an overall win for the organization.

An Explanation of Linux Privilege Escalation Attacks

Linux is one of the world's two heavy-weight operating systems, widely used in servers, supercomputers, mobile devices, and embedded IoT systems, due to its flexibility, reliability, security, and open-source nature.

Linux powers over one-third of web servers and 90% of cloud VMs and is the operating system of choice for the world's fastest supercomputers. In addition, Linux is the most popular operating system in the IoT embedded systems market, with a market share of over 70%.

Let's briefly review some well-known privilege escalation attacks and then look at a new Linux privilege escalation attack known as PWNKIT, and how to defend against it:

PWNKIT: a Novel Linux Privilege Escalation Bug

Published as CVE-2021-4034, PWNKIT is a Linux privilege escalation flaw that affects all distributions and can give an attacker system-wide privileges. It's also a push-button, trivial exploit. Exploiting PWNKIT is as easy as compiling about 20 lines of C code and running the compiled executable.

Let's examine how easy PWNKIT is to exploit by reviewing a proof-of-concept (POC).

The bug that PWNKIT exploits is a memory corruption flaw in pkexec, a component of the Linux polkit (PolicyKit) package, that has existed since May 2009. The PWNKIT vulnerability was patched in January 2022, but only IT environments that have had the update applied are protected.

The POC program first creates a global multi-line string variable named "shell". It then runs the main function, which creates a directory "pwnkit" and a file named "gconv-modules" inside it. This file contains the metadata for a shared library. The program then writes the "shell" variable to a file named "pwnkit.c" inside the "pwnkit" directory, and compiles it using GCC as a shared library named "pwnkit.so". Finally, the program sets up an array of environment variables and executes the "pkexec" command with those environment variables.

There are two types of Linux user and group IDs: real and effective. The real UID and GID are the IDs that are assigned to the process when it is created. By default, the effective UID and GID are also set to the real UID and GID. PWNKIT first sets the real and effective user and group IDs to 0 (root) using the "setuid()" and "setgid()" system calls. It then sets the effective user and group IDs to 0 using the "seteuid()" and "setegid()" system calls. These system calls change the credentials of the current process to those of the root user, effectively giving the process root privileges. The calls succeed only because the code runs inside pkexec, which is installed setuid-root and therefore already runs with an effective UID of 0.

The execution of the shared library effectively exploits a memory corruption vulnerability in the Linux polkit library and gives the user who runs it a root shell. Memory corruption flaws occur when an application writes data beyond the bounds of allocated memory, causing it to overwrite other memory locations. In this case, the flaw allows an attacker to modify the behaviour of the application, allowing the effective user ID to be set to that of the root user. The function finally launches a root shell using the "/bin/sh" command and removes traces of the malware by deleting the "pwnkit" directory with the "rm -rf" command.

How to Mitigate PWNKIT

Regardless of the technical analysis of how PWNKIT or memory corruption flaws work, it's critical to note that PWNKIT represents low-hanging fruit that even a novice computer user could exploit. The impact is severe, giving the attacker immediate admin privileges.

Effective defense against PWNKIT requires a multi-layered defense strategy that includes both proactive and reactive measures. The goal is not only to prevent PWNKIT but also to ensure that an organization's IT environment is continuously plugging newly discovered security gaps and is able to detect and respond to any potentially malicious activity on endpoints, no matter which vulnerability has been leveraged.

Proactive Measures

By regularly patching and updating the OS and its components, implementing access controls, conducting vulnerability assessments and penetration testing, and implementing security best practices, network defenders can take proactive measures to protect against memory corruption flaws in key OS components.

These measures can help to reduce the risk of attacks targeting memory corruption flaws by addressing vulnerabilities and weaknesses in the IT environment before they can be exploited.
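
As an added example (not part of the original post), the sketch below inventories where pkexec is installed with the setuid bit set and owned by root, which is what makes a flaw in it a path to root, so that patching can be prioritized. The candidate paths and the function names are assumptions chosen for illustration.

```python
import os
import stat

# Assumed install locations; most distributions ship pkexec in /usr/bin.
CANDIDATE_PATHS = ("/usr/bin/pkexec", "/bin/pkexec", "/usr/local/bin/pkexec")


def classify(mode, owner_uid):
    """Classify a file from its st_mode and st_uid values."""
    if not stat.S_ISREG(mode):
        return "not-a-regular-file"
    if mode & stat.S_ISUID:
        # A setuid binary runs with the file owner's effective UID.
        return "setuid-root" if owner_uid == 0 else "setuid-non-root"
    return "not-setuid"


def audit(paths=CANDIDATE_PATHS):
    """Map each path to (status, permission bits in octal or None)."""
    report = {}
    for path in paths:
        try:
            st = os.stat(path)  # follows symlinks such as /bin -> /usr/bin
        except FileNotFoundError:
            report[path] = ("absent", None)
            continue
        except OSError:
            report[path] = ("unreadable", None)
            continue
        status = classify(st.st_mode, st.st_uid)
        report[path] = (status, oct(stat.S_IMODE(st.st_mode)))
    return report


if __name__ == "__main__":
    for path, (status, perms) in audit().items():
        print(f"{path}: {status} {perms or ''}".rstrip())
```

A `setuid-root` result only puts the host in scope; whether the January 2022 fix is installed has to be confirmed with the distribution's package manager. Where no patch is available, the public Qualys advisory for CVE-2021-4034 lists removing the setuid bit from pkexec (`chmod 0755`) as a temporary mitigation.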

Reactive Measures

In addition to proactive measures, network defenders can take reactive measures to detect and respond to attacks targeting memory corruption flaws. By deploying Endpoint Detection and Response (EDR) and Intrusion Detection and Prevention Systems (IDS/IPS) that can analyze network traffic and identify malicious patterns and signatures, and by monitoring network activity and logs for suspicious activity, network defenders can quickly detect and respond to attacks targeting memory corruption flaws, minimizing the impact of successful attacks.

These reactive measures are critical to quickly identifying and mitigating attacks before they can cause significant damage to the IT environment.
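
As an added example (not part of the original post), one concrete form of log monitoring for this flaw is to search authentication logs for the messages pkexec writes when it rejects an unsafe environment. The message wording follows the public Qualys advisory for CVE-2021-4034; the log layout, sample lines and function names are constructed assumptions.

```python
import re
from collections import Counter

# Text pkexec logs when it rejects an unsafe environment. The wording, including
# the "suscipious" misspelling, follows the public Qualys advisory and is an
# assumption here: confirm it against your polkit build.
INDICATORS = {
    "shell-not-in-etc-shells": re.compile(
        r"The value for the SHELL variable was not found"),
    "suspicious-env-value": re.compile(
        r"The value for environment variable \S+ contains sus\w+ious content"),
}
# Assumed syslog layout: "<timestamp> <host> pkexec[<pid>]: <user>: <message>"
PKEXEC_LINE = re.compile(r"pkexec(?:\[\d+\])?:\s+(?P<user>[^:\s]+):\s+(?P<msg>.*)")
CWD_FIELD = re.compile(r"\[CWD=(?P<cwd>[^\]]*)\]")


def scan(lines):
    """Return one finding per pkexec log line that matches an indicator."""
    findings = []
    for number, line in enumerate(lines, start=1):
        entry = PKEXEC_LINE.search(line)
        if entry is None:
            continue  # not a pkexec message
        for name, pattern in INDICATORS.items():
            if pattern.search(entry["msg"]):
                cwd = CWD_FIELD.search(entry["msg"])
                findings.append({"line": number, "user": entry["user"],
                                 "indicator": name,
                                 "cwd": cwd["cwd"] if cwd else None})
                break
    return findings


def users_to_triage(findings):
    """Count findings per invoking user so repeat sources stand out."""
    return Counter(f["user"] for f in findings)


# Constructed sample lines, not taken from a real system.
SAMPLE_LOG = [
    "Jan 26 09:58:11 web01 sshd[3990]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2",
    "Jan 26 10:02:40 web01 pkexec[4050]: bob: Executing command [USER=root] [TTY=/dev/pts/1] [CWD=/home/bob] [COMMAND=/usr/bin/apt update]",
    "Jan 26 10:14:03 web01 pkexec[4121]: alice: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=/dev/pts/0] [CWD=/tmp/build]",
    "Jan 26 10:14:09 web01 pkexec[4188]: alice: The value for environment variable XAUTHORITY contains suscipious content [USER=root] [TTY=/dev/pts/0] [CWD=/tmp/build]",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Treat a match as a lead for triage rather than a verdict, and the lack of one as inconclusive: the same advisory notes that exploitation does not always produce these messages.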

Conclusion

PWNKIT is a Linux privilege escalation flaw that impacts all major Linux distributions, is trivial to exploit, and can give an attacker system-wide privileges.

Mitigating PWNKIT and all zero-day vulnerabilities requires network defenders to implement a multi-layered defence strategy that includes both proactive and reactive measures, in order to reduce the chance of being victimized and to identify and respond quickly if your network is breached.

Concerned about PWNKIT? We recommend starting off with a Compromise Assessment to uncover past (or present) threats that may go unnoticed in standard automated vulnerability scans.
