Since 2009, pkexec has contained a memory-corruption vulnerability that people with limited control of a vulnerable machine can exploit to escalate privileges all the way to root.

Exploiting the flaw is trivial and, by some accounts, 100 percent reliable. Attackers who already have a toehold on a vulnerable machine can abuse the vulnerability to ensure a malicious payload or command runs with the highest system rights available. PwnKit, as researchers are calling the vulnerability, is also exploitable even if the Polkit daemon itself isn't running. PwnKit was discovered by researchers from security firm Qualys in November and was disclosed on Tuesday after being patched in most Linux distributions. PwnKit is tracked as CVE-2021-4034.

[...]

Major Linux distributors have released patches for the vulnerability, and security professionals are strongly urging administrators to prioritize installing the patch. Those who can't patch immediately should use the chmod 0755 /usr/bin/pkexec command to remove the SUID bit from pkexec, which prevents it from running as root when executed by a non-privileged user. Advisories from Debian, Ubuntu, and Red Hat are here, here, and here. Those who want to know if the vulnerability has been exploited on their systems can check for log entries that say either "The value for the SHELL variable was not found the /etc/shells file" or "The value for environment variable [...] contains suspicious content." Qualys, however, cautioned people that PwnKit is also exploitable without leaving any traces.

Continued at https://arstechnica.com/information-technology/2022/01/a-bug-lurking-for-12-years-gives-attackers-root-on-every-major-linux-distro/

In short, fear not: 12 years after it was introduced, this vulnerability was fixed within a few hours of its public disclosure.

Giacomo

_______________________________________________
nexa mailing list
nexa@server-nexa.polito.it
https://server-nexa.polito.it/cgi-bin/mailman/listinfo/nexa
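An added example, not part of the Ars Technica article, the Qualys advisory, or the list post above: a POSIX shell script that performs the two checks the quoted article describes. It tests whether a pkexec binary still carries the setuid bit (so the interim `chmod 0755` mitigation has not been applied), applies that mitigation to a given path, and scans syslog-style text for the two indicator strings the article quotes. The sample log lines embedded in the script are constructed for illustration; the log paths `/var/log/auth.log` and `/var/log/secure` are assumptions about where a distribution's syslog writes the authpriv facility, and the tolerance for the alternate spelling "suscipious" is a defensive choice in case the logged message differs from the article's wording.

```shell
#!/bin/sh
# Added example (not from the article or this list post): checks for the
# PwnKit (CVE-2021-4034) mitigation and log indicators described above.
# Sample log data is constructed; file paths are assumptions.

# Regex for the two pkexec log messages the article quotes. The second
# alternative also accepts "suscipious", in case the logged string is
# spelled differently from the article's rendering.
PWNKIT_LOG_RE='The value for the SHELL variable was not found the /etc/shells file|The value for environment variable .* contains (suspicious|suscipious) content'

# Return 0 (true) if the given binary has the setuid bit set, i.e. the
# interim mitigation "chmod 0755 /usr/bin/pkexec" has NOT been applied.
pkexec_is_suid() {
    [ -u "${1:-/usr/bin/pkexec}" ]
}

# Apply the interim mitigation from the article to the given binary.
# On a real host this needs root; it does not replace the package update.
remove_pkexec_suid() {
    chmod 0755 "${1:-/usr/bin/pkexec}"
}

# Read log text on stdin and print only lines carrying a PwnKit indicator.
# "|| true" keeps the exit status 0 when nothing matches.
find_pwnkit_indicators() {
    grep -E "$PWNKIT_LOG_RE" || true
}

# Read log text on stdin and print the number of indicator lines (0 if none).
count_pwnkit_indicators() {
    grep -c -E "$PWNKIT_LOG_RE" || true
}

# Constructed sample of syslog-style lines: the first two carry the
# indicators, the last two are ordinary activity.
SAMPLE_AUTH_LOG='Jan 25 09:12:01 host pkexec[4021]: alice: The value for the SHELL variable was not found the /etc/shells file
Jan 25 09:12:01 host pkexec[4022]: alice: The value for environment variable XAUTHORITY contains suspicious content
Jan 25 09:13:40 host sshd[4100]: Accepted publickey for alice from 192.0.2.10 port 51022 ssh2
Jan 25 09:14:05 host pkexec[4150]: alice: Executing command [USER=root] [COMMAND=/usr/bin/systemctl status]'

# Run the checks against the live host. Log paths are assumptions:
# Debian-style hosts typically use auth.log, Red Hat-style hosts secure;
# journald-only hosts would feed "journalctl" output to the scan instead.
host_check() {
    bin=/usr/bin/pkexec
    if [ -e "$bin" ]; then
        if pkexec_is_suid "$bin"; then
            echo "$bin is setuid: install the vendor patch or run: chmod 0755 $bin"
        else
            echo "$bin is not setuid (mitigation applied, or patched package without setuid)"
        fi
    fi
    for log in /var/log/auth.log /var/log/secure; do
        [ -r "$log" ] || continue
        echo "$log: $(count_pwnkit_indicators < "$log") PwnKit indicator line(s)"
    done
    echo "Note: Qualys warns the bug can be exploited without leaving these log lines."
}

if [ "${1:-}" = "--host" ]; then
    host_check
else
    # Default: demonstrate the scan on the constructed sample (prints 2 lines).
    printf '%s\n' "$SAMPLE_AUTH_LOG" | find_pwnkit_indicators
fi
```

Run it with `--host` to check the machine you are on; without arguments it only scans the embedded sample. A count of zero is not a clean bill of health: as the article notes, Qualys cautioned that the flaw can be exploited without leaving these entries, so the log scan is an indicator of attempted or noisy exploitation, while the setuid check and the vendor patch are what actually close the hole.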