Checking for Vulnerable Systems for CVE-2021-4034 with PwnKit-Hunter

February 1, 2022 Asaf Hecht and Alon Zahavi

What is PwnKit Vulnerability CVE-2021-4034?

On January 25th, 2022, a critical vulnerability in polkit’s pkexec was publicly disclosed (link). The Qualys research team named this vulnerability “PwnKit”. The polkit package is meant for handling policies that allow unprivileged processes to communicate with privileged processes on Linux systems. Pkexec is part of polkit and handles the execution of commands by different user contexts following the polkit-defined policies. Vulnerable machines are installations of Ubuntu, Debian, Fedora, CentOS and more.

Why is it a dangerous vulnerability?

By exploiting this vulnerability, attackers on a vulnerable host could easily gain full root privileges from any unprivileged user.

The vulnerability has been widely discussed, and we believe malicious actors could start using it on vulnerable machines.

A POC of exploitation was also published publicly on GitHub:

https://github.com/arthepsy/CVE-2021-4034

Therefore, organizations and their security teams are advised to check their entire Linux-based machines and make sure they aren’t vulnerable.

What is “PwnKit-Hunter” and how it can help me?

PwnKit-Hunter is a set of tools that will help determine if your system’s polkit package is vulnerable to CVE-2021-4043, a.k.a. PwnKit.

The link for the “PwnKit-Hunter” detection scripts can be found here:

https://github.com/cyberark/PwnKit-Hunter

The tools are:

CVE-2021-4034_Finder.py:

This script uses your apt cache to find the current installed version of polkit and compare it to the patched version according to your distribution.

PwnKit-Patch-Finder.c:

The patch of Debian and Ubuntu to CVE-2021-4043 contained new exit() line that occurs only if the policykit-1 package is patched. This code will try to trigger this exit(), and will search for the appropriate code. In case pkexec exited with different code, the package needs to be updated.

DISCLAIMER: This script is only working on Debian and Ubuntu variants, as other distros patched the code in a different way.

How to run “PwnKit-Hunter”

CVE-2021-4034_Finder.py:

git clone https://github.com/cyberark/PwnKit-Hunter.git
cd PwnKit-Hunter
./CVE-2021-4034_Finder.py

PwnKit-Patch-Finder.c:

git clone https://github.com/cyberark/PwnKit-Hunter.git
cd PwnKit-Hunter
gcc PwnKit-Patch-Finder.c -o PwnKit-Patch-Finder
./PwnKit-Patch-Finder

What is the mitigation?

The recommended fix is to update your systems according to the security advisories of your Linux distribution type.

RadHat: https://access.redhat.com/security/vulnerabilities/RHSB-2022-001

Ubuntu: https://ubuntu.com/security/notices/USN-5252-1

Debian: https://security-tracker.debian.org/tracker/CVE-2021-4034

NIST Advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-4034

In order to mitigate it without updating, remove the setuid permission from pkexec:

chmod 0755 $(which pkexec)

To help ensure that the fix was fully deployed, CyberArk Labs developed simple scripts to detect and check if a scanned host is vulnerable or not.

The “PwnKit-Hunter” script is in the following GitHub repository:

https://github.com/cyberark/PwnKit-Hunter

Previous Article
How Docker Made Me More Capable and the Host Less Secure
How Docker Made Me More Capable and the Host Less Secure

TL;DR After Docker released a fix [1] for CVE-2021-21284 [2], it unintentionally created a new vulnerabilit...

Next Article
Analyzing Malware with Hooks, Stomps and Return-addresses
Analyzing Malware with Hooks, Stomps and Return-addresses

Table of Contents Introduction The First Detection The Module Stomp Bypass The Module Stomp Detection Final...