Friday, May 20, 2022

A bug that hides for 12 years gives attackers root on most major Linux distributions


Linux users received a big dose of bad news on Tuesday: a 12-year-old vulnerability in a system tool called Polkit gives attackers unfettered root privileges on machines running most major distributions of the open source operating system.

Formerly known as PolicyKit, Polkit manages system-wide privileges in Unix-like operating systems. It provides a mechanism for non-privileged processes to communicate safely with privileged ones. It also lets users run commands with elevated privileges by invoking a component called pkexec, followed by the command to run.

Trivial to exploit and 100 percent reliable

Like most operating systems, Linux provides a hierarchy of permission levels that controls when, and which, applications or users can interact with sensitive system resources. The design is intended to limit the damage that can occur if a user isn't trusted with administrative control of a system or if an application is compromised or malicious.

Since 2009, pkexec has contained a memory corruption vulnerability that people with limited control of a vulnerable machine can exploit to escalate privileges all the way to root. Exploiting the flaw is trivial and, by some accounts, 100 percent reliable. Attackers who already have a foothold on a vulnerable machine can abuse the vulnerability to ensure that a malicious payload or command runs with the highest system rights available. PwnKit, as researchers are calling the vulnerability, is also exploitable even if the Polkit daemon itself isn't running, because pkexec is a setuid-root binary that runs on its own.

PwnKit was discovered in November by researchers at security firm Qualys and was disclosed on Tuesday, after fixes had been released for most Linux distributions. PwnKit is tracked as CVE-2021-4034.

In an email, Bharat Jogi, director of vulnerability and threat research at Qualys, wrote:

The most likely attack scenario is of an internal threat where a malicious user could escalate from no privileges whatsoever to full root privileges. From an external threat perspective, if an attacker was able to gain a foothold on a system through another vulnerability or a password breach, that attacker could then escalate to full root privileges through this vulnerability.

Jogi said exploits require local, authenticated access to the vulnerable machine and can't be carried out remotely without such authentication. The original article embeds a video of the exploit in action, titled “PwnKit Vulnerability.”

For now, Qualys isn't releasing proof-of-concept exploit code, out of concern that it would be more of a boon to black hats than to defenders. PoC code has nonetheless been released by another source, and researchers say it's only a matter of time before PwnKit is exploited in the wild.

“We expect the exploit to be made public soon and attackers to start exploiting it – this is especially dangerous for any multi-user system that allows shell access to users,” Bojan Zdrnja, a penetration tester and handler at SANS, wrote. The researcher said he successfully recreated an exploit that worked on a machine running Ubuntu 20.04.

The Qualys researchers aren't the only ones to have stumbled upon this vulnerability, or at least a very similar bug. In 2013, researcher Ryan Mallon publicly reported the same flaw and even wrote a patch, although he ultimately could find no way to exploit it. And last June, GitHub security researcher Kevin Backhouse also reported a privilege escalation vulnerability in Polkit. It received the tracking name CVE-2021-3560 and a patch from major Linux distributors.


Major Linux distributors have released patches for the vulnerability, and security personnel strongly urge administrators to prioritize installing them. Those who can't patch immediately are advised to run chmod 0755 /usr/bin/pkexec, which removes the SUID bit from pkexec so it no longer runs as root when invoked by an unprivileged user. Note that legitimate pkexec invocations will also fail until the patched package is installed and restores the bit. Debian, Ubuntu, and Red Hat have each published advisories.

Those who want to know whether the vulnerability has been exploited on their systems can look for log entries that say “The value for the SHELL variable was not found in the /etc/shells file” or “The value for environment variable […] contains suspicious content.” However, Qualys warned that PwnKit can also be exploited without leaving any traces, so the absence of such entries proves nothing.
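As an added example (not code from the article, from Qualys, or from the Polkit project), the following Python script covers both of the preceding points: it reports whether a pkexec binary is still setuid root, can apply the chmod mitigation, and scans auth-log lines for the two indicator messages. The default path /usr/bin/pkexec, the sample log lines, and the deliberately tolerant regular expressions are assumptions of this example, not a Polkit specification.

```python
"""PwnKit (CVE-2021-4034) triage helper.

Added example, not code from the article, Qualys, or the Polkit project.
  1. reports whether a pkexec binary still carries the setuid bit that the
     interim mitigation (chmod 0755 /usr/bin/pkexec) removes, and can apply
     that mitigation;
  2. scans auth-log lines for the two pkexec messages listed as possible
     indicators of an exploitation attempt.
The sample log lines at the bottom are constructed for the demo. The exact
wording pkexec logs varies between Polkit versions, so the patterns below are
tolerant of small spelling differences (an assumption, not a specification).
"""
import os
import re
import stat
import tempfile
from typing import Dict, Iterable, List

PKEXEC_PATH = "/usr/bin/pkexec"  # assumed default location; adjust per distro

# Indicator 1: pkexec refused a SHELL value that is not listed in /etc/shells.
SHELL_INDICATOR = re.compile(
    r"The value for the SHELL variable was not found (?:in )?the\s*/\s*etc\s*/\s*shells file"
)
# Indicator 2: pkexec refused an environment variable with "suspicious"
# content; the variable name is captured so it can be reported.
ENV_INDICATOR = re.compile(
    r"The value for environment variable \[(?P<var>[^\]]*)\] contains sus\w+ content"
)


def setuid_in_mode(mode: int) -> bool:
    """True if the setuid bit is present in a st_mode or permission value."""
    return bool(mode & stat.S_ISUID)


def mitigated_mode(mode: int) -> int:
    """Permission bits with the setuid bit cleared (chmod u-s): 04755 -> 0755."""
    return stat.S_IMODE(mode) & ~stat.S_ISUID


def pkexec_status(path: str = PKEXEC_PATH) -> Dict[str, object]:
    """Describe whether `path` is still a setuid-root target.

    'exposed' is True only when the file is setuid AND owned by root: a setuid
    bit on a copy owned by some other user does not hand out root.
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return {"path": path, "exists": False, "setuid": False,
                "owner_uid": None, "exposed": False}
    suid = setuid_in_mode(st.st_mode)
    return {"path": path, "exists": True, "setuid": suid,
            "owner_uid": st.st_uid, "mode": oct(stat.S_IMODE(st.st_mode)),
            "exposed": suid and st.st_uid == 0}


def strip_setuid(path: str) -> int:
    """Apply the interim mitigation: clear the setuid bit in place.

    Until the patched Polkit package is installed, legitimate `pkexec <cmd>`
    calls fail without the bit; the package upgrade normally restores it.
    """
    new_mode = mitigated_mode(os.stat(path).st_mode)
    os.chmod(path, new_mode)
    return new_mode


def scan_auth_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one record per line matching a PwnKit indicator.

    No hits is NOT evidence of absence: the bug can be exploited without
    producing these entries at all.
    """
    hits: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\n")
        if SHELL_INDICATOR.search(line):
            hits.append({"indicator": "shell-not-in-etc-shells", "line": line})
        m = ENV_INDICATOR.search(line)
        if m:
            hits.append({"indicator": "suspicious-env-var",
                         "variable": m.group("var"), "line": line})
    return hits


# Constructed syslog-style sample: two indicator lines plus benign noise.
SAMPLE_LOG = [
    "Jan 25 10:14:02 host1 pkexec[4242]: The value for the SHELL variable was not found the /etc/shells file",
    "Jan 25 10:14:02 host1 pkexec[4242]: The value for environment variable [TERM] contains suscipious content",
    "Jan 25 10:15:30 host1 sshd[4300]: Accepted publickey for alice from 10.0.0.5 port 51122 ssh2",
    "Jan 25 10:16:01 host1 pkexec[4310]: alice: Executing command [USER=root] [TTY=/dev/pts/0] [CWD=/home/alice] [COMMAND=/usr/bin/id]",
]

if __name__ == "__main__":
    print("pkexec status:", pkexec_status())
    # Demonstrate the mitigation on a scratch file: clearing the bit on the
    # real binary requires root.
    fd, scratch = tempfile.mkstemp(prefix="pkexec-demo-")
    os.close(fd)
    os.chmod(scratch, 0o4755)
    print("scratch before:", pkexec_status(scratch)["mode"])
    print("scratch after :", oct(strip_setuid(scratch)))
    os.unlink(scratch)
    for hit in scan_auth_log(SAMPLE_LOG):
        print("INDICATOR", hit["indicator"], hit.get("variable", ""), "::", hit["line"])
```

Run it as an ordinary user to see the status of the installed pkexec; clearing the bit on the real binary requires root, which is why the demo applies strip_setuid to a scratch file instead. Feed scan_auth_log the lines of /var/log/auth.log (or journalctl output) on a real host, and treat an empty result as inconclusive rather than as a clean bill of health.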
