Recently Qualys released the news that has identified a vulnerability (CVE-2021-4034) en system component polkit (formerly PolicyKit), which is used in distributions to allow non-privileged users to perform actions that require elevated access rights.
Vulnerability allows an unprivileged local user to elevate their privileges to the root user and gain full control over the system. The issue is codenamed PwnKit and is notable for producing a working exploit that runs in default settings on most Linux distributions.
It is mentioned that the problem exists in the pkexec utility included with PolKit, which comes with the SUID root flag and is designed to run commands with the privileges of other users according to PolKit rules.
Due to wrong handling of arguments from the command line passed to pkexec, a non-privileged user could bypass authentication and have your code run as root, regardless of the established access rules. For an attack, no matter what settings and restrictions are set in PolKit, it is enough that the SUID root attribute is set for the executable file with the pkexec utility.
Pkexec does not check correctness of the count of command line arguments (argc) passed when starting a process. The pkexec developers assumed that the first entry in the argv array always contains the name of the process (pkexec), and the second entry is either NULL or the name of the command executed through pkexec.
Since the argument count was not compared to the actual contents of the array and was assumed to always be greater than 1, if an empty argv array was passed to the process, which Linux's execve function allows, pkexec treated NULL as the first argument ( process name), and the next after out of buffer memory, as the next array content.
The problem is that after the argv array in memory is the envp array that contains the environment variables. Thus, with an empty argv array, pkexec extracts the data about the command being executed with elevated privileges from the first element of the array with environment variables (argv[1] became identical to envp[0]), whose content can be controlled by the attacker.
Having received the value argv[1], pkexec tries to determine the full path to the executable file using the file paths in PATH and writes the pointer to the string with the full path back to argv[1], which leads to overwriting the value of the first environment variable as well, since argv[1] is identical to envp[0]. By manipulating the name of the first environment variable, an attacker can substitute another environment variable in pkexec, for example, substitute the "LD_PRELOAD" environment variable, which is not allowed in suid programs, and have the process load its shared library in the process.
The working exploit uses GCONV_PATH variable substitution, which is used to determine the path to the symbol transcoding library that is loaded dynamically when the g_printerr() function is called, which uses iconv_open() in its code.
By redefining the path in GCONV_PATH, the attacker can manage to load not the normal iconv library, but his own library, whose drivers will be executed during the error message at the stage where pkexec is still running as root and before verification of startup permissions.
It is observed that, although the problem is due to memory corruption, it can be reliably and repeatably exploited, regardless of the hardware architecture used.
The exploit prepared successfully tested on Ubuntu, Debian, Fedora and CentOS, but can also be used on other distributions. The original exploit is not yet publicly available, indicating that it is trivial and can be easily recreated by other researchers, so it is important to install the hotfix update as soon as possible on multi-user systems.
Polkit is also available for BSD and Solaris systems, but has not been explored for exploitation. What is known is that the attack cannot be performed on OpenBSD, since the OpenBSD kernel does not allow passing a null argc value when calling execve().
The problem has been around since May 2009 when the pkexec command was added. The fix for the vulnerability in PolKit is still available as a patch (the fix version has not been formed), but since the developers of the distribution were notified of the problem in advance, most distributions released an update at the same time. than disclosure of vulnerability information.
Finally if you are interested in knowing more about it, you can check the details in the following link.