PwnKit Privilege Escalation Detection
This article describes one way to detect PwnKit (CVE-2021-4034), a privilege escalation vulnerability on polkit's
As with the previous post, we are using Falco for detection and Sysdig for analysis.
Based on the Qualys report, this exploit depends on GLib to load the privesc code:
"To convert messages from one charset to another, iconv_open() executes small shared libraries; normally, these triplets ("from" charset, "to" charset, and library name) are read from a default configuration file, /usr/lib/gconv/gconv-modules. Alternatively, the environment variable GCONV_PATH can force iconv_open() to read another configuration file; naturally, GCONV_PATH is one of the "unsecure" environment variables (because it leads to the execution of arbitrary libraries), and is therefore removed by ld.so from the environment of SUID programs. Unfortunately, CVE-2021-4034 allows us to re-introduce GCONV_PATH into pkexec's environment, and to execute our own shared library, as root."
sudo sysdig "evt.category=process and evt.dir=<" -p"syscall=\"%syscall.type\" command=\"%proc.cmdline\" parent=\"%proc.pname\" env=\"%proc.env\""
The key here is being able to see the process environment variable (proc.env). For a complete list of fields, see this doc from falco.org.
Variations in the PATH environment variable can be prepended with arbitrary paths and the exploit will still work as long as GCONV_PATH is present. Example:
We should then look for GCONV_PATH= (and PATH= separately) and NOT
- rule: Potential Privilege Escalation in pkexec
  desc: Potential exploitation of PolKit pkexec vulnerability (CVE-2021-4034) (PwnKit)
  condition: spawned_process and proc.name=pkexec and proc.env contains "GCONV_PATH=" and proc.env contains "PATH="
  output: Potential Privilege Escalation in pkexec (user=%user.name user_loginname=%user.loginname user_loginuid=%user.loginuid event=%evt.type process=%proc.name command=%proc.cmdline pname=%proc.pname pcmdline=%proc.pcmdline env=%proc.env container_id=%container.id image=%container.image.repository)
  priority: WARNING  # assumed value: the original post does not show a priority, but Falco requires one to load the rule
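To make the matching logic of the rule above (and the "look for GCONV_PATH= even when PATH has arbitrary paths prepended" point before it) checkable offline, here is an added Python model of the condition. This is example code written for this page, not code from the original post or from Falco; the event dictionaries, user names and paths in it are constructed placeholders. It mirrors two Falco behaviours the rule relies on: proc.env is exposed as one string of KEY=VALUE entries separated by spaces, and `contains` is a plain substring test, which is what lets the rule see GCONV_PATH= even when it is embedded inside the value of PATH.

```python
# Added example (not from the original post or from Falco): a Python model of the
# Falco rule above, evaluated over constructed spawned-process events.
# Falco presents proc.env as one space-separated string of "KEY=VALUE" entries,
# and `contains` is a substring test; both are mirrored here.

SPAWN_TYPES = ("execve", "execveat")  # what Falco's spawned_process macro matches


def spawned_process(event: dict) -> bool:
    """Mirror of the spawned_process macro: an execve/execveat exit event."""
    return event.get("evt.type") in SPAWN_TYPES and event.get("evt.dir") == "<"


def pkexec_rule_matches(event: dict) -> bool:
    """Condition of the rule above:
    spawned_process and proc.name=pkexec and proc.env contains "GCONV_PATH="
    and proc.env contains "PATH=" (substring semantics, like Falco's `contains`).
    """
    env = event.get("proc.env", "")
    return (spawned_process(event)
            and event.get("proc.name") == "pkexec"
            and "GCONV_PATH=" in env
            and "PATH=" in env)


def gconv_indicators(env: str) -> list:
    """Every env entry carrying GCONV_PATH=, whether it is a standalone variable
    or sits inside another value (e.g. a PATH with directories prepended).
    Splitting on spaces matches how Falco joins the entries."""
    return [entry for entry in env.split() if "GCONV_PATH=" in entry]


def format_alert(event: dict) -> str:
    """Shortened form of the rule's output line, with the triggering entries appended."""
    hits = ", ".join(gconv_indicators(event.get("proc.env", "")))
    return (f"Potential Privilege Escalation in pkexec (user={event.get('user.name')} "
            f"command={event.get('proc.cmdline')} pname={event.get('proc.pname')} "
            f"indicators=[{hits}])")


# Constructed events for this example (not captured data); all values are placeholders.
BENIGN = {
    "evt.type": "execve", "evt.dir": "<", "proc.name": "pkexec",
    "proc.cmdline": "pkexec --version", "proc.pname": "bash", "user.name": "alice",
    "proc.env": "PATH=/usr/local/bin:/usr/bin SHELL=/bin/bash USER=alice",
}
# GCONV_PATH present as its own variable.
STANDALONE_VAR = {**BENIGN, "proc.cmdline": "pkexec",
                  "proc.env": "GCONV_PATH=/tmp/constructed PATH=/usr/bin SHELL=/bin/sh"}
# GCONV_PATH embedded in PATH, which has arbitrary directories prepended.
PREPENDED_PATH = {**BENIGN, "proc.cmdline": "pkexec",
                  "proc.env": "PATH=/opt/bin:/usr/bin:GCONV_PATH=/tmp/constructed SHELL=/bin/sh"}
# Same environment, but the process is not pkexec: the rule must stay quiet.
OTHER_PROCESS = {**STANDALONE_VAR, "proc.name": "iconv", "proc.cmdline": "iconv -l"}


def run_examples() -> dict:
    """Evaluate the rule over the constructed events, keyed by scenario."""
    return {
        "benign": pkexec_rule_matches(BENIGN),
        "standalone_var": pkexec_rule_matches(STANDALONE_VAR),
        "prepended_path": pkexec_rule_matches(PREPENDED_PATH),
        "other_process": pkexec_rule_matches(OTHER_PROCESS),
    }


if __name__ == "__main__":
    for name, fired in run_examples().items():
        print(f"{name:15s} fired={fired}")
    print(format_alert(PREPENDED_PATH))
```

Two things this model makes visible. First, because `contains` is a substring test, the rule fires on the prepended-PATH variation as well as on a standalone GCONV_PATH entry, which is exactly the property the post asks for. Second, the string "GCONV_PATH=" itself contains "PATH=", so the `proc.env contains "PATH="` clause is always satisfied whenever the first clause is; it does no harm, but it does not narrow the condition either.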
Thanks to Francisco Oca for reviewing this writeup and helping me out with the PoC.
Originally published at https://pirx.io on June 7, 2022.