PwnKit Privilege Escalation Detection

Jun 7, 2022


This article describes one way to detect PwnKit (CVE-2021-4034), a local privilege escalation vulnerability in polkit's pkexec utility.

As with the previous post, we are using Falco for detection and Sysdig for analysis.



Based on the Qualys report, the exploit relies on glibc's iconv_open() (reached through GLib's g_printerr() inside pkexec) to load the privilege-escalation code as a shared library:

To convert messages from one charset to another, iconv_open() executes small shared libraries; normally, these triplets ("from" charset, "to" charset, and library name) are read from a default configuration file, /usr/lib/gconv/gconv-modules. Alternatively, the environment variable GCONV_PATH can force iconv_open() to read another configuration file; naturally, GCONV_PATH is one of the "unsecure" environment variables (because it leads to the execution of arbitrary libraries), and is therefore removed from the environment of SUID programs.

Unfortunately, CVE-2021-4034 allows us to re-introduce GCONV_PATH into pkexec's environment, and to execute our own shared library, as root.

Public PoCs referenced in this writeup: berdav PoC and ly4k PoC.

Sysdig command

sudo sysdig "evt.category=process and evt.dir=<" -p"syscall=\"%syscall.type\" command=\"%proc.cmdline\" parent=\"%proc.pname\" env=\"%proc.env\""


The key here is being able to see the process environment (%proc.env) at the moment the process is spawned, which is where the injected GCONV_PATH shows up.

For a complete list of filter fields, see the Sysdig fields documentation.

Sysdig output



Variations in the PATH envvar

The PATH environment variable can be prepended with arbitrary paths and the exploit will still work as long as GCONV_PATH is present. Example:

Sysdig output:

We should therefore match on the substring GCONV_PATH= (and on PATH= separately), and NOT on the literal string PATH=GCONV_PATH=, since the attacker can prepend any directories to PATH and break a literal match.

Falco rule

- rule: Potential Privilege Escalation in pkexec
  desc: Potential exploitation of the polkit pkexec vulnerability CVE-2021-4034 (PwnKit)
  condition: >
    spawned_process and proc.env contains "GCONV_PATH=" and proc.env contains "PATH="
  output: Potential Privilege Escalation in pkexec (user_loginname=%user.loginname user_loginuid=%user.loginuid event=%evt.type command=%proc.cmdline pname=%proc.pname pcmdline=%proc.pcmdline env=%proc.env image=%container.image.repository)
  priority: CRITICAL
  tags: [mitre_privilege_escalation]

Two things to keep in mind when deploying this rule. First, Falco's contains operator is a plain substring match, and the string GCONV_PATH= itself contains PATH=, so the second clause is redundant: the rule fires on any spawned process whose environment contains GCONV_PATH= anywhere, whether as a real variable or embedded in a PATH entry. Second, the condition is not restricted to pkexec; that is acceptable because GCONV_PATH has almost no legitimate use on a production host, but add a proc.name check if it turns out to be noisy in your environment.
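To make the point of the "Variations in the PATH envvar" section and of the rule above concrete, here is an added example (not code from the original post or from the Falco project) that runs the two matching strategies over constructed environment strings and also parses them to tell a real GCONV_PATH variable apart from a PATH entry that is merely a directory named GCONV_PATH=. The samples are constructed, loosely modelled on the public PoCs, and the example assumes the space-separated "ENV1=VAL1 ENV2=VAL2" rendering that Falco's proc.env field uses; the function names are this example's own.

```python
# Added example (not from the original post): apply the GCONV_PATH detection
# logic to constructed proc.env samples and show why a literal match on
# "PATH=GCONV_PATH=" misses the prepended-PATH variant.

# Constructed sample environments (not captured output), written the way
# Falco's proc.env renders an environment: "ENV1=VAL1 ENV2=VAL2" (assumed).
SAMPLES = {
    # envp handed to pkexec at execve: PATH whose only entry is a directory
    # literally named "GCONV_PATH=." (constructed, PoC-style)
    "poc_env": "PATH=GCONV_PATH=. CHARSET=PWNKIT SHELL=pwnkit",
    # the variant from the text: arbitrary directories prepended to PATH
    "prepended_path": "PATH=/tmp:/var/tmp:GCONV_PATH=. CHARSET=PWNKIT SHELL=pwnkit",
    # a genuine GCONV_PATH variable, which the loader strips for SUID programs
    "gconv_var": "GCONV_PATH=./pwnkit PATH=/usr/bin:/bin CHARSET=PWNKIT",
    # an ordinary interactive shell environment
    "benign": "PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/bin HOME=/root LANG=C.UTF-8",
}


def literal_match(env: str) -> bool:
    """Brittle check on the literal string PATH=GCONV_PATH=; a prepended PATH defeats it."""
    return "PATH=GCONV_PATH=" in env


def falco_condition(env: str) -> bool:
    """Same logic as the rule's proc.env clauses (Falco's contains is a substring match)."""
    return "GCONV_PATH=" in env and "PATH=" in env


def parse_env(env: str) -> dict:
    """Split a space-separated 'K=V K=V' string into a dict, splitting on the first '='."""
    pairs = (item.split("=", 1) for item in env.split() if "=" in item)
    return {key: value for key, value in pairs}


def classify(env: str) -> str:
    """Report where GCONV_PATH appears, which tells you which stage of the attack you see."""
    variables = parse_env(env)
    if "GCONV_PATH" in variables:
        # A real GCONV_PATH variable. The loader removes it for SUID binaries, so
        # seeing it in a SUID process means it was re-introduced after exec.
        return "gconv_path_variable"
    path_entries = variables.get("PATH", "").split(":")
    if any(entry.startswith("GCONV_PATH=") for entry in path_entries):
        # A PATH entry that is a directory named GCONV_PATH=...: the envp the
        # exploit passes at execve, before pkexec rewrites envp[0].
        return "gconv_path_in_path_entry"
    return "clean"


def detect_all(samples=SAMPLES) -> dict:
    """Run both detectors and the classifier over every sample."""
    return {
        name: {
            "literal": literal_match(env),
            "falco": falco_condition(env),
            "class": classify(env),
        }
        for name, env in samples.items()
    }


def path_clause_is_redundant(samples=SAMPLES) -> bool:
    """True if dropping the PATH= clause never changes the rule's verdict on the samples."""
    return all(falco_condition(env) == ("GCONV_PATH=" in env) for env in samples.values())


if __name__ == "__main__":
    for name, result in detect_all().items():
        print(f"{name:15} literal={result['literal']!s:5} falco={result['falco']!s:5} {result['class']}")
    print("PATH= clause redundant on samples:", path_clause_is_redundant())
```

Running it shows the literal match catching only the unmodified PoC environment while the substring condition catches both PATH variants and the re-introduced variable, and the classifier separates the execve-time envp (GCONV_PATH= inside a PATH entry) from the post-exec state (a real GCONV_PATH variable), which is useful when triaging which process in the sysdig output you are looking at.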


Thanks to Francisco Oca for reviewing this writeup and helping me out with the PoC.

Originally published on June 7, 2022.
