This article describes one way to detect the PwnKit ( CVE-2021–4034), a privilege escalation vulnerability on polkit’s pkexec
utility.
As with the previous post, we are using Falco for detection and Sysdig for analysis.
Resources
Premise
Based on the Qualys report, this exploit depends on GLib to load the privesc code:
To convert messages from one charset to another,
iconv_open()
executes small shared libraries; normally, these triplets ("from" charset, "to" charset, and library name) are read from a default configuration file,/usr/lib/gconv/gconv-modules
. Alternatively, the environment variableGCONV_PATH
can forceiconv_open()
to read another configuration file; naturally,GCONV_PATH
is one of the "unsecure" environment variables (because it leads to the execution of arbitrary libraries), and is therefore removed byld.so
from the environment of SUID programs.Unfortunately, CVE-2021–4034 allows us to re-introduce
GCONV_PATH
into pkexec's environment, and to execute our own shared library, as root.
berdav PoC
ly4k PoC
Sysdig command
sudo sysdig "evt.category=process and evt.dir=<" -p"syscall=\"%syscall.type\" command=\"%proc.cmdline\" parent=\"%proc.pname\" env=\"%proc.env\""
Explanation:
The key here is being able to see the process environment variable (%proc.env
).
For a complete list of fields, see this doc from falco.org.
Sysdig output
berdav
ly4k
Variations in the PATH
envvar
The PATH
environment variable can be prepended with arbitrary paths and the exploit will still work as long as GCONV_PATH
is present. Example:
Sysdig output:
We should then look for GCONV_ENV=
(and PATH=
separately) and NOT PATH=GCONV_ENV=
.
Falco rule
- rule: Potential Privilege Escalation in pkexec
desc: Potential exploitation of PolKit pkexec vulnerability (CVE-2021-44228)(PwnKit)
condition: >
spawned_process and proc.name=pkexec and proc.env contains "GCONV_PATH=" and proc.env contains "PATH="
output: Potential Privilege Escalation in pkexec (user=%user.name user_loginname=%user.loginname user_loginuid=%user.loginuid event=%evt.type process=%proc.name command=%proc.cmdline pname=%proc.pname pcmdline=%proc.pcmdline env=%proc.env container_id=%container.id image=%container.image.repository)
priority: CRITICAL
tags: [mitre_privilege_escalation]
Acknowledgements
Thanks to Francisco Oca for reviewing this writeup and helping me out with the PoC.
Originally published at https://pirx.io on June 7, 2022.