A disclosed vulnerability affecting the PolKit component has been present in several Linux distributions for over 12 years. The vulnerability is easily exploited, says Bharat Jogi, Director of the Qualys Research Team that discovered it.
PolKit provides a mechanism that lets non-privileged processes communicate with privileged ones; its pkexec command lets users execute commands with root privileges.
In relation to this, InfoQ explains in a blog post that at the root of the vulnerability is a memory corruption issue in the way pkexec handles its command line arguments. When it is run with no arguments at all, which means argc is 0, a part of its main function performs an out-of-bounds write which, under the right conditions, overwrites the next contiguous slot in memory. That slot happens to be envp[0], so one can easily inject a malicious environment variable into pkexec's environment.
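To make the argc == 0 case concrete, the following is an added example (not code from the article or from the PolKit project). It models, on a constructed pointer array rather than real process memory, the layout the kernel hands to a new process: argv entries, a NULL terminator, then the envp entries. The "unchecked" routine follows the pattern the article describes, reading argv[1] and writing back to it without first confirming that argc is at least 1; the "checked" routine is the hardened form that refuses to proceed. The function names, the CONSTRUCTED_VAR variable and the resolved path string are all assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed environment entry used to make the aliasing visible; not a real variable. */
#define CONSTRUCTED_ENV0 "CONSTRUCTED_VAR=original"

/*
 * Vulnerable pattern, modelled on the article's description (not pkexec's source).
 * The index of the first non-option argument starts at 1.  With argc == 0 there is
 * no argv[0] and argv[1] is the slot right after the NULL terminator, i.e. envp[0].
 * Reading it is a read past the end of argv; writing the resolved value back is the
 * out-of-bounds write the article describes, and it lands on envp[0].
 */
static const char *resolve_unchecked(int argc, const char **argv, const char *resolved) {
    (void)argc;                      /* never consulted: that is the defect */
    int n = 1;                       /* first non-option argument */
    const char *path = argv[n];      /* past the end of argv when argc == 0 */
    argv[n] = resolved;              /* overwrites envp[0] when argc == 0 */
    return path;
}

/* Hardened pattern: require a program name and at least one argument before touching argv[1]. */
static const char *resolve_checked(int argc, const char **argv, const char *resolved) {
    if (argc < 2) return NULL;       /* argc == 0, or no argument supplied: nothing to resolve */
    argv[1] = resolved;
    return resolved;
}

/* Returns 1 if the unchecked variant read envp[0] as its argument and then overwrote it. */
int demo_unchecked_aliases_envp0(void) {
    /* Constructed process vector for argc == 0: { NULL, envp[0], envp[1], NULL }. */
    const char *argv[] = { NULL, CONSTRUCTED_ENV0, "OTHER=1", NULL };
    const char **envp = argv + 1;    /* envp begins immediately after argv's terminator */
    const char *read = resolve_unchecked(0, argv, "/resolved/path");
    return strcmp(read, CONSTRUCTED_ENV0) == 0 && strcmp(envp[0], "/resolved/path") == 0;
}

/* Returns 1 if the checked variant refuses and leaves the environment untouched. */
int demo_checked_refuses(void) {
    const char *argv[] = { NULL, CONSTRUCTED_ENV0, "OTHER=1", NULL };
    const char **envp = argv + 1;
    const char *r = resolve_checked(0, argv, "/resolved/path");
    return r == NULL && strcmp(envp[0], CONSTRUCTED_ENV0) == 0;
}

int main(void) {
    printf("unchecked read/write reaches envp[0]: %s\n",
           demo_unchecked_aliases_envp0() ? "yes" : "no");
    printf("checked variant refuses argc == 0:    %s\n",
           demo_checked_refuses() ? "yes" : "no");
    return 0;
}
```

The point the example isolates is that argc is the only thing separating a legitimate argument read from a read of the environment block; a guard on argc (or a kernel that refuses an empty argv, as the article notes OpenBSD does) closes the gap.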
Qualys did not disclose code that exploits the vulnerability. However, since the vulnerability is so easy to exploit, public exploits have become available online. Qualys demonstrates how PwnKit can be exploited by the nobody user, which has no privileges at all, on a fully-patched Linux distro.
While it is true that PwnKit alone is not enough to take control of a remote system, attackers routinely exploit several vulnerabilities in combination. This method is called a vulnerability chain, and it is why all affected systems should be patched as soon as possible.
Until a patch is applied, a temporary mitigation is available that is trivial to apply: remove the SUID bit from pkexec by running chmod 0755 /usr/bin/pkexec
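The stopgap above is a one-liner, but on a fleet one usually wants to verify the bit is actually gone and to report hosts that still carry it. The following is an added example (not from the article or the PolKit project) that checks candidate pkexec paths for the set-user-ID bit, applies the article's chmod 0755 mitigation, and confirms the result. The default path list and the scratch-file self-check are assumptions; the self-check works on a temporary file it creates, never on a real pkexec.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/stat.h>

/* Return 1 if PATH exists and carries the set-user-ID bit, 0 if it does not, -1 on error. */
int is_suid(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (st.st_mode & S_ISUID) ? 1 : 0;
}

/* Apply the article's mitigation (mode 0755, no SUID) and verify it took effect.
 * Returns 0 on success, -1 if chmod failed or the bit is somehow still set. */
int strip_suid(const char *path) {
    if (chmod(path, 0755) != 0) return -1;
    return is_suid(path) == 0 ? 0 : -1;
}

/* Report each candidate path and return how many still have SUID set. */
int audit_pkexec(const char *const *paths, int count) {
    int still_suid = 0;
    for (int i = 0; i < count; i++) {
        int r = is_suid(paths[i]);
        if (r < 0) {
            printf("%s: not checked (%s)\n", paths[i], strerror(errno));
        } else if (r == 1) {
            printf("%s: SUID set; apply the vendor patch or strip the bit\n", paths[i]);
            still_suid++;
        } else {
            printf("%s: SUID not set\n", paths[i]);
        }
    }
    return still_suid;
}

/* Self-check on a constructed scratch file: set SUID, strip it, confirm it is gone.
 * Returns 1 on success.  If the filesystem refuses to keep the bit for this user,
 * only the "not set" path is exercised. */
int self_check(void) {
    char tmpl[] = "/tmp/pkexec_audit_XXXXXX";   /* constructed scratch file, not a real pkexec */
    int fd = mkstemp(tmpl);
    if (fd < 0) return 0;
    close(fd);
    int ok;
    if (chmod(tmpl, 04755) == 0 && is_suid(tmpl) == 1) {
        ok = strip_suid(tmpl) == 0 && is_suid(tmpl) == 0;
    } else {
        ok = is_suid(tmpl) == 0;
    }
    unlink(tmpl);
    return ok;
}

int main(int argc, char **argv) {
    /* Assumed default locations; pass explicit paths on the command line to override. */
    static const char *const defaults[] = { "/usr/bin/pkexec", "/usr/local/bin/pkexec" };
    const char *const *paths = argc > 1 ? (const char *const *)(argv + 1) : defaults;
    int count = argc > 1 ? argc - 1 : 2;
    int remaining = audit_pkexec(paths, count);
    return remaining ? 1 : 0;
}
```

Run it as root with no arguments to audit the default locations, or give it the paths your distribution installs; a non-zero exit status means at least one candidate still has the bit. Note that mode 0755 leaves pkexec installed but unable to grant privileges to anyone, which is why the article calls it a temporary measure pending the distribution's patch.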
Jogi commented that, in addition to Linux-based distributions, the vulnerability may also affect other UNIX-like operating systems where Polkit is available. The researchers at Qualys did not investigate their exploitability, though, except for OpenBSD, which is not vulnerable because its kernel refuses to execve() a program if argc is 0.