This article describes one way to detect the PwnKit (CVE-2021-4034), a privilege escalation vulnerability on polkit’s pkexec utility.

As with the previous post, we are using Falco for detection and Sysdig for analysis.

Resources

Analysis

Premise

Based on the Qualys report, this exploit depends on GLib to load the privesc code:

To convert messages from one charset to another, iconv_open() executes small shared libraries; normally, these triplets (“from” charset, “to” charset, and library name) are read from a default configuration file, /usr/lib/gconv/gconv-modules. Alternatively, the environment variable GCONV_PATH can force iconv_open() to read another configuration file; naturally, GCONV_PATH is one of the “unsecure” environment variables (because it leads to the execution of arbitrary libraries), and is therefore removed by ld.so from the environment of SUID programs.

Unfortunately, CVE-2021-4034 allows us to re-introduce GCONV_PATH into pkexec’s environment, and to execute our own shared library, as root.

PoC code

berdav PoC

ly4k PoC

Sysdig command

sudo sysdig "evt.category=process and evt.dir=<" -p"syscall=\"%syscall.type\" command=\"%proc.cmdline\" parent=\"%proc.pname\" env=\"%proc.env\""

Explanation:

Statement Description
evt.category=process (Filter) Process events
evt.dir=< (Filter) Exit events
%syscall.type (Output) Type of syscall
%proc.cmdline (Output) Full command
%proc.pname (Output) Parent process name
%proc.env (Output) Process environment variables

The key here is being able to see the process environment variable (%proc.env).

For a complete list of fields, see this doc from falco.org.

Sysdig output

berdav

ly4k

Variations in the PATH envvar

The PATH environment variable can be prepended with arbitrary paths and the exploit will still work as long as GCONV_PATH is present. Example:

Sysdig output:

We should then look for GCONV_ENV= (and PATH= separately) and NOT PATH=GCONV_ENV=.

Falco rule

- rule: Potential Privilege Escalation in pkexec
  desc: Potential exploitation of PolKit pkexec vulnerability (CVE-2021-44228)(PwnKit)
  condition: >
    spawned_process and proc.name=pkexec and proc.env contains "GCONV_PATH=" and proc.env contains "PATH="    
  output: Potential Privilege Escalation in pkexec (user=%user.name user_loginname=%user.loginname user_loginuid=%user.loginuid event=%evt.type process=%proc.name command=%proc.cmdline pname=%proc.pname pcmdline=%proc.pcmdline env=%proc.env container_id=%container.id image=%container.image.repository)
  priority: CRITICAL
  tags: [mitre_privilege_escalation]

Acknowledgements

Thanks to Francisco Oca for reviewing this writeup and helping me out with the PoC.