PwnKit Privilege Escalation Detection

This article describes one way to detect PwnKit (CVE-2021-4034), a privilege escalation vulnerability in polkit’s pkexec utility. As with the previous post, we are using Falco for detection and Sysdig for analysis.

Resources: Qualys report; PoC by berdav; PoC by ly4k.

Analysis

Premise: Based on the Qualys report, this exploit depends on GLib to load the privesc code:

“To convert messages from one charset to another, iconv_open() executes small shared libraries; normally, these triplets (“from” charset, “to” charset, and library name) are read from a default configuration file, /usr/lib/gconv/gconv-modules. Alternatively, the environment variable GCONV_PATH can force iconv_open() to read another configuration file; naturally, GCONV_PATH is one of the “unsecure” environment variables (because it leads to the execution of arbitrary libraries), and is therefore removed by ld.so from the environment of SUID programs.” ...

June 7, 2022 · 2 min · pirx

Syscall-Based Log4Shell Detection on Linux

This is a write-up about detecting exploitation of the Log4Shell vulnerability (CVE-2021-44228) in Log4j by monitoring specific syscalls using Falco. This post also describes the analysis I employed to arrive at my conclusions. Note that this is not meant to be an end-all detection for Log4Shell, but instead one of many that, as a whole, provide coverage across different points of visibility.

UPDATE (2022-06-20): This post outlines an alternative way to detect Log4Shell, this time using Falco’s brand new byte matching feature. ...

May 20, 2022 · 10 min · pirx