Jump to content


Recommended Posts


We discovered a Local Privilege Escalation (from any user to root) in
polkit's pkexec, a SUID-root program that is installed by default on
every major Linux distribution:

"Polkit (formerly PolicyKit) is a component for controlling system-wide
privileges in Unix-like operating systems. It provides an organized way
for non-privileged processes to communicate with privileged ones. [...]
It is also possible to use polkit to execute commands with elevated
privileges using the command pkexec followed by the command intended to
be executed (with root permission)." (Wikipedia)


This vulnerability is an attacker's dream come true:

- pkexec is installed by default on all major Linux distributions (we
  exploited Ubuntu, Debian, Fedora, CentOS, and other distributions are
  probably also exploitable);

- pkexec is vulnerable since its creation, in May 2009 (commit c8c3d83,
  "Add a pkexec(1) command");

- any unprivileged local user can exploit this vulnerability to obtain
  full root privileges;

- although this vulnerability is technically a memory corruption, it is
  exploitable instantly, reliably, in an architecture-independent way;

- and it is exploitable even if the polkit daemon itself is not running.


Reference link : https://seclists.org/oss-sec/2022/q1/80

  • Upvote 4
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...