Serious Linux privilege escalation bug lay hidden for 12 years

Security researchers have found a local privilege escalation bug in Linux distributions that allows any unprivileged user to execute code with the root superuser rights, giving them access to the entire system.

Security vendor Qualys called the bug PwnKit, and said it was introduced into the polkit or PolicyKit system-wide privilege control tool in May 2009, which is 12 years ago.

Qualys said the vulnerability lies in polkit's pkexec command, which has code bugs that let attackers do out-of-bounds writes to introduce unsafe environment variables.

While the researchers won't publish proof-of-concept code for PwnKit, they said that "given how easy it is to exploit the vulnerability, we anticipate public exploits to become available within a few days".

iTnews has sighted proof-of-concept code for the vulnerability posted on the web.

The Ubuntu, Debian, Fedora and CentOS Linux distributions have been verified as vulnerabile by Qualys security researchers.

However, it is likely that other Linux distributions are vulnerable and exploitable as well.

Qualys reported the vulnerability to enterprise Linux vendor Red Hat on November 18 last year, and patches are now available.

As a temporary mitigation, it's also possible to remove the SUID bit from the pkexec program, with chmod 0755.

While polkit supports proper UNIX-like operating systems such as Solaris and different BSD distributions as well as Linux, Qualys said it has not explored if the vulnerability exists in these as well.

The security and code correctness-oriented OpenBSD operating system is not exploitable, as the execve() syscall in its kernel refuses to run programs, if the argc count is zero.

Polkit has seen other privilege escalation bugs in recent times that allows code execution as root.

In June last year, security researcher Kevin Backhouse posted about a seven-year-old bug in polkit that was again easily exploitable in conjunction with other system utilities.