Replacing pkexec with sudo


I just learned about CVE-2021-40341, which is a cool local privilege escalation on many major linux distros through pkexec.

Funnily enough, the command name seemed familiar… but the exploit didn’t work for me:

$ which pkexec
$ sed -i 's,/usr/bin/pkexec,/usr/local/bin/pkexec,' blasty-vs-pkexec.c
$ gcc -o blasty-vs-pkexec blasty-vs-pkexec.c 
$ ./blasty-vs-pkexec 
[~] compile helper..
[~] maybe get shell now?
$ id -u

And then I remembered why. When I was trying to install VMware® Workstation 16 Pro, I couldn’t get it work on my machine due to missing pkexec2 and/or some other dependencies.


So in order to install something like pkexec, I apparently did the easy thing3: used equivs to build a dummy package to replace policykit-1:

apt install equivs
cat > policykit-1.ctl <<'EOF'
Package: policykit-1
Section: admin
Description: kill policykit-1 with fire
equivs-build policykit-1.ctl
dpkg -i ./policykit-1_1.0_all.deb

and then hacked up a shell wrapper around sudo to provide basic pkexec functionality:

export SUDO_ASKPASS=/usr/bin/ssh-askpass
if [ ".$1" = ".--user" ]; then
  shift 2
exec /usr/bin/sudo --user="$UN" -A "$@"

I mean, this is hardly an “on par” replacement, sudo isn’t a stellar example of bugfree package… and that’s not incense. But in the great scheme of things, it’s good enough4. And CVE-2021-4034 free, it seems. Shiny.

  1. As detailed in Major Bug Grants Root For All Major Linux Distributions article.

  2. Because I’ve come to dislike systemd. And as such, I stay true to sysvinit. So all the packages depending on systemd need special treatment on my system(s).

  3. Not that I remember the exact details, but this much I can reverse.

  4. count(suid binaries)--;