Replacing pkexec with sudo


Intro

I just learned about CVE-2021-4034[1], which is a cool local privilege escalation on many major Linux distros through pkexec.

Funnily enough, the command name seemed familiar… but the exploit didn’t work for me:

$ which pkexec
/usr/local/bin/pkexec
$ sed -i 's,/usr/bin/pkexec,/usr/local/bin/pkexec,' blasty-vs-pkexec.c
$ gcc -o blasty-vs-pkexec blasty-vs-pkexec.c 
$ ./blasty-vs-pkexec 
[~] compile helper..
[~] maybe get shell now?
[...]
$ id -u
1000

And then I remembered why. When I was trying to install VMware® Workstation 16 Pro, I couldn’t get it to work on my machine because of a missing pkexec[2] and/or some other dependencies.

Mitigation

So in order to provide something like pkexec, I apparently did the easy thing[3]: used equivs to build a dummy package that replaces policykit-1:

apt install equivs
cat > policykit-1.ctl <<'EOF'
Package: policykit-1
Section: admin
Description: kill policykit-1 with fire
EOF
equivs-build policykit-1.ctl
dpkg -i ./policykit-1_1.0_all.deb

and then hacked up a shell wrapper around sudo to provide basic pkexec functionality:

#!/bin/bash
# Callers of pkexec may have no terminal, so let sudo ask for the password
# through a graphical helper.
export SUDO_ASKPASS=/usr/bin/ssh-askpass
# pkexec's "--user NAME" selects the target account; the default is root.
if [ ".$1" = ".--user" ]; then
  UN="$2"
  shift 2
else
  UN="root"
fi
# -A makes sudo use SUDO_ASKPASS instead of prompting on the tty.
exec /usr/bin/sudo --user="$UN" -A "$@"

I mean, this is hardly an “on par” replacement; sudo isn’t a stellar example of a bug-free package either, and that’s not meant as praise. But in the grand scheme of things, it’s good enough[4]. And CVE-2021-4034-free, it seems. Shiny.
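For anyone wanting a slightly sturdier version of the wrapper above, here is an added example (my own, not the original wrapper) that also accepts the --user=NAME and -u forms pkexec understands, stops option parsing at "--", rejects unknown options, and refuses user names that don't look like login names. SUDO_BIN is an assumed override hook so the function can be exercised without root; ssh-askpass is assumed as before.

```shell
#!/bin/bash
# pkexec-compatible front end to sudo. SUDO_BIN and SUDO_ASKPASS may be
# overridden from the environment (assumed hook, mainly for testing).
SUDO_BIN="${SUDO_BIN:-/usr/bin/sudo}"
export SUDO_ASKPASS="${SUDO_ASKPASS:-/usr/bin/ssh-askpass}"

pkexec_sudo() {
    user=root
    while [ $# -gt 0 ]; do
        case "$1" in
            --user=*) user="${1#--user=}"; shift ;;
            --user|-u)
                [ $# -ge 2 ] || { echo "pkexec: --user needs an argument" >&2; return 2; }
                user="$2"; shift 2 ;;
            --) shift; break ;;                 # end of options
            --disable-internal-agent) shift ;;  # pkexec option with no sudo meaning
            -*) echo "pkexec: unknown option: $1" >&2; return 2 ;;
            *) break ;;                         # first non-option is the command
        esac
    done
    [ $# -gt 0 ] || { echo "pkexec: no command given" >&2; return 2; }
    # Only plain login-name characters, never a leading dash: the value must
    # never be able to read as an extra sudo option or shell fragment.
    case "$user" in
        ''|-*|*[!A-Za-z0-9._-]*) echo "pkexec: bad user name: $user" >&2; return 2 ;;
    esac
    # "--" keeps sudo from parsing the program's own arguments as its options.
    "$SUDO_BIN" --user="$user" -A -- "$@"
}

# Dispatch only when run with arguments, so the file can also be sourced.
if [ $# -gt 0 ]; then
    pkexec_sudo "$@"
fi
```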

  1. As detailed in the Major Bug Grants Root For All Major Linux Distributions article.

  2. Because I’ve come to dislike systemd. And as such, I stay true to sysvinit. So all the packages depending on systemd need special treatment on my system(s).

  3. Not that I remember the exact details, but this much I can reverse.

  4. count(suid binaries)--;