Hello, welcome to the Wednesday, January 26, 2022 edition of the Sansonet Storm Center's

Stormcast. My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Qualdez discovered a new privilege escalation vulnerability in Unix or really Linux-based systems relying on Polkitt.

Polkid is pretty much installed and part of any modern Unix distribution.

It's not necessarily really just Linux, but of course these days,

mostly people are dealing with Linux.

Policy Kit and PKXC, the binary that sort of comes with it

and allows you to actually execute commands as other users is a little bit similar to the more

popular pseudo, but really a more modern and more fine-cranged version of it. So with P-KXec, which is an

SUID-Root binary, you're able to execute commands as different users and you have then

some restricted access as to what you're able to do with these commands.

With pseudo, on the other hand, once I give you pseudo permissions to execute a certain command

as a certain user, I may be able to restrict what the parameters is where you can pass to it,

but once you're running the command, there's very little

else I can do. And with so many commands, for example, being able to spawn shells and such,

it's very difficult to really get that fine-crain control in pseudo, which is why we do have

Polkkit or Policy Kit and PKXec for that more fine-grained control.

But, well, sadly, something went wrong.

And something went wrong 12 years ago.

That's when the vulnerability was introduced.

Personally, I haven't really looked for an exploit yet, but Boyan, he wrote it up for us.

He was able to create an exploit that worked reliably across different distributions within a relatively short time.

...