Gtk desktop app delayed on first launch (20.04) #2004 #permissions #gtk #policykit #pkexec
Rooted another OSCP machine this morning. There is no other exploit that has been more widespread and easy to leverage than pwnkit (CVE-2021-4034). I've simply lost count of the number of machines I've been able to use this on to get root access from a low-privilege account. For people who do this kind of stuff, this post is a cold take, but I just wanted to come here and state the obvious. #OSCP #pwnkit #polkit #CVE-2021-4034 #Linux #pkexec #setuid
From the Ubuntu website: "A local privilege escalation vulnerability was found on polkit’s pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn’t handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it’ll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation given unprivileged users administrative rights on the target machine."
“PwnKit” security bug gets you root on most Linux distros – what to do - An elevation of privilege bug that could let a "mostly harmless" user give themselves a i... https://nakedsecurity.sophos.com/2022/01/26/pwnkit-security-bug-gets-you-root-on-most-linux-distros-what-to-do/ #vulnerability #cve-2021-4034 #pkexec #pwnkit #linux #eop
"we note that #OpenBSD is not exploitable, because its kernel refuses to execve() a program if argc is 0."
https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034
#pwnkit #polkit #pkexec #itsec
Taking inspiration from the #OpenBSD camp, #HardenedBSD now rejects execve(argc==0) attempts: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/commit/b6495ff2ff4135f951619c28aa321b6c5ad550b9
This mitigates types of vulnerabilities like that of #pkexec (CVE-2021-4034).
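On Linux hosts where the kernel does not reject execve() with argc == 0, the same condition the posts above describe can be hunted for in audit logs. The following is an added example, not code from any of the posts or linked projects: it assumes execve syscalls are being audited and that records follow the usual `type=EXECVE ... argc=N` layout; the log lines are constructed and trimmed.

```python
import re
from collections import defaultdict

# Constructed, trimmed audit records for illustration (not from a real host).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1643200001.101:501): arch=c000003e syscall=59 success=yes exit=0 uid=1000 euid=0 comm="pkexec" exe="/usr/bin/pkexec"
type=EXECVE msg=audit(1643200001.101:501): argc=0
type=SYSCALL msg=audit(1643200005.220:502): arch=c000003e syscall=59 success=yes exit=0 uid=1000 euid=1000 comm="ls" exe="/usr/bin/ls"
type=EXECVE msg=audit(1643200005.220:502): argc=2 a0="ls" a1="-l"
this line is not an audit record and is skipped
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(text):
    """Group audit records by their (timestamp, serial) event id."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not an audit record
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        events[(ts, serial)][rtype] = fields
    return events


def find_empty_argv_execs(text):
    """Return one finding per event whose EXECVE record has argc=0."""
    hits = []
    for (ts, serial), recs in sorted(parse_events(text).items()):
        execve = recs.get("EXECVE")
        if execve is None or execve.get("argc") != "0":
            continue
        # The SYSCALL record of the same event says who ran which binary.
        sc = recs.get("SYSCALL", {})
        hits.append({
            "event": f"{ts}:{serial}",
            "exe": sc.get("exe", "?"),
            "uid": sc.get("uid", "?"),
            "euid": sc.get("euid", "?"),
        })
    return hits


if __name__ == "__main__":
    for hit in find_empty_argv_execs(SAMPLE_AUDIT_LOG):
        print(hit)
```

Legitimate programs essentially never start with an empty argument vector, so any hit is worth triage, and one where uid and euid differ points at a setuid binary such as pkexec.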