A serious memory corruption vulnerability in polkit (formerly PolicyKit) has finally been discovered after 12+ years. This program is found in essentially all modern Linux distributions.
The most likely attack scenario is from an internal threat where a malicious user can escalate from no privileges whatsoever to full root privileges. From an external threat perspective, if an attacker has been able to gain foothold on a system via another vulnerability or a password breach, that attacker can then escalate to full root privileges through this vulnerability.
There are some useful links on the reddit thread:
https://teddit.net/r/linux/comments/sct9ld/linux_system_service_bug_gives_root_on_all_major/So ‘pkexec’ is basically ‘sudo’ but instead of depending on PAM it uses polikit for authentication and authorization. How many ‘sudo’ programs do we need in one Linux system? :D
“… We discovered a Local Privilege Escalation (from any user to root) in polkit’s pkexec, a SUID-root program that is installed by default on every major Linux distribution …”
Usable to crack Android phones ?
Only local, no risks from outside ?- Most popular rolling release based Linux distros patched it already.
- Does not work on Android. Or there is no PoC nor exploit.
- You need to gain access with another vulnerability in the system first to execute this, however, once you gain that access it is 100 percent working.
The attack is highly efficient but entirely relies on the fact you need to get a foothold first on the host system.
I updated the OP with more infos.
