Lab: PwnKit

Goal

Step 5: Mitigation and Correction

• How do I tell if someone has used this exploit?
  • IN this case the POC has a telltale signature
  • grab a window
  • su to bob
  • as bob sudo -i
  • cd /var/log
  • grep shell auth.log
  • Alice is using an unlisted shell pwnkit when she runs the exploit.
  • The system notices this and logs it.
  • The intruder could easily clean up the logs if they cared.
  • Or with a little more work could clean up the exploit.
• The immediate mitigation for this exploit is to disable pkexec
  • look at the permissions on pkexec
  • ls -l /usr/bin/pkexec
    • Notice
      • It is owned by root.
      • The user execute bit is a lower case s
    • This means that when it runs, it runs as root.
    • This is called the setuser-id bit.
  • The recommended short term fix is to disable this

    • chmod 0755 /usr/bin/pkexec
               

    • This will remove the setuser-id bit
    • But this effectively means that pkexec will not run.
  • This is probably not a big problem.
    • You will need to gain permissions from sudo
    • Which is a problem for someone who doesn't know how to use the terminal.
    • IE a user who completely relies on GUI management.
• The software has been patched
  • So the proper fix is to upgrade your system.
  • For this and all of the other security problems you seen.
• A note on the exploit:
  • This is just one of many possible attacks this hole provides.
  • In this case, they set the shell to be "pwnkit"
    • Which is not a valid shell.
    • And some things don't work well, like vi
  • Jason used a simple editing program called "sed" to alter the /etc/group file and add alice to the sudo group.
  • I just used "su - " to get the full environment.
  • Again, this is insufficient for a novice hacker, but someone with serviceable knowledge can gain access.