PwnKit: detect privilege escalation with CrowdSec
PwnKit: CVE-2021-4034 avoid privilege escalation. CrowdSec developed a scenario to give you insight on whether you have been compromised by this vulnerability.
Qualys just published CVE-2021-4034 which is trivial to exploit and impacts a large variety of distributions and versions. In a nutshell, the vulnerability, also called PwnKit, allows for a local escalation of privilege (LPE), due to out-of-band writing, in Polkit’s Pkexec, an alternate solution to the "sudo" privilege management tool. Pkexec is installed by default on most popular Linux distributions. A successful exploit can lead to handing admin/root privileges to unauthorized users.
While everybody loves a fine LPE, it’s mostly an excuse for us to take a look at another aspect of CrowdSec: pure alerting capabilities along with remediation.
We just published a new collection, targeting Linux’s Local Privilege Escalation, and CVE-2021-4034 is its first scenario! While this will not allow you to prevent the exploit, it will give you insight on whether you have been compromised by this vulnerability. Stay tuned as we add additional exploit attempt scenarios to the collection.
A successful exploitation for PwnKit is quite trivial to detect in the system logs:
(Please note that it has already been reported that smarter attackers may exploit the vulnerability without leaving any trace in the logs, but it’s not really the topic here)
The collection itself can be found here.
Let’s try our exploit freshly grabbed from GitHub:
Meanwhile, in CrowdSec logs (/var/log/crowdsec.log), we can see that the scenario was detected:
We can detect the exploit, and now what? The CrowdSec solution cannot block the malevolent user or prevent exploitation, but it can alert you. Fortunately, CrowdSec supports notification plugins. In this case, let’s set up a Slack alerting to be able to react in real-time.
First of all, let’s adapt our profiles to generate notifications on alerts that are targeting a system user and not an IP, by adding a new profile to the configuration file (/etc/crowdsec/config/profiles.yaml):
As the default Slack notification template expects an alert regarding an IP, we can generate a new one “slack_lpe”. To achieve this, let’s simply create a new Slack template in /etc/crowdsec/notifications/slack-lpe.yaml:
(Note: for this to work, you will have to generate your own Slack webhook url)
What should happen is:
- If an attacker exploits the Pwnkit vulnerability, he will trigger the crowdsecurity/CVE-2021-4034 scenario
- This scenario will generate an alerting about the system_user that just performed the exploit
- The alert will be caught by our notif_only profile that will dispatch the alert to the Slack notification plugin
Let’s try exploiting the vulnerability again:
The alert is indeed triggered:
And the alert notification pops up on Slack to allow a swift reaction:
Stay safe, happy hunting!
Join our community on Discord to get support and learn more about CrowdSec scenarios.