A security researcher with GitHub disclosed a 7-year-old issue in the way polkit, an authentication mechanism in most Linux distributions, issues permissions, allowing for privileged user creation. All Linux distributions using systemd are affected. Polkit's maintainers at Red Hat were notified and released a fix on June 3rd. The vulnerability was assigned CVE-2021-3560. It is an interesting and fairly easy to exploit vulnerability involving the timing of polkit's decision making. In the PoC released to exploit the vulnerability, two conditions must be met: the accountsservice and gnome-control-center packages must be installed on the target system. A dbus-send command is issued to create a user account, but the process is killed before polkit has made its decision on whether to allow the user to run the command, so the request defaults to approval. A password is then set for the account in the same manner, and the result is a new user account with sudo privileges that the attacker can use.
A vulnerability like the one above is tough to avoid in systems such as Linux: there is a great deal of legacy code to sift through when applying patches or surveying code for vulnerabilities. As always, keeping systems current and up to date with the latest advisories is the first step in defense. Security teams may already have detections in place to alert on users created by non-standard accounts; however, this is an uncommon tactic. The Threat Hunt team and Security Operations Center at Binary Defense work to identify uncommon methods such as this and hunt for the possibility of compromise, cutting off that approach for attackers. When threat hunting is used to identify risk and attack vectors, the threat to data integrity and the possibility of ransomware infection are greatly reduced.
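One simple check that fits the detection described above is to compare a trusted baseline of /etc/passwd and /etc/group against the current state and flag any new regular account, especially one that also landed in a privileged group. This is an added example, not code from Binary Defense or from the CVE-2021-3560 PoC; the passwd and group snapshots below are constructed sample data, and the set of privileged group names is an assumption to adjust per distribution.

```python
# Assumed set of groups that grant administrative rights; adjust per distro.
PRIVILEGED_GROUPS = {"sudo", "wheel", "admin"}

# Constructed sample snapshots (not captured from a real host): a baseline and
# the current state after an unexpected account was created and added to sudo.
BASELINE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/bash\n"
CURRENT_PASSWD = BASELINE_PASSWD + "boris:x:1001:1001::/home/boris:/bin/bash\n"
CURRENT_GROUP = "root:x:0:\nsudo:x:27:alice,boris\nboris:x:1001:\n"


def parse_passwd(text):
    """Return {username: uid} for well-formed lines in passwd(5) format."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and not line.startswith("#"):
            users[fields[0]] = int(fields[2])
    return users


def parse_groups(text):
    """Return {groupname: set(members)} for well-formed lines in group(5) format."""
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and not line.startswith("#"):
            groups[fields[0]] = {m for m in fields[3].split(",") if m}
    return groups


def find_new_accounts(base_passwd, cur_passwd, cur_group, min_uid=1000):
    """Return [(user, uid, [privileged groups])] for regular accounts that are
    present in the current passwd snapshot but absent from the baseline.
    System accounts (uid below min_uid) are ignored; a user created through
    accounts-daemon, as in the PoC, receives a regular uid."""
    before = parse_passwd(base_passwd)
    after = parse_passwd(cur_passwd)
    groups = parse_groups(cur_group)
    findings = []
    for user, uid in after.items():
        if user in before or uid < min_uid:
            continue
        priv = sorted(g for g in PRIVILEGED_GROUPS if user in groups.get(g, set()))
        findings.append((user, uid, priv))
    return findings


if __name__ == "__main__":
    for user, uid, priv in find_new_accounts(BASELINE_PASSWD, CURRENT_PASSWD, CURRENT_GROUP):
        print(f"new account {user} (uid {uid}), privileged groups: {priv or 'none'}")
```

On a real host the baseline would be a snapshot taken at build time or after the last approved change, and the current files read from /etc; any hit on a privileged group deserves an immediate look at who or what created the account.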