That and much more is made possible by a vulnerability that has been present in Linux for 12 years. The bug is in a system tool called polkit (previously called PolicyKit), and it gives attackers root permissions on computers running any Linux distro.
A 12-year-old vulnerability for becoming root in Linux
Polkit is responsible for managing system privileges in Unix-based operating systems. It provides a mechanism for non-privileged processes to safely interact with privileged processes. It also allows users to execute commands with a high level of privileges using a component called pkexec.
The permission hierarchy in Unix allows the system to determine which applications or users can interact with sensitive parts of the system, and when they can do so. Thus, if a malicious app is installed, or one is hacked, the level of damage it can cause can be limited.
The problem is that the component in charge of controlling this has had a memory corruption vulnerability since 2009 that allows someone with limited permissions to escalate privileges all the way to root. Exploiting the vulnerability is very easy and 100% reliable: anyone who has even minimal access to a machine can execute malicious code or install more harmful malware with full control of the system.
The vulnerability requires local access with authentication to a device, and cannot be exploited remotely without that authentication. However, if this LPE is combined with an RCE, any attacker can take control of a computer remotely.
The vulnerability has been called PwnKit, and can be exploited even if Polkit is not running. Qualys researchers discovered it in November, and since it is already patched in almost all Linux distros, they have decided to publish the information. However, they are not yet going to release the proof of concept that allows it to be used, since there will be many operating systems that do not have it patched. Furthermore, they claim that hackers are going to start exploiting it pretty quickly.
Update now or run this command
It is recommended to update as soon as possible to avoid being affected by the attack. If you cannot patch immediately, you can use the command chmod 0755 /usr/bin/pkexec to remove the SUID bit from pkexec.
The researchers claim that the vulnerability can be exploited without leaving a trace on a computer. In case there is a trace, you can check the logs by searching for the message "The value for the SHELL variable was not found the /etc/shells file" or "The value for environment variable […] contains suspicious content".
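The two checks above can be scripted together. The following is an added example, not code from Qualys or the polkit project: the function names and the sample log lines are constructed for illustration, and the log text to scan is assumed to arrive on standard input from whichever authentication log your distro uses.

```shell
#!/bin/sh
# Added example: audit helper for the pkexec mitigation and the two log
# messages quoted above. Function names are hypothetical.

# Messages taken from the article; ".*" stands in for the variable name.
PATTERN='The value for the SHELL variable was not found the /etc/shells file'
PATTERN="$PATTERN|The value for environment variable .* contains suspicious content"

# pkexec_status [PATH]: prints "missing", "suid" (still set-user-ID, so the
# temporary mitigation has not been applied) or "mitigated" (SUID bit removed).
pkexec_status() {
    p="${1:-/usr/bin/pkexec}"
    if [ ! -e "$p" ]; then
        echo missing
    elif [ -u "$p" ]; then
        echo suid
    else
        echo mitigated
    fi
}

# count_indicators: reads log text on stdin and prints how many lines
# contain either message. grep exits 1 on zero matches, hence "|| true".
count_indicators() {
    grep -c -E "$PATTERN" || true
}

# Constructed sample log lines (not real data) for a dry run.
SAMPLE_LOG='Jan 26 10:00:01 host sshd[811]: Accepted publickey for alice
Jan 26 10:02:13 host pkexec[1402]: alice: The value for the SHELL variable was not found the /etc/shells file
Jan 26 10:02:40 host pkexec[1410]: alice: The value for environment variable EXAMPLE_VAR contains suspicious content'

echo "pkexec state: $(pkexec_status)"
echo "indicator lines in sample: $(printf '%s\n' "$SAMPLE_LOG" | count_indicators)"
```

A count of zero does not rule out exploitation, since the researchers say the bug can be exploited without leaving a trace.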
In addition to Linux distros, other Unix-based systems could also be affected, such as Solaris and *BSD. However, OpenBSD is not vulnerable because its kernel rejects execve() for a program if argc is zero. In the case of Android, pkexec is usually not included, so this privilege escalation could not be used to get root on phones that have the bootloader locked or do not currently have another way to be rooted.