Privilege escalation with polkit: How to get root on Linux with a seven-year-old bug

Blog post from GitHub

Post Details

Author: Kevin Backhouse
Word Count: 2,734
Language: English
Summary

Polkit, a system service used by many Linux distributions that use systemd, was found to have a privilege escalation vulnerability, CVE-2021-3560, which allows an unprivileged local user to gain root access. The vulnerability, discovered by a member of the GitHub Security Lab, was introduced in polkit seven years ago but only recently began to affect several major distributions, such as RHEL 8 and Ubuntu 20.04. The exploit is relatively simple: it interrupts a specific sequence of authorization checks managed by polkit and dbus-daemon, which leads polkit to mistakenly authorize a request as if it came from a root process. The flaw is particularly dangerous because it can be exploited using standard command-line tools, and the proof of concept provided illustrates how this can be achieved through certain polkit clients, such as accountsservice and gnome-control-center. The polkit developers fixed the vulnerability following its disclosure, and users are advised to update their systems promptly to mitigate the risk.