Exploit 2021 - Baget

Resource: Baget exploit (2021)

6.1 Logs

Look for:

• pkexec executed with zero arguments from non-root shells.
• Unusual GCONV_PATH or CHARSET environment variables.
• Unexpected child processes of pkexec (e.g., /bin/bash).

4. Impact Assessment

| Factor | Assessment | |--------|-------------| | Privileges required | Low (any local user) | | User interaction | None | | Complexity | Low (scriptable, reliable) | | Confidentiality impact | High (read any file) | | Integrity impact | High (modify system) | | Availability impact | High (full system compromise) | baget exploit 2021

A successful exploit allows:

• Installing backdoors, rootkits.
• Exfiltrating sensitive data (/etc/shadow, SSH keys, etc.).
• Disabling security tools (SELinux, AppArmor bypass possible via root).
• Pivoting to other hosts.

Indicators of compromise (IoCs)

• Unexpected .php files in upload directories (e.g., admin/uploads, assets/img, user images).
• Web requests to upload endpoints such as /classes/Users.php?f=save or /classes/SystemSettings.php?f=update_settings followed by access to uploaded files.
• Access logs showing GET/POST to newly created files with suspicious query parameters (e.g., ?cmd=).

Immediate mitigations (short-term)

• Block public access to upload directories (deny execute permissions and/or serve them from outside webroot).
• Add server-side validation: strict allowlist of file types, verify MIME content, validate extensions, sanitize filenames.
• Disable PHP execution in upload directories (e.g., with webserver config: deny .php execution or place uploads on a separate domain/subdomain with no PHP handler).
• If compromise confirmed: take site offline, preserve logs, rotate credentials, remove malicious files, and rebuild from known-good backups.

References

1. NVD – CVE-2021-4034: https://nvd.nist.gov/vuln/detail/CVE-2021-4034
2. Qualys Security Advisory – PwnKit: https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034
3. Polkit Patch Commit: https://gitlab.freedesktop.org/polkit/polkit/-/commit/7e3526d6f9e2dfb46ad7b637582cf9b7d60e1cdf

End of Report