Apptainer Blocked the SUID Based Exploit

Gregory Kurtzer playing with #pkexec vulnerability and trying to see what happens when trying to execute it through an Apptainer (Singularity) container.


  • Gregory Kurtzer, Founder of Rocky Linux, Singularity/Apptainer, Warewulf, CentOS, and CEO of CIQ

Note: This transcript was created using speech recognition software. While it has been reviewed by human transcribers, it may contain errors.

Full Webinar Transcript:

Gregory Kurtzer:

Hello. So I was playing with the recent vulnerability that was just announced this morning around Pkexec in Polkit. And I was curious; is this vulnerability susceptible when running on a system through an Apptainer or a Singularity container, and so I decided to test it and document my findings. So here's my host system. You can see I'm running an 8.4 version of Rocky Linux. If I look at what version of Polkit is installed, you'll see it is a vulnerable version and you can see I'm running as me. In this directory I have the exploit code already compiled. And if I execute that exploit code, I am now root. It was pretty easy to get root.

Now what I'm curious about is, does this work when I'm running through an Apptainer container? I've created a Rocky container using this recipe that I'm taking out of Docker Hub. I'm taking a default Rocky container and I'm installing these two packages in there: Polkit and Polkit-libs. I'm using this method to ensure that I am getting the vulnerable versions of these packages. And then I built that and here is the container file. If you are not familiar with Apptainer or Singularity this container system builds single file based containers. Inside that single executable file, I have my entire container and I can execute that file directly, or I can use Apptainer to get an active shell inside of that container, which is what I'm going to do.

Now you can see I'm sitting inside of this container, and you can see my host was running Rocky Linux 8.4. Now I'm sitting in 8.5 inside of this container. I did install as you saw in the previous recipe file that Polkit is installed. It is a vulnerable version of Polkit, which means I should be able to run this exploit. And I should show you, I am me. I am not root inside of this container. If I run this payload in the current directory which by the way, again, is the current directory where I started. If I run the payload here, I should end up with a root prompt, but I'm not. It's actually blocking the privilege escalation going through Pkexec.

Pkexec doesn't exactly know why it's not running with the appropriate privileges. It just gives a default error message saying that Pkexec must be installed with SUID root. Let's just confirm that it actually is, and it is actually installed with SUID root, but the exploit did not work. So if you do have users on your systems that are using Apptainer or Singularity this exploit is not going to be vulnerable through this container run time. That was the gist of what I wanted to show. If you have any questions, please feel free to reach out to myself, the Apptainer community, or my company CIQ. Thank you.