Pardus Linux LPE Flaw Grants Silent Root Access Local Privilege

A critical vulnerability chain impacting Pardus Linux has been disclosed, enabling local users to achieve full root privileges without authentication.

The issue, assigned a CVSS v3.1 score of 9.3, impacts the pardus-update package, a core component responsible for system updates in the Debian-based distribution maintained by TÜBİTAK.

Pardus is widely deployed across government institutions, educational environments, and enterprise systems in Turkey, making this flaw particularly significant in shared and multi-user environments.

Security researcher Çağrı Eser (0xc4gr1) identified that the issue is not a single bug, but a combination of three weaknesses that together enable complete system compromise.

These include a PolicyKit (Polkit) misconfiguration, a carriage return-line feed (CRLF) injection flaw, and an untrusted file path vulnerability.

Pardus Linux Privilege Escalation Flaw

The first issue lies in the Polkit policy configuration. Critical update actions, such as aptupdateaction and autoaptupgradeaction, were configured with “allow_any=yes,” allowing any user to execute privileged operations without authentication.

This effectively grants passwordless root execution of backend Python scripts via pkexec.

The second flaw exists in the SystemSettingsWrite.py script, which writes user-controlled input into a configuration file.

While newline characters are filtered, carriage return characters are not. This allows attackers to inject arbitrary configuration entries into /etc/pardus/pardus-update.conf.

By crafting a malicious input, attackers can insert a custom APT source path pointing to a file under their control.

The third issue arises in AutoAptUpgrade.py, which processes the manipulated configuration.

The script blindly copies attacker-supplied APT source files into /etc/apt/sources.list.d/ without validation. This enables attackers to introduce a malicious repository and trigger package installation as root.

In a proof-of-concept exploit, an attacker creates a rogue APT repository containing a malicious .deb package.

During installation, the package sets the SUID bit on /bin/bash, allowing privilege escalation.

Once executed, the attacker gains an instant root shell using “/bin/bash -p,” achieving full system compromise.

The impact is severe. Attackers gain unrestricted access to sensitive files such as /etc/shadow, can install persistent backdoors, modify system binaries, and fully control the system.

The vulnerability requires only local access and no user interaction, making it highly exploitable in shared systems or after initial compromise.

To mitigate the issue, administrators must apply three key fixes. First, update the Polkit policy to require administrator authentication instead of allowing unrestricted access.

Second, sanitize all user input in SystemSettingsWrite.py to remove carriage returns and newlines.

Third, restrict APT source file paths in AutoAptUpgrade.py to trusted directories and block world-writable locations.

According to a report by nullsecurityx, the vulnerability chain demonstrates how multiple seemingly minor low-level misconfigurations can escalate into a critical security compromise.

Organizations using Pardus Linux are strongly advised to implement these fixes immediately to prevent exploitation.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.