Share
## https://sploitus.com/exploit?id=1580FEB9-7646-5B20-B433-09C2CC4D4CF6
# CVE-2026-41651 โ€” Pack2TheRoot Analysis

> **PackageKit Local Privilege Escalation (TOCTOU Race Condition)**  
> CVSS v3.1: **8.8 (HIGH)** | CWE-367 | Published: 2026-04-22

---

## ๐Ÿ“Œ ๊ฐœ์š”

๋ณธ ๋ ˆํฌ์ง€ํ† ๋ฆฌ๋Š” 2026๋…„ 4์›” ๊ณต๊ฐœ๋œ PackageKit์˜ ๋กœ์ปฌ ๊ถŒํ•œ ์ƒ์Šน ์ทจ์•ฝ์  **CVE-2026-41651 (Pack2TheRoot)** ์— ๋Œ€ํ•œ ๊ฐœ์ธ ๋ถ„์„ ๋ณด๊ณ ์„œ ๋ฐ ์—ฐ๊ตฌ ์ž๋ฃŒ๋ฅผ ์ •๋ฆฌํ•œ ๊ฒƒ์ž…๋‹ˆ๋‹ค.

| ํ•ญ๋ชฉ | ๋‚ด์šฉ |
|------|------|
| CVE ID | CVE-2026-41651 |
| ์ทจ์•ฝ์  ์ด๋ฆ„ | Pack2TheRoot |
| ์˜ํ–ฅ ์†Œํ”„ํŠธ์›จ์–ด | PackageKit 1.0.2 ~ 1.3.4 |
| ํŒจ์น˜ ๋ฒ„์ „ | PackageKit 1.3.5 |
| ๊ณต๊ฒฉ ์œ ํ˜• | ๋กœ์ปฌ ๊ถŒํ•œ ์ƒ์Šน (LPE) |
| ๋ฐœ๊ฒฌ์ž | Deutsche Telekom Red Team |

---

## ๐Ÿ” ์ทจ์•ฝ์  ์š”์•ฝ

PackageKit์˜ `pk-transaction.c` ๋‚ด 3๊ฐœ์˜ ๋ฒ„๊ทธ๊ฐ€ ๋ณตํ•ฉ์ ์œผ๋กœ ์ž‘์šฉํ•˜์—ฌ, **๋กœ์ปฌ ๋น„๊ถŒํ•œ ์‚ฌ์šฉ์ž๊ฐ€ root ๊ถŒํ•œ์„ ํš๋“**ํ•  ์ˆ˜ ์žˆ๋Š” ์ทจ์•ฝ์ ์ž…๋‹ˆ๋‹ค.

### ๋ฒ„๊ทธ ์ฒด์ธ

```
Bug 1: InstallFiles() ํ˜ธ์ถœ ์‹œ cached_transaction_flags ๋ฌด์กฐ๊ฑด ๋ฎ์–ด์“ฐ๊ธฐ (Line 4036)
  โ†“
Bug 2: ์ƒํƒœ ์ „์ด ๊ฑฐ๋ถ€ ์‹œ ์˜ค์—ผ๋œ ํ”Œ๋ž˜๊ทธ ๋กค๋ฐฑ ์—†์ด ๋ฉ”๋ชจ๋ฆฌ ์ž”์กด (Line 876~881)
  โ†“
Bug 3: pk_transaction_run() ์‹คํ–‰ ์‹œ์ ์— ์˜ค์—ผ๋œ ํ”Œ๋ž˜๊ทธ ์ฝ๊ธฐ (Line 2273~2277)
  โ†“
๊ฒฐ๊ณผ: polkit ์ธ์ฆ ์šฐํšŒ โ†’ root ๊ถŒํ•œ์œผ๋กœ ์ž„์˜ ํŒจํ‚ค์ง€ ์„ค์น˜ โ†’ SUID bash ์ƒ์„ฑ
```

### ๊ณต๊ฒฉ ํ๋ฆ„

1. `InstallFiles(SIMULATE=0x4, dummy)` ๋น„๋™๊ธฐ ์ „์†ก โ†’ polkit ์ธ์ฆ ์šฐํšŒ
2. `InstallFiles(NONE=0x0, payload)` ์ฆ‰์‹œ ์ „์†ก โ†’ ํ”Œ๋ž˜๊ทธ ์˜ค์—ผ (TOCTOU)
3. polkit `NOT_AUTHORIZED` ์ˆ˜์‹  ์‹œ์ ์—” ์ด๋ฏธ ํŒจํ‚ค์ง€ ์„ค์น˜ ์™„๋ฃŒ
4. `/tmp/.suid_bash` ์ƒ์„ฑ โ†’ `euid=0(root)` ํš๋“

---

## ๐Ÿ–ฅ๏ธ ๋ถ„์„ ํ™˜๊ฒฝ

| ํ•ญ๋ชฉ | ๋‚ด์šฉ |
|------|------|
| PoC ์žฌํ˜„ | Docker (Ubuntu 24.04.4 LTS) |
| IoC ์ˆ˜์ง‘ | VirtualBox (Ubuntu 22.04.5 LTS, PackageKit 1.2.5) |
| ์ฝ”๋“œ ๋ถ„์„ | GitHub โ€” PackageKit commit `2149735` (์ทจ์•ฝ) / `76cfb675` (ํŒจ์น˜) |

---

## ๐Ÿ“‚ ํŒŒ์ผ ๊ตฌ์„ฑ

```
CVE-2026-41651-analysis/
โ”œโ”€โ”€ README.md
โ””โ”€โ”€ CVE-2026-41651_๋ถ„์„๋ณด๊ณ ์„œ.docx   # ์ƒ์„ธ ๋ถ„์„ ๋ณด๊ณ ์„œ
```

---

## ๐Ÿ“‹ ์นจํ•ด ์ง€ํ‘œ (IoC)

๊ณต๊ฒฉ ์‹œ๋„ ์‹œ ์•„๋ž˜ ๋กœ๊ทธ ํŒจํ„ด์ด ์‹œ์Šคํ…œ์— ๊ธฐ๋ก๋ฉ๋‹ˆ๋‹ค.

```bash
# ํƒ์ง€ ๋ช…๋ น์–ด
journalctl -u packagekit | grep -i "assertion\|emitted\|failed"
```

```
PackageKit[PID]: pk_backend_job_emit: assertion 'PK_IS_BACKEND_JOB(job)' failed
PackageKit[PID]: g_signal_emit_valist: assertion 'G_TYPE_CHECK_INSTANCE(instance)' failed
PackageKit[PID]: GLib-Object:CRITICAL: g_object_unref: assertion 'G_IS_OBJECT(object)' failed
PackageKit[PID]: backend job failed
PackageKit[PID]: emit transaction failed
PackageKit[PID]: daemon stop    โ† ํฌ๋ž˜์‹œ
PackageKit[PID]: daemon start   โ† ์ž๋™ ์žฌ์‹œ์ž‘
```

```bash
# SUID ํŒŒ์ผ ํƒ์ง€
find /tmp -perm -4000 -type f 2>/dev/null
# โ†’ /tmp/.suid_bash ์กด์žฌ ์‹œ ์ฆ‰๊ฐ ๋Œ€์‘ ํ•„์š”
```

---

## ๐Ÿ›ก๏ธ ๋Œ€์‘ ๋ฐฉ์•ˆ

### ํŒจ์น˜ ์ ์šฉ (๊ถŒ์žฅ)

```bash
# Ubuntu / Debian
sudo apt update && sudo apt upgrade packagekit

# RHEL / Fedora
sudo dnf update PackageKit
```

### ์ทจ์•ฝ ์—ฌ๋ถ€ ํ™•์ธ

```bash
# ๋ฒ„์ „ ํ™•์ธ (1.3.4 ์ดํ•˜๋ฉด ์ทจ์•ฝ)
dpkg -l | grep -i packagekit          # Debian/Ubuntu
rpm -qa | grep -i PackageKit          # RHEL/Fedora

# ๋ฐ๋ชฌ ์ƒํƒœ ํ™•์ธ
systemctl status packagekit
```

### ์ž„์‹œ ์™„ํ™” (ํŒจ์น˜ ์ „)

```bash
# PackageKit ๋น„ํ™œ์„ฑํ™”
sudo systemctl disable --now packagekit
```

> โš ๏ธ ๋น„ํ™œ์„ฑํ™” ์‹œ GNOME Software ๋“ฑ GUI ํŒจํ‚ค์ง€ ๊ด€๋ฆฌ ๋„๊ตฌ ์‚ฌ์šฉ ๋ถˆ๊ฐ€

---

## ๐Ÿ“… ํƒ€์ž„๋ผ์ธ

| ๋‚ ์งœ | ๋‚ด์šฉ |
|------|------|
| 2026-04-08 | Deutsche Telekom Red Team โ†’ Red Hat/PackageKit ์ตœ์ดˆ ๋ณด๊ณ  |
| 2026-04-10 | PackageKit ๋ฉ”์ธํ…Œ์ด๋„ˆ ์ ‘์ˆ˜ ๋ฐ ์žฌํ˜„ ํ™•์ธ |
| 2026-04-13 | ๋น„๊ณต๊ฐœ ํŒจ์น˜ ์ดˆ์•ˆ ์ž‘์„ฑ |
| 2026-04-15 | Canonical์— ์ทจ์•ฝ์  ๊ณต์œ  |
| 2026-04-19 | ๋ฐฐํฌํŒ ๋ฒค๋” ๋น„๊ณต๊ฐœ ํ†ต๋ณด |
| 2026-04-22 | PackageKit 1.3.5 ๋ฆด๋ฆฌ์ฆˆ, CVE ํ• ๋‹น, ๊ณต๊ฐœ ๊ณต์‹œ |

---

## ๐Ÿ”— ์ฐธ๊ณ  ์ž๋ฃŒ

- [CVE ๊ณต์‹ ํŽ˜์ด์ง€](https://vulners.com/cve/CVE-2026-41651)
- [GitHub Security Advisory](https://github.com/PackageKit/PackageKit/security/advisories/GHSA-f55j-vvr9-69xv)
- [Deutsche Telekom ์›๋ฌธ ์–ด๋“œ๋ฐ”์ด์ €๋ฆฌ](https://github.security.telekom.com/2026/04/pack2theroot-linux-local-privilege-escalation.html)
- [NVD ์ƒ์„ธ](https://nvd.nist.gov/vuln/detail/CVE-2026-41651)
- [ํŒจ์น˜ ์ปค๋ฐ‹ (76cfb675)](https://github.com/PackageKit/PackageKit/commit/76cfb675fb31acc3ad5595d4380bfff56d2a8697)
- [PoC ๋ ˆํฌ์ง€ํ† ๋ฆฌ (Vozec)](https://github.com/Vozec/CVE-2026-41651)

---

## โš ๏ธ ๋ฉด์ฑ… ์กฐํ•ญ

๋ณธ ๋ ˆํฌ์ง€ํ† ๋ฆฌ๋Š” **๋ณด์•ˆ ์—ฐ๊ตฌ ๋ฐ ํ•™์Šต ๋ชฉ์ **์œผ๋กœ ์ž‘์„ฑ๋˜์—ˆ์Šต๋‹ˆ๋‹ค.  
์ทจ์•ฝ์  ์•…์šฉ ๋ฐ ๋ฌด๋‹จ ์‹œ์Šคํ…œ ์ ‘๊ทผ์€ ๋ฒ•์  ์ฒ˜๋ฒŒ์„ ๋ฐ›์„ ์ˆ˜ ์žˆ์œผ๋ฉฐ, ๋ชจ๋“  ํ…Œ์ŠคํŠธ๋Š” ๋ณธ์ธ ์†Œ์œ ์˜ ๊ฒฉ๋ฆฌ๋œ ํ™˜๊ฒฝ์—์„œ ์ˆ˜ํ–‰ํ•˜์˜€์Šต๋‹ˆ๋‹ค.