
feat: detect PackageKit Pack2TheRoot (CVE-2026-41651)#634

Merged
carlospolop merged 1 commit into peass-ng:master from sammonsempes:master
Apr 22, 2026

Conversation

@sammonsempes
Contributor

Summary

Adds detection for Pack2TheRoot (CVE-2026-41651, CVSS 8.8), a cross-distro local privilege escalation in the PackageKit daemon, publicly disclosed on 2026-04-22 by Deutsche Telekom's Red Team in coordination with distribution maintainers.

Any unprivileged local user can exploit the flaw to install or remove system packages without authorization, leading to full root access on default installations of several major distributions.

Vulnerability details

  • CVE: CVE-2026-41651
  • Advisory: https://github.security.telekom.com/2026/04/pack2theroot-linux-local-privilege-escalation.html
  • GHSA: GHSA-f55j-vvr9-69xv
  • Affected versions: PackageKit >= 1.0.2 and <= 1.3.4 (1.0.2 was released ~12 years ago, so the attack surface is broad)
  • Fixed in: PackageKit 1.3.5 + distro backports
  • Confirmed vulnerable in default installs:
    • Ubuntu Desktop 18.04, 24.04.4 LTS, 26.04 LTS beta
    • Ubuntu Server 22.04 – 24.04 LTS
    • Debian Desktop Trixie 13.4
    • RockyLinux Desktop 10.1
    • Fedora 43 Desktop & Server
    • Likely any host with Cockpit installed (incl. RHEL)

What the check does

The new module linPEAS/builder/linpeas_parts/7_software_information/PackageKit_Pack2TheRoot.sh:

  1. Detects PackageKit version via dpkg -l (Debian/Ubuntu) or rpm -qa (RHEL/Fedora/Rocky), stripping epoch and release suffixes.
  2. Compares the version against the vulnerable range [1.0.2, 1.3.4] using sort -V (POSIX-safe).
  3. Probes daemon reachability — PackageKit is often D-Bus activated rather than running persistently, so the check looks at:
    • systemctl status packagekit
    • presence of pkcon / pkmon binaries (sufficient to trigger activation)
  4. Scans for IOC — the advisory documents that successful exploitation leaves an emitted_finished assertion failure crash in journalctl -u packagekit. The module counts these and flags them as possible prior exploitation.

Output color coding

Following the existing conventions:

  • SED_RED_YELLOW → confirmed vulnerable version, or IOC found (95% PE vector)
  • SED_RED → daemon is reachable from the current session
  • SED_GREEN → version out of range, or no IOC found

Module conventions

The file follows the same structure as 6_users_information/10_Pkexec.sh and 1_system_information/2_Sudo_version.sh:

  • Full metadata header (parsed by linpeasBuilder.py) with Title, ID, Mitre, Functions Used, Generated Global Variables, Fat linpeas, Small linpeas
  • MITRE tag: T1068 (Exploitation for Privilege Escalation)
  • Uses only existing helpers: print_2title, print_3title, print_info, echo_not_found
  • Included in --small builds (small linpeas: 1), not fat (fat linpeas: 0) — no third-party binary bundled

Testing

Built and tested locally with:

# Build full linpeas
python3 -m builder.linpeas_builder --all-no-fat --output /tmp/linpeas.sh
/tmp/linpeas.sh -o software_information

# Isolated version with only this check
cat > /tmp/test_pack2theroot.sh <<'EOF'
#!/bin/bash
# Stubs for the linPEAS helpers the module calls
E="E"
SED_RED="\x1b[1;31m&\x1b[0m"
SED_GREEN="\x1b[1;32m&\x1b[0m"
SED_RED_YELLOW="\x1b[1;31;103m&\x1b[0m"
SED_LIGHT_CYAN="\x1b[1;96m&\x1b[0m"

print_2title() { echo ""; echo "╔══════════╣ $1"; }
print_3title() { echo "── $1"; }
print_info()   { echo "  ╚ $1"; }
echo_not_found() { echo "  $1 not found"; }


# Run from linPEAS/builder/linpeas_parts/7_software_information/ so the relative path resolves
source ./PackageKit_Pack2TheRoot.sh
EOF
chmod +x /tmp/test_pack2theroot.sh
bash /tmp/test_pack2theroot.sh

Verified behavior on:

  • Ubuntu 24.04 LTS (vulnerable, unpatched) → flagged red/yellow
  • Fedora 43 (vulnerable) → flagged red/yellow
  • System without PackageKit → clean Not Found
  • System with PackageKit 1.3.5+ → green "not in vulnerable range"
  • Shell syntax: bash -n passes

Checklist

  • New module file placed under the correct section (7_software_information)
  • Metadata header complete and parseable by the builder
  • Uses existing helper functions and color variables
  • No new external dependencies introduced
  • Graceful fallback when dpkg/rpm/journalctl are missing
  • Shell syntax validated with bash -n
  • Tested against at least one vulnerable distro

References
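The version-range, daemon-reachability and IOC steps described in the PR, reimplemented as an added example in plain sh. This is not the merged linPEAS module and none of the function names (pk_normalize, pk_in_vuln_range, pk_daemon_reachable, pk_count_ioc, pk_verdict) come from it; the journal excerpt is constructed for offline use and its message wording is illustrative, not the daemon's exact assertion text. Note that sort -V is a GNU coreutils/busybox extension rather than strict POSIX, so the range test degrades on systems whose sort lacks it.

```sh
#!/bin/sh
# Added example, not the linPEAS module from the PR. Reimplements the three
# decisions the module makes (normalise the PackageKit version, test it
# against [1.0.2, 1.3.4] with sort -V, count emitted_finished assertion
# failures in the journal) as stand-alone functions over constructed input.

VULN_MIN="1.0.2"
VULN_MAX="1.3.4"

# Strip the packaging epoch ("1:") and the distro release suffix ("-2ubuntu1",
# "-1.fc43", "+b1", "~rc1") so only the upstream dotted version remains.
pk_normalize() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/[-+~].*$//'
}

# True when $1 >= $2 under version ordering: sort -V places the smaller
# version first, so if $2 sorts first then $1 is at least $2.
pk_version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# True when the raw package version lies inside the vulnerable range.
pk_in_vuln_range() {
    v=$(pk_normalize "$1")
    [ -n "$v" ] && pk_version_ge "$v" "$VULN_MIN" && pk_version_ge "$VULN_MAX" "$v"
}

# Installed version via dpkg-query or rpm; prints nothing when neither package
# manager knows about PackageKit (the "Not Found" branch). rpm -q writes
# "package ... is not installed" to stdout, hence the separate existence test.
pk_installed_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}\n' packagekit 2>/dev/null || true
    elif command -v rpm >/dev/null 2>&1; then
        { rpm -q PackageKit >/dev/null 2>&1 && rpm -q --qf '%{VERSION}\n' PackageKit; } || true
    fi
    return 0
}

# The daemon is usually D-Bus activated, so "is it running" is the wrong
# question: an installed pkcon/pkmon client is enough to trigger activation.
pk_daemon_reachable() {
    command -v pkcon >/dev/null 2>&1 && return 0
    command -v pkmon >/dev/null 2>&1 && return 0
    command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet packagekit 2>/dev/null && return 0
    return 1
}

# Count emitted_finished assertion failures in journal text on stdin.
# grep -c prints 0 but exits 1 on no match, so the status is swallowed.
pk_count_ioc() {
    grep -c 'emitted_finished' || true
}

# Constructed journal excerpt; on a live host feed in
#   journalctl -u packagekit --no-pager
# The message wording below is illustrative, not the daemon's exact output.
SAMPLE_JOURNAL='Apr 22 10:01:02 host PackageKit[1234]: daemon start
Apr 22 10:03:11 host PackageKit[1234]: assertion failure: emitted_finished
Apr 22 10:03:11 host systemd[1]: packagekit.service: Main process exited, code=dumped, status=6/ABRT
Apr 22 10:05:40 host PackageKit[1300]: assertion failure: emitted_finished'

# Combine the pieces into one verdict line, e.g. "VULNERABLE 1.2.8 reachable ioc=2".
# $1 = raw version string (empty when not installed), journal text on stdin.
pk_verdict() {
    ioc=$(pk_count_ioc)
    if [ -z "$1" ]; then
        printf 'NOT_FOUND ioc=%s\n' "$ioc"
    elif pk_in_vuln_range "$1"; then
        if pk_daemon_reachable; then r=reachable; else r=unreachable; fi
        printf 'VULNERABLE %s %s ioc=%s\n' "$(pk_normalize "$1")" "$r" "$ioc"
    else
        printf 'NOT_VULNERABLE %s ioc=%s\n' "$(pk_normalize "$1")" "$ioc"
    fi
}

# Stand-alone run: live version from this host, constructed journal for the IOC.
printf '%s\n' "$SAMPLE_JOURNAL" | pk_verdict "$(pk_installed_version)"
```

Two edge cases worth keeping in mind when porting this into a real check: a version of 1.3.10 must sort above 1.3.4 (plain lexical comparison would wrongly flag it), and an epoch prefix like 1:1.2.8 must be stripped before comparison or every Debian-style version sorts above the whole range.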

@carlospolop carlospolop merged commit f8273fa into peass-ng:master Apr 22, 2026
3 checks passed