PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit’s pkexec (CVE-2021-4034)

Summary

The Qualys Research Team has discovered a memory corruption vulnerability in polkit’s pkexec, a SUID-root program that is installed by default on every major Linux distribution. This easily exploited vulnerability allows any unprivileged user to gain full root privileges on a vulnerable host in its default configuration.

"Polkit (formerly PolicyKit) is a component for controlling system-wide
privileges in Unix-like operating systems. It provides an organized way
for non-privileged processes to communicate with privileged ones. [...]
It is also possible to use polkit to execute commands with elevated
privileges using the command pkexec followed by the command intended to
be executed (with root permission)." (Wikipedia)

You can read more in Qualys’ advisory.

Exploit Proof of Concept

A few hours after the disclosure, arthepsy had already published a working exploit on GitHub.

I have tested the exploit and found it working on a default installation of Kali Linux. However, it needs gcc installed to work.

For machines that don’t have gcc installed, you can compile the shared object and the main exploit separately on another machine and copy the resulting binaries over.

pwnkit.c

Compile this using gcc pwnkit.c -o pwnkit.so -shared -fPIC. The shared object pwnkit.so must be inside a folder named pwnkit.

cve-2021-4034-poc.c

Compile this using gcc cve-2021-4034-poc.c -o cve-2021-4034-poc.

The directory structure must look like this:

gengstah@gengstah:~$ ls -lR | grep "cve\|pwnkit"
-rwxr-x--- 1 gengstah gengstah 16376 Jan 26 22:25 cve-2021-4034-poc
-rw-r----- 1 gengstah gengstah 1268 Jan 26 22:24 cve-2021-4034-poc.c
drwxr-x--- 2 gengstah gengstah 4096 Jan 26 22:35 pwnkit
./pwnkit:
-rw-r----- 1 gengstah gengstah 275 Jan 26 22:34 pwnkit.c
-rwxr-x--- 1 gengstah gengstah 15688 Jan 26 22:35 pwnkit.so

Compiling the shared object and the main exploit separately should have the same effect as building them together on the target.
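Since the PoC above only works while pkexec still carries its setuid bit, the first thing a defender wants to know is whether the binaries on a host still have it. The following check is an added example written for this page, not code from the original post or from the PoC repository; it assumes pkexec lives at /usr/bin/pkexec unless another path is given, and it reports the state without changing anything.

```shell
#!/bin/sh
# Added example (not part of the original post): report whether a pkexec
# binary still has the setuid bit set, which is the precondition the PoC
# relies on. Assumption: default path is /usr/bin/pkexec; any path may be
# passed as the first argument so the check can be run on copies too.

# Exit 0 if the file exists and is setuid, 1 if it exists without the
# setuid bit, 2 if the path does not exist at all.
pkexec_is_suid() {
    path="${1:-/usr/bin/pkexec}"
    [ -e "$path" ] || return 2
    [ -u "$path" ]
}

# Human-readable wrapper: prints SUID, NOSUID or MISSING and returns the
# same exit code as pkexec_is_suid so it can be used in scripts.
suid_report() {
    path="${1:-/usr/bin/pkexec}"
    pkexec_is_suid "$path"
    rc=$?
    case $rc in
        0) echo "SUID" ;;
        2) echo "MISSING" ;;
        *) echo "NOSUID" ;;
    esac
    return $rc
}

# Owner is also relevant: the PoC needs a root-owned setuid binary, so show
# the mode and owner alongside the verdict when the file exists.
suid_details() {
    path="${1:-/usr/bin/pkexec}"
    if [ -e "$path" ]; then
        ls -l "$path"
    fi
    suid_report "$path"
}
```

Run it as `sh check.sh` (or source the file and call `suid_details`) on each host; a result of SUID on an unpatched build means the host is exposed. The temporary mitigation in Qualys’ advisory is to strip the setuid bit (chmod 0755 /usr/bin/pkexec) until the distribution’s patched package is installed, after which the report should be re-run to confirm the fix.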

Gerard De Las Armas