PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit’s pkexec (CVE-2021-4034)
The Qualys Research Team has discovered a memory corruption vulnerability in polkit’s pkexec, a SUID-root program that is installed by default on every major Linux distribution. The vulnerability is easy to exploit and allows any unprivileged user to gain full root privileges on a vulnerable host in its default configuration.
"Polkit (formerly PolicyKit) is a component for controlling system-wide
privileges in Unix-like operating systems. It provides an organized way
for non-privileged processes to communicate with privileged ones. [...]
It is also possible to use polkit to execute commands with elevated
privileges using the command pkexec followed by the command intended to
be executed (with root permission)." (Wikipedia)
You can read more in Qualys’ advisory.
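The precondition described above is that pkexec is installed setuid root. The following read-only audit script is an added example, not code from the original post or from Qualys; it checks whether a given binary carries the setuid bit and is owned by root, so an administrator can confirm exposure on a host before a patched polkit package arrives. It assumes a Linux host with POSIX sh, ls and awk; the path argument is an assumption that defaults to the usual /usr/bin/pkexec.

```shell
#!/bin/sh
# Added example (not from the original post): read-only audit of whether a
# pkexec binary is installed setuid root, the precondition the advisory
# describes. Assumes POSIX sh, ls and awk; path defaults to /usr/bin/pkexec.

# has_setuid_bit PATH: exit 0 if PATH exists and has the setuid bit set,
# 1 if it exists without the bit, 2 if it does not exist at all.
has_setuid_bit() {
    [ -e "$1" ] || return 2
    [ -u "$1" ] && return 0   # POSIX test: -u is "set-user-ID flag set"
    return 1
}

# owner_uid PATH: print the numeric owner uid. ls -ln is POSIX; stat is not.
owner_uid() {
    ls -ln "$1" | awk '{ print $3 }'
}

# pkexec_exposure [PATH]: print one of
#   NOT_INSTALLED    - no file at PATH
#   NOT_SETUID       - file present but without the setuid bit (mitigated)
#   SETUID_NON_ROOT  - setuid, but not root-owned (unusual, not the advisory case)
#   SETUID_ROOT      - setuid root: the configuration the advisory describes
pkexec_exposure() {
    path=${1:-/usr/bin/pkexec}
    rc=0
    has_setuid_bit "$path" || rc=$?   # written so the script survives set -e
    case $rc in
        2) echo NOT_INSTALLED ;;
        1) echo NOT_SETUID ;;
        0) if [ "$(owner_uid "$path")" = 0 ]; then
               echo SETUID_ROOT
           else
               echo SETUID_NON_ROOT
           fi ;;
    esac
}

# Stand-alone use: ./pkexec_audit.sh [/path/to/pkexec]
echo "pkexec exposure: $(pkexec_exposure "${1:-}")"
```

A result of SETUID_ROOT on an unpatched host is the state the advisory warns about; the fix is the distribution's patched polkit package. Qualys’ advisory names removing the setuid bit (chmod 0755 /usr/bin/pkexec) as an interim mitigation where no patch is available yet, which is exactly the transition from SETUID_ROOT to NOT_SETUID that this script reports. The script only inspects the file; it changes nothing.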
Exploit Proof of Concept
A few hours after the disclosure, arthepsy had already published a working exploit on GitHub.
I have tested the exploit and found it working on a default installation of Kali Linux. However, it needs gcc installed to make it work.
For machines that don’t have gcc installed, you can compile the shared object and the main exploit separately and copy the two files over.
Compile the shared object using gcc pwnkit.c -o pwnkit.so -shared -fPIC. The shared object pwnkit.so must be inside a folder named
Compile the main exploit using gcc cve-2021-4034-poc.c -o cve-2021-4034-poc.
The directory structure must look like this:
gengstah@gengstah:~$ ls -lR | grep "cve\|pwnkit"
-rwxr-x--- 1 gengstah gengstah 16376 Jan 26 22:25 cve-2021-4034-poc
-rw-r----- 1 gengstah gengstah 1268 Jan 26 22:24 cve-2021-4034-poc.c
drwxr-x--- 2 gengstah gengstah 4096 Jan 26 22:35 pwnkit
-rw-r----- 1 gengstah gengstah 275 Jan 26 22:34 pwnkit.c
-rwxr-x--- 1 gengstah gengstah 15688 Jan 26 22:35 pwnkit.so
Separating the shared object from the main exploit should have the same effect.