关联漏洞
标题:
polkit 缓冲区错误漏洞
(CVE-2021-4034)
描述:polkit是一个在类 Unix操作系统中控制系统范围权限的组件。通过定义和审核权限规则,实现不同优先级进程间的通讯。 polkit 的 pkexec application存在缓冲区错误漏洞,攻击者可利用该漏洞通过精心设计环境变量诱导pkexec执行任意代码。成功执行攻击后,如果目标计算机上没有权限的用户拥有管理权限,攻击可能会导致本地权限升级。
描述
CVE-2021-4034 POC exploit
介绍
## pwnkit (CVE-2021-4034) Privilege Escalation exploit sample
This repository contains an exploit of CVE-2021-4034, a local
privilege escalation in `pkexec`. This implementation is based on that
described in the [CVE
disclosure](https://marc.info/?l=oss-security&m=164313339424946&w=2), which you should read.
If this works on your machine, it means you are vulnerable. To address
this, either update polkit to a patched version, or disable the `setuid`
bit on `pkexec` with the following:
```
$ sudo chmod a-s $(which pkexec)
```
This exploit is dangerously easy to write based on the information in
the disclosure, so patch all of your machines ASAP.
### Using this repo
To run this exploit, simply run `make` in the top level
directory. This will:
- compile `exploit.c`, which runs the exploit
- compile `gconv/badconv.c`, which contains the payload
- Run `./exploit`
If this drops you into a shell as root, your system is vulnerable.
If you get the following output, you succesfully mitigated the bug
using the above `chmod` command:
```
Running exploit...
GLib: Cannot convert message: Could not open converter from “UTF-8” to “ZT”
pkexec must be setuid root
```
If you get the `pkexec` help message as the output, your system was
likely already patched.
This implementation _should_ work on any vulnerable systems, including
Fedora 34+ and some versions of OpenSUSE which seem to not be
vulnerable to some implementations. Specifically, this will work even
if your system has a version of polkit which disables GVFS ([added
here](https://gitlab.freedesktop.org/polkit/polkit/-/commit/daf3d5c2d15466a267221fcb099c59c870098e03)). That
being said, I have no formal experience with computer security and it
may report that your system is patched, even if it is still vulnerable
to this or other similar exploits. As such, you should make sure that
you keep your systems updated, listen to the people who know what they
are talking about, and always eat your vegetables.
文件快照
[4.0K] /data/pocs/7181a838d67158ed4168eeaf2ac807a18d522464
├── [ 848] exploit.c
├── [4.0K] gconv
│ ├── [ 807] badconv.c
│ ├── [ 81] gconv-modules
│ └── [ 195] Makefile
├── [4.0K] GCONV_PATH=.
│ └── [ 0] gconv
├── [ 261] Makefile
└── [1.9K] README.md
2 directories, 7 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。