polkit exploit script v1.0# CVE-2021-3560_PoC
polkit exploit script
Automated script for escalating to root using polkit service
# Requirements
- SSH server (this is to avoid having authentication popups through GNOME)
- Vulnerable Linux distribution:
<table>
<tbody>
<tr>
<th>Distribution</th>
<th>Vulnerable?</th>
</tr>
<tr>
<td>RHEL 7</td>
<td>No</td>
</tr>
<tr>
<td>RHEL 8</td>
<td>
<a
href="https://access.redhat.com/security/cve/CVE-2021-3560"
rel="noopener"
target="_blank"
>Yes</a
>
</td>
</tr>
<tr>
<td>Fedora 20 (or earlier)</td>
<td>No</td>
</tr>
<tr>
<td>Fedora 21 (or later)</td>
<td>
<a
href="https://bugzilla.redhat.com/show_bug.cgi?id=1967424"
rel="noopener"
target="_blank"
>Yes</a
>
</td>
</tr>
<tr>
<td>Debian 10 (“buster”)</td>
<td>No</td>
</tr>
<tr>
<td>Debian testing (“bullseye”)</td>
<td>
<a
href="https://security-tracker.debian.org/tracker/CVE-2021-3560"
rel="noopener"
target="_blank"
>Yes</a
>
</td>
</tr>
<tr>
<td>Ubuntu 18.04</td>
<td>No</td>
</tr>
<tr>
<td>Ubuntu 20.04</td>
<td>
<a
href="https://ubuntu.com/security/CVE-2021-3560"
rel="noopener"
target="_blank"
>Yes</a
>
</td>
</tr>
</tbody>
</table>
# Usage Guide
```bash
ssh localhost
git clone https://github.com/tyleraharrison/CVE-2021-3560_PoC.git
cd CVE-2021-3560_PoC
./polkitRoot.sh
```
# Known Issues
- Solution to needing to brute-force is poorly written recursion
- Line-endings may need to be changed with `dos2unix polkitRoot.sh` because GitHub changed them to CRLF and Bash does not like that
Tested in Ubuntu 20.04
Reference: https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/
登录后查看神龙缓存的 POC 文件快照
登录查看