POC详情: 9c5d3891d40dcc5f78d47ec7d125d1d4bfdc7dd7

来源
https://github.com/iSTAR-Lab/CVE-2021-3560_PoC
关联漏洞
标题: polkit 代码问题漏洞 (CVE-2021-3560)
描述:polkit是一个在类 Unix操作系统中控制系统范围权限的组件。通过定义和审核权限规则,实现不同优先级进程间的通讯。 polkit 存在代码问题漏洞,该漏洞源于当请求进程在调用polkit_system_bus_name_get_creds_sync之前断开与dbus-daemon的连接时,该进程无法获得进程的唯一uid和pid,也无法验证请求进程的特权。
描述
polkit exploit script v1.0
介绍
# CVE-2021-3560_PoC
polkit exploit script

Automated script for escalating to root using polkit service

# Requirements
- SSH server (this is to avoid having authentication popups through GNOME)
- Vulnerable Linux distribution:
<table>
  <tbody>
    <tr>
      <th>Distribution</th>
      <th>Vulnerable?</th>
    </tr>
    <tr>
      <td>RHEL 7</td>
      <td>No</td>
    </tr>
    <tr>
      <td>RHEL 8</td>
      <td>
        <a
          href="https://access.redhat.com/security/cve/CVE-2021-3560"
          rel="noopener"
          target="_blank"
          >Yes</a
        >
      </td>
    </tr>
    <tr>
      <td>Fedora 20 (or earlier)</td>
      <td>No</td>
    </tr>
    <tr>
      <td>Fedora 21 (or later)</td>
      <td>
        <a
          href="https://bugzilla.redhat.com/show_bug.cgi?id=1967424"
          rel="noopener"
          target="_blank"
          >Yes</a
        >
      </td>
    </tr>
    <tr>
      <td>Debian 10 (“buster”)</td>
      <td>No</td>
    </tr>
    <tr>
      <td>Debian testing (“bullseye”)</td>
      <td>
        <a
          href="https://security-tracker.debian.org/tracker/CVE-2021-3560"
          rel="noopener"
          target="_blank"
          >Yes</a
        >
      </td>
    </tr>
    <tr>
      <td>Ubuntu 18.04</td>
      <td>No</td>
    </tr>
    <tr>
      <td>Ubuntu 20.04</td>
      <td>
        <a
          href="https://ubuntu.com/security/CVE-2021-3560"
          rel="noopener"
          target="_blank"
          >Yes</a
        >
      </td>
    </tr>
  </tbody>
</table>

# Usage Guide
```bash
ssh localhost
git clone https://github.com/tyleraharrison/CVE-2021-3560_PoC.git
cd CVE-2021-3560_PoC
./polkitRoot.sh
```

# Known Issues
- Solution to needing to brute-force is poorly written recursion
- Line-endings may need to be changed with `dos2unix polkitRoot.sh` because GitHub changed them to CRLF and Bash does not like that

Tested in Ubuntu 20.04

Reference: https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/
文件快照

 [4.0K]  /data/pocs/9c5d3891d40dcc5f78d47ec7d125d1d4bfdc7dd7
├── [2.9K]  polkitRoot.sh
└── [2.0K]  README.md

0 directories, 2 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。