关联漏洞
标题:
polkit 代码问题漏洞
(CVE-2021-3560)
描述:polkit是一个在类 Unix操作系统中控制系统范围权限的组件。通过定义和审核权限规则,实现不同优先级进程间的通讯。 polkit 存在代码问题漏洞,该漏洞源于当请求进程在调用polkit_system_bus_name_get_creds_sync之前断开与dbus-daemon的连接时,该进程无法获得进程的唯一uid和pid,也无法验证请求进程的特权。
描述
Exploit for CVE-2021-3560 (Polkit) - Local Privilege Escalation
介绍
# Exploit for CVE-2021-3560 (Polkit) - Local Privilege Escalation
**Like this repo? Give us a ⭐!**
*For educational and authorized security research purposes only.*
## Exploit Author
[@UNICORDev](https://unicord.dev) by ([@NicPWNs](https://github.com/NicPWNs) and [@Dev-Yeoj](https://github.com/Dev-Yeoj))
## Vulnerability Description
It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user. This flaw could be used by an unprivileged local attacker to, for example, create a new local administrator. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
## Exploit Description
Use this exploit on a system with vulnerable Polkit software to add a new user with Sudo privileges. Specify a custom username and/or password as CLI arguments, if desired. Once the new user is created, ```su``` to this user and ```sudo su``` for full root privileges.
## Usage
```bash
python3 exploit-CVE-2021–3560.py [-u <username> -p <password>]
python3 exploit-CVE-2021–3560.py -h
```
## Options
```bash
-u Custom username. Provide username to be created. (Optional)
-p Custom password. Provide password to be configured for user. (Optional)
-h Show this help menu.
```
## Download
[Download exploit-CVE-2021-3560.py Here](https://raw.githubusercontent.com/UNICORDev/exploit-CVE-2021-3560/main/exploit-CVE-2021-3560.py)
## Exploit Requirements
- python3
- accountsservice
- gnome-control-center
- openssl
- sudo
## Demo
*User in privileged ```wheel``` group.*
## Tested On
Polkit Version 0.105 (Ubuntu 20.04.2 LTS)
## Applies To
Polkit Versions 0.0 - 0.118
## Test Environment
```bash
apt install accountsservice gnome-control-center openssl sudo
```
## Warning
⚠️ Running this exploit on a system with a GUI may result in a pop-up password prompt that cannot be closed and may require a full system reboot. You may be able to close this pop-up by clicking "Cancel" repeatedly. However, this can fully be avoided if in an SSH or reverse shell session. Simply ```ssh localhost``` to avoid this issue.
## Credits
- https://nvd.nist.gov/vuln/detail/CVE-2021-3560
- https://app.hackthebox.com/machines/Paper
- https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/
- https://github.com/Almorabea/Polkit-exploit/blob/main/CVE-2021-3560.py
文件快照
[4.0K] /data/pocs/a65c359392ea052a076f0d022c856a77907a15c3
├── [ 357] Dockerfile
├── [7.3K] exploit-CVE-2021-3560.py
└── [2.6K] README.md
0 directories, 3 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。