关联漏洞
标题:
polkit 缓冲区错误漏洞
(CVE-2021-4034)
描述:polkit是一个在类 Unix操作系统中控制系统范围权限的组件。通过定义和审核权限规则,实现不同优先级进程间的通讯。 polkit 的 pkexec application存在缓冲区错误漏洞,攻击者可利用该漏洞通过精心设计环境变量诱导pkexec执行任意代码。成功执行攻击后,如果目标计算机上没有权限的用户拥有管理权限,攻击可能会导致本地权限升级。
描述
pwnkit
介绍
### CREDITS
VULNERABILITY AUTHOR: https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034
# Reference
https://github.com/arthepsy/CVE-2021-4034/blob/main/cve-2021-4034-poc.c
https://linux.die.net/man/1/pkexec
man_page/pkexec:
Note that pkexec does no validation of the ARGUMENTS passed to PROGRAM.
In the normal case (where administrator authentication is required
every time pkexec is used), this is not a problem since if the user is
an administrator he might as well just run pkexec bash to get root.
However, if an action is used for which the user can retain
authorization (or if the user is implicitly authorized), such as with
pk-example-frobnicate above, this could be a security hole. Therefore,
as a rule of thumb, programs for which the default required
authorization is changed, should never implicitly trust user input
(e.g. like any other well-written suid program).
by the author David Zeuthen <davidz@redhat.com>
written in may 2009.
# GCONV resources
https://www.gnu.org/software/libc/manual/html_node/glibc-iconv-Implementation.html#:~:text=for%20all%20conversions.-,gconv,use%20of%20the%20conversion%20functions.
https://hugeh0ge.github.io/2019/11/04/Getting-Arbitrary-Code-Execution-from-fopen-s-2nd-Argument/
# PwnFunction
EXPLANATION VIDEO: https://youtu.be/eTcVLqKpZJc
# TO DO
Port the exploit to rust
need to write an explanation for exploit
文件快照
[4.0K] /data/pocs/ce94d59d5e456dffc87a5dc895eafe3c67c023c8
├── [1.2K] pkexec_exploit.c
├── [ 53] pkexec_exploit.rs
└── [1.6K] README.md
0 directories, 3 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。