Related vulnerability
Title:
polkit buffer error vulnerability
(CVE-2021-4034)
Description: polkit is a component that controls system-wide privileges in Unix-like operating systems. By defining and auditing permission rules, it mediates communication between processes of different privilege levels. polkit's pkexec application contains a buffer error vulnerability; an attacker can exploit it by crafting environment variables that induce pkexec to execute arbitrary code. After successful exploitation, an unprivileged user on the target machine may gain administrative rights, i.e. local privilege escalation.
Description
Linux LPE using polkit-1 written in Rust.
Introduction
# CVE-2021-4034-Rust
Linux LPE using polkit-1 written in Rust.
## Build instructions
[Install rust if you haven't already](https://rustup.rs/)
```
git clone https://github.com/deoxykev/CVE-2021-4034-Rust
cd CVE-2021-4034-Rust
rustup target add x86_64-unknown-linux-musl
cargo build --release
```
## Vuln Check
```
# check for pkexec
which pkexec || echo not vuln
# check suid permissions on pkexec
stat -c '%a' $(which pkexec) | grep -q 4755 || echo not vuln
# check patch date on pkexec
stat -c '%y' $(which pkexec)
# dates before 2022-01-12 may be unpatched & vulnerable
```
## Opsec considerations
- Writes exploit files to /dev/shm (ramdisk)
- delete randomly generated directory afterwards
- can be detected on file creation
- shellcode is hardcoded, consider replacing with a polymorphic payload (i.e. msfvenom output)
- syscall to pkexec with null args can be detected
- pkexec logs are visible in `/var/log/auth.log`
```
pkexec[121401]: user: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=/dev/pts/8] [CWD=/dev/shm/YWdQYnE3TSNlwNKMXEwYcGRVmdYipb] [COMMAND=GCONV_PATH=./tSq82ptZaDiyXWZz0BOybdH9fINqCG PATH=GCONV_PATH=. CHARSET=mgELtKAB9sXo0a9KJk00NNO0wa4x0J SHELL=mgELtKAB9sXo0a9KJk00NNO0wa4x0J]
```
## Sigma Rule Detection
- https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml
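As an added detection example (not part of this repository), the following Python parses pkexec entries from `auth.log` and flags the three signals visible in the log line above: the "SHELL variable was not found" message, `GCONV_PATH` inside the logged COMMAND, and a working directory under `/dev/shm`. The sample log lines are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log, modelled on the pkexec line shown in the README.
SAMPLE_AUTH_LOG = """\
Jan 26 10:00:01 host sshd[999]: Accepted publickey for alice from 10.0.0.5 port 5000
Jan 26 10:00:02 host pkexec[121401]: user: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=/dev/pts/8] [CWD=/dev/shm/YWdQYnE3TSNlwNKMXEwYcGRVmdYipb] [COMMAND=GCONV_PATH=./tSq82ptZaDiyXWZz0BOybdH9fINqCG PATH=GCONV_PATH=. CHARSET=mgELtKAB9sXo0a9KJk00NNO0wa4x0J SHELL=mgELtKAB9sXo0a9KJk00NNO0wa4x0J]
Jan 26 10:00:03 host pkexec[121500]: alice: Executing command [USER=root] [TTY=/dev/pts/2] [CWD=/home/alice] [COMMAND=/usr/bin/systemctl restart foo]
"""

# pkexec appends "[KEY=value]" fields; COMMAND may contain '=' and spaces but never ']'.
FIELD_RE = re.compile(r"\[(?P<key>[A-Z]+)=(?P<val>[^\]]*)\]")
SHELL_MSG = "The value for the SHELL variable was not found"


def parse_pkexec_line(line: str) -> Optional[Dict[str, str]]:
    """Return the bracketed fields plus the free-text MSG of a pkexec line, else None."""
    if "pkexec[" not in line or "]: " not in line:
        return None
    fields = {m.group("key"): m.group("val") for m in FIELD_RE.finditer(line)}
    # Text between "pkexec[pid]: " and the first bracketed field.
    fields["MSG"] = line.split("]: ", 1)[1].split(" [", 1)[0]
    return fields


def exploit_indicators(fields: Dict[str, str]) -> List[str]:
    """Signals taken from the log signature in the README; any one is suspicious."""
    reasons = []
    if SHELL_MSG in fields.get("MSG", ""):
        reasons.append("SHELL not in /etc/shells")
    if "GCONV_PATH=" in fields.get("COMMAND", ""):
        reasons.append("GCONV_PATH in pkexec command")
    if fields.get("CWD", "").startswith("/dev/shm/"):
        reasons.append("CWD under /dev/shm")
    return reasons


def scan_auth_log(text: str) -> List[dict]:
    """Return one hit per pkexec line that carries at least one indicator."""
    hits = []
    for line in text.splitlines():
        fields = parse_pkexec_line(line)
        if fields:
            reasons = exploit_indicators(fields)
            if reasons:
                hits.append({"cwd": fields.get("CWD", ""), "reasons": reasons, "line": line})
    return hits


if __name__ == "__main__":
    for hit in scan_auth_log(SAMPLE_AUTH_LOG):
        print(hit["cwd"], hit["reasons"])
```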
# Credits
vuln disclosure - Qualys research team - https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034
shellcode - @johkrupp - https://saarsec.rocks/2020/05/14/golf.so.html
File snapshot
[4.0K] /data/pocs/ec250c21971d29bd18a410dd9012653ee18b0166
├── [3.2K] Cargo.lock
├── [ 340] Cargo.toml
├── [6.9K] LICENSE
├── [1.6K] README.md
└── [4.0K] src
└── [3.6K] main.rs
1 directory, 5 files
Notes
1. It is recommended to access the original source first.
2. If the source is unavailable or inaccessible, please e-mail f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.