/exploit-CVE-2021-3560

Exploit for CVE-2021-3560 (Polkit) - Local Privilege Escalation

Primary LanguagePython

Exploit for CVE-2021-3560 (Polkit) - Local Privilege Escalation

GitHub CVE Cover

Like this repo? Give us a ⭐!

For educational and authorized security research purposes only.

Exploit Author

@UNICORDev by (@NicPWNs and @Dev-Yeoj)

Vulnerability Description

It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user. This flaw could be used by an unprivileged local attacker to, for example, create a new local administrator. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Exploit Description

Use this exploit on a system with vulnerable Polkit software to add a new user with Sudo privileges. Specify a custom username and/or password as CLI arguments, if desired. Once the new user is created, su to this user and sudo su for full root privileges.

Usage

  python3 exploit-CVE-2021–3560.py [-u <username> -p <password>]
  python3 exploit-CVE-2021–3560.py -h

Options

  -u    Custom username. Provide username to be created. (Optional)
  -p    Custom password. Provide password to be configured for user. (Optional)
  -h    Show this help menu.

Download

Download exploit-CVE-2021-3560.py Here

Exploit Requirements

  • python3
  • accountsservice
  • gnome-control-center
  • openssl
  • sudo

Demo

zmjijO5

User in privileged wheel group.

Tested On

Polkit Version 0.105 (Ubuntu 20.04.2 LTS)

Applies To

Polkit Versions 0.0 - 0.118

Test Environment

apt install accountsservice gnome-control-center openssl sudo

Warning

⚠️ Running this exploit on a system with a GUI may result in a pop-up password prompt that cannot be closed and may require a full system reboot. You may be able to close this pop-up by clicking "Cancel" repeatedly. However, this can fully be avoided if in an SSH or reverse shell session. Simply ssh localhost to avoid this issue.

Credits