PoC for CVE-2021-4034
Based on the PoC by https://haxx.in: https://haxx.in/files/blasty-vs-pkexec.c. Probably he's https://github.com/blasty?! I don't know.
With a little help from https://github.com/daimoniac
gcc -Wall cve-2021-4034.c -o cve-2021-4034-exploit
Change the variable hosts in asses_CVE-2021-4034.yml to your use case!
ansible-playbook -i </path/to/inventory.yml> </path/to/playbooks/>asses_CVE-2021-4034.yml
The playbook copies the exploit to the host, executes it several times, evaluates the whoami output and checks whether the exploit returned "root".
On hosts where the task Check result of privilege escalation fails, a privilege escalation was successful.
In the play recap, hosts which don't have failed=0 are vulnerable.
Deep down? I have no idea. Weird memory mashups probably.
What's essential for the operability of this Ansible playbook is https://github.com/mike-artemis/cve-2021-4034/blob/main/cve-2021-4034.c#L50. The plain exploit from https://haxx.in/files/blasty-vs-pkexec.c only opens a root shell, and the Ansible playbook gets stuck in it. Changing the payload of the exploit to
" static char *a_argv[] = { \"bash\", \"-c\", \"whoami\", NULL };\n"
makes it return the current user instead. The playbook checks that user for privilege escalation and lets the task fail on that host if it happened.
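As an added example (not code from this repository or from the original PoC), the following Python helper reproduces the two decisions the text above describes, so the result of a large run can be evaluated without reading the recap by hand: whether the whoami output produced by the modified payload indicates escalation, and which hosts in the PLAY RECAP are vulnerable because their failed counter is not 0. It also separates hosts that were unreachable, since those were never assessed and must not be reported as not vulnerable. The recap lines and host names are constructed sample data, not output from a real run.

```python
"""Evaluate the output of the CVE-2021-4034 assessment playbook (added example)."""
import re
from typing import Dict, List

# One PLAY RECAP line, e.g.
#   web01   : ok=4    changed=2    unreachable=0    failed=1    skipped=0 ...
# The "PLAY RECAP ****" header has no colon and therefore does not match.
RECAP_LINE = re.compile(r"^(?P<host>\S+)\s*:\s*(?P<counters>(?:\w+=\d+\s*)+)$")

# Constructed sample recap (made-up host names), as ansible-playbook prints it.
SAMPLE_RECAP = """\
PLAY RECAP *********************************************************************
web01                      : ok=5    changed=2    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
web02                      : ok=4    changed=2    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0
db01                       : ok=0    changed=0    unreachable=1    failed=0    skipped=0    rescued=0    ignored=0
"""


def is_escalated(whoami_output: str) -> bool:
    """Mirror the playbook's check: the modified payload runs `bash -c whoami`,
    so the exploit printing 'root' means the privilege escalation succeeded."""
    return whoami_output.strip() == "root"


def parse_recap(recap_text: str) -> Dict[str, Dict[str, int]]:
    """Parse the PLAY RECAP block into {host: {counter: value}}.
    Non-recap lines (headers, task output) are skipped."""
    hosts: Dict[str, Dict[str, int]] = {}
    for line in recap_text.splitlines():
        m = RECAP_LINE.match(line.strip())
        if not m:
            continue
        counters = {k: int(v) for k, v in re.findall(r"(\w+)=(\d+)", m.group("counters"))}
        hosts[m.group("host")] = counters
    return hosts


def vulnerable_hosts(recap_text: str) -> List[str]:
    """Hosts whose recap does not show failed=0: the task
    'Check result of privilege escalation' failed there, i.e. the exploit returned root."""
    return sorted(h for h, c in parse_recap(recap_text).items() if c.get("failed", 0) != 0)


def unreachable_hosts(recap_text: str) -> List[str]:
    """Hosts the playbook could not reach; they were not assessed at all."""
    return sorted(h for h, c in parse_recap(recap_text).items() if c.get("unreachable", 0) != 0)


def not_vulnerable_hosts(recap_text: str) -> List[str]:
    """Hosts that were reached and where the check did not fail."""
    recap = parse_recap(recap_text)
    return sorted(
        h for h, c in recap.items()
        if c.get("failed", 0) == 0 and c.get("unreachable", 0) == 0
    )


if __name__ == "__main__":
    # Typical use: ansible-playbook ... | tee run.log ; python3 evaluate.py < run.log
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RECAP
    print("vulnerable:    ", ", ".join(vulnerable_hosts(text)) or "-")
    print("not vulnerable:", ", ".join(not_vulnerable_hosts(text)) or "-")
    print("unreachable:   ", ", ".join(unreachable_hosts(text)) or "-")
```

Pipe the full ansible-playbook output into the script; only the recap lines are used. Hosts listed as vulnerable need the distribution's polkit update; until it is installed, removing the setuid bit from pkexec is the widely published interim mitigation. Unreachable hosts have to be re-run, not treated as clean.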