Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2021-4034 PoC — polkit 缓冲区错误漏洞

Source
https://github.com/An00bRektn/CVE-2021-4034
Associated Vulnerability
Title:polkit 缓冲区错误漏洞 (CVE-2021-4034)
Description:A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it'll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation given unprivileged users administrative rights on the target machine.
Description
A Golang implementation of clubby789's implementation of CVE-2021-4034
Readme
# CVE-2021-4034
> January 25, 2022 | An00bRektn

This is a golang implementation of CVE-2021-4034 based on (*read as:* blatantly stolen from) [clubby789's](https://github.com/clubby789/CVE-2021-4034) implementation of the vulnerability discovered by [Qualys](https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034).

I made a blog post going into further detail about the vulnerability, mainly for myself, but for anyone who wants a more drawn out explanation, which you can find [here](https://an00brektn.github.io/pwnkit/).

## Mitigation
Canonical has already released a patched version in the APT package manager, so all Ubuntu distros that are not EOL that are up-to-date (`sudo apt update && sudo apt upgrade`), should be good. If your distro does not have a patch yet, the current "band-aid" solution is to remove the SUID bit like so: `sudo chmod 0755 $(which pkexec)`.

## FAQ

#### How are you doing?
Good, thanks for asking 😊

#### Did you discover this vulnerability?
No. This was from Qualys. Did you not read the first part?

#### Why clubby789?
Saw them create a new repository in my GitHub feed and decided I'd try to recreate it in another language (yes I have nothing better to do).

#### Why Golang? Shouldn't you just use C?
I just wanted to get some more Golang practice in. Also, currently not smart enough to figure out the exact details of the vuln without looking at a PoC. I get it now, but I needed to copy the code to understand the code. Also, golang compiles statically, which is neat :)

#### Who asked?
idk

## Advisory
This code should be used for authorized penetration testing and/or educational purposes only. Any misuse of the program will not be the responsibility of the author. Only run this exploit against machines that you have express permission to run it against.
File Snapshot

 [4.0K]  /data/pocs/09775b5459bfb217568d9883827fd14c1ebae96d
├── [1.0K]  LICENSE
├── [3.3K]  poc.go
└── [1.9K]  README.md

0 directories, 3 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →