Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2021-3560 PoC — polkit 代码问题漏洞

Source
https://github.com/iSTAR-Lab/CVE-2021-3560_PoC
Associated Vulnerability
Title:polkit 代码问题漏洞 (CVE-2021-3560)
Description:It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user. This flaw could be used by an unprivileged local attacker to, for example, create a new local administrator. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Description
polkit exploit script v1.0
Readme
# CVE-2021-3560_PoC
polkit exploit script

Automated script for escalating to root using polkit service

# Requirements
- SSH server (this is to avoid having authentication popups through GNOME)
- Vulnerable Linux distribution:
<table>
  <tbody>
    <tr>
      <th>Distribution</th>
      <th>Vulnerable?</th>
    </tr>
    <tr>
      <td>RHEL 7</td>
      <td>No</td>
    </tr>
    <tr>
      <td>RHEL 8</td>
      <td>
        <a
          href="https://access.redhat.com/security/cve/CVE-2021-3560"
          rel="noopener"
          target="_blank"
          >Yes</a
        >
      </td>
    </tr>
    <tr>
      <td>Fedora 20 (or earlier)</td>
      <td>No</td>
    </tr>
    <tr>
      <td>Fedora 21 (or later)</td>
      <td>
        <a
          href="https://bugzilla.redhat.com/show_bug.cgi?id=1967424"
          rel="noopener"
          target="_blank"
          >Yes</a
        >
      </td>
    </tr>
    <tr>
      <td>Debian 10 (“buster”)</td>
      <td>No</td>
    </tr>
    <tr>
      <td>Debian testing (“bullseye”)</td>
      <td>
        <a
          href="https://security-tracker.debian.org/tracker/CVE-2021-3560"
          rel="noopener"
          target="_blank"
          >Yes</a
        >
      </td>
    </tr>
    <tr>
      <td>Ubuntu 18.04</td>
      <td>No</td>
    </tr>
    <tr>
      <td>Ubuntu 20.04</td>
      <td>
        <a
          href="https://ubuntu.com/security/CVE-2021-3560"
          rel="noopener"
          target="_blank"
          >Yes</a
        >
      </td>
    </tr>
  </tbody>
</table>

# Usage Guide
```bash
ssh localhost
git clone https://github.com/tyleraharrison/CVE-2021-3560_PoC.git
cd CVE-2021-3560_PoC
./polkitRoot.sh
```

# Known Issues
- Solution to needing to brute-force is poorly written recursion
- Line-endings may need to be changed with `dos2unix polkitRoot.sh` because GitHub changed them to CRLF and Bash does not like that

Tested in Ubuntu 20.04

Reference: https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/
File Snapshot

 [4.0K]  /data/pocs/9c5d3891d40dcc5f78d47ec7d125d1d4bfdc7dd7
├── [2.9K]  polkitRoot.sh
└── [2.0K]  README.md

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →