CVE-2021-4034 PoC — polkit buffer error vulnerability

Source
Associated Vulnerability
Title: polkit buffer error vulnerability (CVE-2021-4034)
Description: A local privilege escalation vulnerability was found in polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according to predefined policies. The current version of pkexec doesn't handle the calling parameter count correctly and ends up trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way that they induce pkexec to execute arbitrary code. When successfully executed, the attack can cause a local privilege escalation, giving unprivileged users administrative rights on the target machine.
Description
CentOS 6.10 RPM package that fixes polkit CVE-2021-4034
Readme
# polkit-0.96-CVE-2021-4034

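CentOS 7.x already has an RPM package that fixes CVE-2021-4034, but I could not find one for CentOS 6.x,
so I built and packaged the RPM myself, using the [upstream source commit](https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683) as a reference.

Red Hat has already fixed 6.x, but I could not find anywhere to download the package:
https://access.redhat.com/errata/RHSA-2022:0269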


## Fixing the vulnerability


```
# Download polkit-0.96-11.1.el6.x86_64.rpm

# Upgrade
rpm -Uhv polkit-0.96-11.1.el6.x86_64.rpm

# Test whether the vulnerability is fixed
sh check_polkit_cve_2021_4034.sh
```

## RPM packaging process

```
# Download polkit-0.96-11.el6.src.rpm from
#   https://vault.centos.org/6.10/os/Source/SPackages/

# Install the source RPM; it unpacks into
#   ~/rpmbuild/SOURCES/
#   ~/rpmbuild/SPECS/
rpm -hiv polkit-0.96-11.el6.src.rpm

# Apply the existing patches
rpmbuild -bp ~/rpmbuild/SPECS/polkit.spec

cd ~/rpmbuild/BUILD
cp -R polkit-0.96 polkit-0.96-new
# Edit pkcheck.c and pkexec.c under polkit-0.96-new, following
#   https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683

# Generate the patch
diff -uNr polkit-0.96 polkit-0.96-new/ > polkit-0.96-CVE-2021-4034.patch
# Copy the patch
cp polkit-0.96-CVE-2021-4034.patch ~/rpmbuild/SOURCES/
# Edit ~/rpmbuild/SPECS/polkit.spec

# Build
rpmbuild -ba ~/rpmbuild/SPECS/polkit.spec
# Build output:
#   SRPMS/polkit-0.96-11.1.el6.src.rpm
#
#   RPMS/x86_64/polkit-0.96-11.1.el6.x86_64.rpm
#   RPMS/x86_64/polkit-debuginfo-0.96-11.1.el6.x86_64.rpm
#   RPMS/x86_64/polkit-devel-0.96-11.1.el6.x86_64.rpm
#   RPMS/x86_64/polkit-docs-0.96-11.1.el6.x86_64.rpm
#   RPMS/noarch/polkit-desktop-policy-0.96-11.1.el6.noarch.rpm

# Install
rpm -Uhv RPMS/x86_64/polkit-0.96-11.1.el6.x86_64.rpm

# Test whether the vulnerability is fixed
sh check_polkit_cve_2021_4034.sh
```
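
A pre-build sanity check for the steps above, as an added example that is not part of the original README: it confirms that the generated patch touches both pkexec.c and pkcheck.c and that polkit.spec declares and applies it before `rpmbuild -ba` is run. The `PatchN:`/`%patchN` numbering, the `Release: 11.1` bump and the function names are assumptions, since the README does not show its spec changes.

```sh
#!/bin/sh
# Added example (not from the README): sanity-check the patch and spec
# before running rpmbuild -ba. Function names are illustrative.
PATCH_NAME="polkit-0.96-CVE-2021-4034.patch"

# patch_touches FILE PATCH: true if the unified diff has a "+++ .../FILE" header.
patch_touches() {
    grep -Eq "^\+\+\+ [^[:space:]]*/$1([[:space:]]|\$)" "$2"
}

# spec_patch_number SPEC: print N from "PatchN: <PATCH_NAME>", empty if absent.
spec_patch_number() {
    sed -n "s/^Patch\([0-9][0-9]*\):[[:space:]]*$PATCH_NAME[[:space:]]*\$/\1/p" "$1" | head -n 1
}

# spec_applies_patch SPEC N: true if the spec has an el6-style "%patchN" line.
spec_applies_patch() {
    grep -Eq "^%patch$2([[:space:]]|\$)" "$1"
}

# check_build_inputs PATCH SPEC: print "ok" or the first problem found.
check_build_inputs() {
    for f in pkexec.c pkcheck.c; do
        patch_touches "$f" "$1" || { echo "patch does not modify $f"; return 1; }
    done
    n=$(spec_patch_number "$2")
    [ -n "$n" ] || { echo "spec has no PatchN: line for $PATCH_NAME"; return 1; }
    spec_applies_patch "$2" "$n" || { echo "Patch$n is declared but never applied"; return 1; }
    # Assumption: the 11 -> 11.1 release bump is made on the Release: line,
    # so that rpm -U treats the rebuilt package as newer.
    grep -Eq '^Release:[[:space:]]*11\.1' "$2" || { echo "Release not bumped to 11.1"; return 1; }
    echo "ok"
}

# Stand-alone use: sh check_build_inputs.sh <patch> <spec>
if [ "$#" -eq 2 ]; then
    check_build_inputs "$1" "$2"
fi
```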
  
## References

[CVE-2021-4034: Linux Polkit privilege escalation vulnerability advisory](https://cert.360.cn/warning/detail?id=25d7a6ec96c91ca4e4238fd10da2c778)

[Script to detect Polkit Vulnerability in RedHat Linux systems | PwnKit](https://www.ramanean.com/script-to-detect-polkit-vulnerability-in-redhat-linux-systems-pwnkit/)

https://github.com/arthepsy/CVE-2021-4034

https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683


File Snapshot

```
[4.0K]  /data/pocs/f4f0975235214dc018133278e0afb9bb8b650e9e
├── [7.4K]  check_polkit_cve_2021_4034.sh
├── [1.2K]  polkit-0.96-CVE-2021-4034.patch
├── [ 12K]  polkit.spec
├── [2.1K]  README.md
├── [4.0K]  rpm-el7
│   └── [1.4M]  polkit-0.112-26.el7.src.rpm
├── [4.0K]  rpm-new
│   ├── [1.0M]  polkit-0.96-11.1.el6.src.rpm
│   ├── [161K]  polkit-0.96-11.1.el6.x86_64.rpm
│   ├── [465K]  polkit-debuginfo-0.96-11.1.el6.x86_64.rpm
│   ├── [7.0K]  polkit-desktop-policy-0.96-11.1.el6.noarch.rpm
│   ├── [ 28K]  polkit-devel-0.96-11.1.el6.x86_64.rpm
│   └── [271K]  polkit-docs-0.96-11.1.el6.x86_64.rpm
└── [4.0K]  rpm-old
    ├── [1.0M]  polkit-0.96-11.el6.src.rpm
    └── [162K]  polkit-0.96-11.el6.x86_64.rpm

3 directories, 13 files
```