
CVE-2021-4034 PoC — polkit buffer error vulnerability

Associated vulnerability
Title: polkit buffer error vulnerability (CVE-2021-4034)
Description: A local privilege escalation vulnerability was found in polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according to predefined policies. The current version of pkexec doesn't handle the calling parameter count correctly and ends up trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way that they induce pkexec to execute arbitrary code. When successfully executed, the attack can cause a local privilege escalation, giving unprivileged users administrative rights on the target machine.
Repository description: LSM BPF module to block pwnkit (CVE-2021-4034) like exploits
Readme
![BUILD](https://github.com/evdenis/lsm_bpf_check_argc0/actions/workflows/build.yml/badge.svg)

# Check ARGC0 LSM BPF

Simple LSM BPF program to prevent program executions with argc == 0, e.g. pwnkit (CVE-2021-4034).
It does nothing more than a simple check that all exec\*() system calls are called with argc >= 1.
The check is based on Ariadne Conill's [patch](https://lore.kernel.org/all/20220127000724.15106-1-ariadne@dereferenced.org/).
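As an added example (not code from the lsm_bpf_check_argc0 project or from the kernel patch), the following userspace C program models the argc >= 1 rule that the LSM enforces and probes whether the running kernel, with or without the LSM loaded, rejects an execve() with an empty argv the way the `test/trigger` program above does. It assumes a harmless target binary exists at `/bin/true`; the function and enum names (`count_argc`, `check_argc0`, `probe_argc0`, `probe_result`) are the example's own.

```c
/* Added example: userspace model of the argc == 0 check and a probe for it.
 * Not part of the lsm_bpf_check_argc0 project. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Count argv entries up to the terminating NULL. A NULL argv counts as 0,
 * which is exactly what execve(path, NULL, NULL) hands to the kernel. */
int count_argc(char *const argv[])
{
    int n = 0;
    if (argv == NULL)
        return 0;
    while (argv[n] != NULL)
        n++;
    return n;
}

/* Userspace model of the kernel-side rule: an exec with argc == 0 is refused
 * with -EINVAL, every other exec is allowed (returns 0). */
int check_argc0(char *const argv[])
{
    return count_argc(argv) >= 1 ? 0 : -EINVAL;
}

enum probe_result { PROBE_BLOCKED, PROBE_ALLOWED, PROBE_ERROR };

/* Fork and attempt execve(target, NULL, NULL) in the child. The child's exit
 * code encodes what happened so the parent can classify the outcome.
 * target is assumed to be a harmless binary such as /bin/true. */
enum probe_result probe_argc0(const char *target)
{
    pid_t pid = fork();
    if (pid < 0)
        return PROBE_ERROR;
    if (pid == 0) {
        execve(target, NULL, NULL);
        /* Only reached when execve() itself failed. */
        _exit(errno == EINVAL ? 100 : 101);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return PROBE_ERROR;
    switch (WEXITSTATUS(status)) {
    case 100: return PROBE_BLOCKED;  /* kernel or LSM answered EINVAL */
    case 101: return PROBE_ERROR;    /* execve failed for another reason */
    default:  return PROBE_ALLOWED;  /* target actually ran with argc == 0 */
    }
}

int main(void)
{
    static char *const good[] = { "true", NULL };
    static const char *names[] = { "blocked (EINVAL)", "allowed", "error" };

    printf("model: argv=NULL -> %d, argv={\"true\"} -> %d\n",
           check_argc0(NULL), check_argc0(good));
    printf("probe /bin/true with empty argv: %s\n",
           names[probe_argc0("/bin/true")]);
    return 0;
}
```

With the service running, the probe reports "blocked (EINVAL)" and a line for the child appears in the program's log; without it, an unpatched kernel lets `/bin/true` start with an empty argv and the probe reports "allowed". The assumption here is that the project's BPF program in `src/check_argc0_lsm.c` reads the argument count from the exec hook and returns -EINVAL on zero, which is what `check_argc0()` mirrors in userspace.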

<p align="center">
  <a href="https://youtu.be/rRBaurE7rUM">
    <img src="https://img.youtube.com/vi/rRBaurE7rUM/0.jpg" alt="LSM BPF demonstration"/>
  </a>
</p>

## How to build

```
# On Ubuntu
$ sudo apt-get install libc6-dev-i386 libbpf0 libbpf-dev

# On Fedora 35
$ sudo dnf install clang bpftool libbpf-devel glibc-devel.i686 glibc-devel.x86_64

$ make
```

## How to install

Run:
```
$ sudo make DESTDIR=/usr install
# which executes the following commands
# sudo cp src/load_check_argc0_lsm /usr/sbin
# sudo cp share/check_argc0_lsm.service /etc/systemd/system/

# After that you can enable the service with
$ sudo systemctl daemon-reload
$ sudo systemctl enable check_argc0_lsm.service
$ sudo systemctl start check_argc0_lsm.service
```

Test:
```
$ strace ./test/trigger
...
execve("/usr/bin/pkexec", NULL, NULL)   = -1 EINVAL (Invalid argument)

$ sudo journalctl -u check_argc0_lsm.service
Feb 10 13:27:08 purple systemd[1]: Started LSM BPF protection for argc == 0 execs.
Feb 10 13:27:13 purple load_check_argc0_lsm[89177]: TIME     PID     PROCESS          CALLING
Feb 10 13:27:13 purple load_check_argc0_lsm[89177]: 13:27:13 89194   trigger          /usr/bin/pkexec
```

## How to test

Linux kernel >= 5.8 is required, for BPF LSM (5.7) and the BPF ringbuf (5.8).

```
# The program will start, attach an LSM BPF, and monitor the log
$ sudo ./src/load_check_argc0_lsm
TIME     PID     PROCESS          CALLING
12:59:21 85689   trigger          /usr/bin/pkexec
```

One can use the trigger program to test that everything works:
```
$ strace ./test/trigger
...
execve("/usr/bin/pkexec", NULL, NULL)   = -1 EINVAL (Invalid argument)
```
File Snapshot

```
[4.0K] /data/pocs/f6c19646fa3dd5484188584c1f2320a020d549fd
├── [4.0K] doc
│   └── [104K] ru_LSM_BPF_pwnkit.pdf
├── [ 222] Makefile
├── [2.0K] README.md
├── [4.0K] share
│   ├── [ 182] check_argc0_lsm.service.tmpl
│   └── [ 211] Makefile
├── [4.0K] src
│   ├── [ 862] check_argc0_lsm.c
│   ├── [ 218] common.h
│   ├── [3.1K] load_check_argc0_lsm.c
│   └── [ 540] Makefile
└── [4.0K] test
    ├── [ 149] Makefile
    ├── [ 451] test.c
    └── [ 210] trigger.c

4 directories, 12 files
```