Skip to content

mebeim/CVE-2021-4034

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
LICENSE
LICENSE
 
 
README.md
README.md
 
 
expl.sh
expl.sh
 
 
fake_module.c
fake_module.c
 
 
helper.c
helper.c
 
 
terminal.gif
terminal.gif
 
 

Repository files navigation

CVE-2021-4034 Proof of Concept

Qualys researches found a pretty cool local privilege escalation vulnerability in Polkit's pkexec: writeup, tweet. This vuln has been around and exploitable on major Linux distros for quite a long time. Security patches have been published, so I decided to write a very simple PoC to show how trivial it is to exploit this. The code in this repo should be really self-explanatory after reading the linked write-up. Also thanks to @Drago1729 for the idea and the help.

How to:

  1. Get a vulnerable version of pkexec e.g. from policykit-1 <= 0.105-31 in the Debian repos or even built from source. You can have it locally installed or just copy the pkexec executable alone directly in this directory (make sure it's executable and setuid root).
  2. Ensure you have GCC installed in order to compile the two C helpers in this repo.
  3. Run ./expl.sh and enjoy.

NOTE: expl.sh will first look for pkexec in the current working directory, then fall-back to $PATH. Since pkexec is usually a setuid-root executable, maybe run this in a VM and not on your machine, y'know...

Demo:

result

Cheers, @mebeim :)

About

CVE-2021-4034: Local Privilege Escalation in polkit's pkexec proof of concept

Topics

proof-of-concept lpe polkit pkexec cve-2021-4034 pwnkit

Resources

Readme

License

Unlicense license
Activity

Stars

32 stars

Watchers

2 watching

Forks

6 forks
Report repository

Languages