Pwnkit CVE-2021-4034

LPE in Polkit package

This blog post is a walkthrough of the room ‘Pwnkit:CVE-2021-4304’ on TryHackMe.

Extra Reading and logic => https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt

What is polkit?

Polkit is part of the Linux authorisation system. Polkit can be used to determine whether you have the requisite permissions. It is integrated with systemd and is much more configurable than the traditional sudo system. Basically allows you to run commands as other users (overview).

Vulnerability

Unpatched versions of the pkexec utility dont handle command line arguments properly, which can lead to “out of bounds write” condition, allowing attacker to manipulate the environment in which pkexec was started.

So if we run pkexec with no arguments the internal for loop of pkexec which starts from 1(as you normally would because 0 would be the pkexec) is skipped completly, which is okay but later pkexec tries to write values to n but it was never used so it uses the next available memory slot which is actually used by execve() execute environment!!

In other words, by passing pkexec a null list of arguments, we can force it to overwrite an environment variable instead!

More notes for the future…

Github - https://github.com/arthepsy/CVE-2021-4034/blob/main/cve-2021-4034-poc.c

Working

Creates new env variables which are

GCONV_PATH=./pwnkit
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
SHELL=pwnkit
PWD=/home/cabba/Desktop/THM/PwnKit/CVE-2021-4034
CHARSET=PWNKIT

These are set on the line


char *env[] = { "pwnkit", "PATH=GCONV_PATH=.", "CHARSET=PWNKIT", "SHELL=pwnkit", NULL }

Share: X (Twitter) Facebook LinkedIn