killchain-compendium/Exploits/Linux/pkexec.md

# CVE-2021-4032

* [Qualys put it in the open](https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt)
* [arthepsy's exploit](https://github.com/arthepsy/CVE-2021-4034)

* Arg counting starts at 1 inside pkexec logic
* `execve( "/usr/binpkexec", (char **){NULL}, env)` puts NULL into argc[1]
* The value behind NULL can be overwritten, which is the first env param
restructured Exploits 2022-11-13 22:38:01 +01:00			`# CVE-2021-4032`

			`* [Qualys put it in the open](https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt)`
			`* [arthepsy's exploit](https://github.com/arthepsy/CVE-2021-4034)`

			`* Arg counting starts at 1 inside pkexec logic`
			* `execve( "/usr/binpkexec", (char **){NULL}, env)` puts NULL into argc[1]
			`* The value behind NULL can be overwritten, which is the first env param`