killchain-compendium/Exploits/Linux/pkexec.md

12 lines
372 B
Markdown
Raw Normal View History

2022-11-13 22:38:01 +01:00
# CVE-2021-4032
* [Qualys put it in the open](https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt)
* [arthepsy's exploit](https://github.com/arthepsy/CVE-2021-4034)
* Arg counting starts at 1 inside pkexec logic
* `execve( "/usr/binpkexec", (char **){NULL}, env)` puts NULL into argc[1]
* The value behind NULL can be overwritten, which is the first env param