whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
killchain-compendium/Exploits/Linux/pkexec.md

372 B
Raw Blame History

CVE-2021-4032

  • Qualys put it in the open

  • arthepsy's exploit

  • Arg counting starts at 1 inside pkexec logic

  • execve( "/usr/binpkexec", (char **){NULL}, env) puts NULL into argc[1]

  • The value behind NULL can be overwritten, which is the first env param