12 lines
372 B
Markdown
12 lines
372 B
Markdown
# CVE-2021-4032
|
|
|
|
* [Qualys put it in the open](https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt)
|
|
* [arthepsy's exploit](https://github.com/arthepsy/CVE-2021-4034)
|
|
|
|
* Arg counting starts at 1 inside pkexec logic
|
|
* `execve( "/usr/binpkexec", (char **){NULL}, env)` puts NULL into argc[1]
|
|
* The value behind NULL can be overwritten, which is the first env param
|
|
|
|
|
|
|