CVSSv2 6.9

CVE-2011-1485

Published: 31/05/2011 Updated: 19/12/2012
CVSS v2 Base Score: 6.9 | Impact Score: 10 | Exploitability Score: 3.4
VMScore: 746
Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

Race condition in the pkexec utility and polkitd daemon in PolicyKit (aka polkit) 0.96 allows local users to gain privileges by executing a setuid program from pkexec, related to the use of the effective user ID instead of the real user ID.
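The summary above is dense, so here is the mechanism spelled out. pkexec does not decide authorization itself; it asks polkitd about the process that invoked it (its parent). polkitd in 0.96 identified the owner of that subject by its effective UID. An unprivileged user can therefore start pkexec and, while polkitd is still looking up the parent, have that parent exec a setuid-root program: its real UID stays 1000, but its effective UID becomes 0, and polkitd treats the subject as root. The real UID is not changed by a setuid exec, which is why the fix is to decide on it instead.

The following C program is an added illustration, not code from polkit or from any of the exploits listed on this page. It models the two decisions as a parser over the Uid: line of /proc/<pid>/status (real, effective, saved and filesystem UID, in that order). The exact code path polkit 0.96 used to obtain the UID is not shown on this page, so `subject_is_root_vulnerable` and `subject_is_root_fixed` are a simplified model of the vulnerable and corrected logic, and the two status buffers are constructed samples, not captures from a real system.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/*
 * Parse the "Uid:" line of a /proc/<pid>/status buffer.
 * The line carries four fields: real, effective, saved and filesystem UID.
 * Returns 0 on success, -1 if the line is missing or malformed.
 */
static int parse_status_uids(const char *status, uid_t *ruid, uid_t *euid)
{
    const char *line = status;

    while (line != NULL && *line != '\0') {
        if (strncmp(line, "Uid:", 4) == 0) {
            unsigned long r, e, s, f;
            if (sscanf(line + 4, " %lu %lu %lu %lu", &r, &e, &s, &f) != 4)
                return -1;
            *ruid = (uid_t)r;
            *euid = (uid_t)e;
            return 0;
        }
        line = strchr(line, '\n');
        if (line != NULL)
            line++;
    }
    return -1;
}

/*
 * Model of the vulnerable decision (assumption, not polkit's code): the subject
 * counts as root when its effective UID is 0. A parent that has just exec'd a
 * setuid-root program satisfies this although the user behind it is unprivileged.
 * Returns 1 (root), 0 (not root) or -1 (unparseable).
 */
int subject_is_root_vulnerable(const char *status)
{
    uid_t ruid, euid;
    if (parse_status_uids(status, &ruid, &euid) != 0)
        return -1;
    return euid == 0;
}

/*
 * Model of the corrected decision: the real UID identifies the user, and a
 * setuid exec does not change it.
 */
int subject_is_root_fixed(const char *status)
{
    uid_t ruid, euid;
    if (parse_status_uids(status, &ruid, &euid) != 0)
        return -1;
    return ruid == 0;
}

/* Constructed sample: a process started by uid 1000 that has exec'd a
 * setuid-root binary, so ruid=1000 and euid=0. */
const char SAMPLE_SETUID_STATUS[] =
    "Name:\tsuidprog\n"
    "State:\tS (sleeping)\n"
    "Pid:\t4242\n"
    "PPid:\t4100\n"
    "Uid:\t1000\t0\t0\t0\n"
    "Gid:\t1000\t1000\t1000\t1000\n";

/* Constructed sample: an ordinary unprivileged shell. */
const char SAMPLE_PLAIN_STATUS[] =
    "Name:\tbash\n"
    "Uid:\t1000\t1000\t1000\t1000\n"
    "Gid:\t1000\t1000\t1000\t1000\n";

/* Read /proc/<pid>/status into buf; returns 0 on success, -1 otherwise. */
int read_proc_status(pid_t pid, char *buf, size_t len)
{
    char path[64];
    FILE *fp;
    size_t n;

    snprintf(path, sizeof path, "/proc/%ld/status", (long)pid);
    fp = fopen(path, "r");
    if (fp == NULL)
        return -1;
    n = fread(buf, 1, len - 1, fp);
    fclose(fp);
    buf[n] = '\0';
    return 0;
}

int main(void)
{
    char buf[4096];

    printf("setuid sample: vulnerable=%d fixed=%d\n",
           subject_is_root_vulnerable(SAMPLE_SETUID_STATUS),
           subject_is_root_fixed(SAMPLE_SETUID_STATUS));
    printf("plain sample:  vulnerable=%d fixed=%d\n",
           subject_is_root_vulnerable(SAMPLE_PLAIN_STATUS),
           subject_is_root_fixed(SAMPLE_PLAIN_STATUS));

    /* Both checks agree on this process: it has not exec'd anything setuid. */
    if (read_proc_status(getpid(), buf, sizeof buf) == 0)
        printf("this process: vulnerable=%d fixed=%d\n",
               subject_is_root_vulnerable(buf), subject_is_root_fixed(buf));
    else
        printf("/proc not available on this system\n");
    return 0;
}
```

On the setuid sample the vulnerable check answers "root" and the fixed check answers "not root"; on the plain sample both answer "not root". The window in which the parent's status flips is what makes this a race rather than a deterministic bypass, which is also why a patched polkitd (and the pkexec hardening shipped with it) is the only reliable mitigation.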

Affected Products

Vendor   Product     Versions
Redhat   Policykit   0.96

Vendor Advisories

Debian Bug report logs - #644500 policykit-1 local root exploit CVE-2011-1485. Package: policykit-1; Maintainer for policykit-1 is Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>; Source for policykit-1 is src:policykit-1 (PTS, buildd, popcon). Reported by: "Thijs Kinkhorst" <thijs@debian.org> ...
Local users could gain root access by using the pkexec tool in PolicyKit ...
Neel Mehta discovered that a race condition in Policykit, a framework for managing administrative policies and privileges, allowed local users to elevate privileges by executing a setuid program from pkexec. The oldstable distribution (lenny) does not contain the policykit-1 package. For the stable distribution (squeeze), this problem has been fixe ...

Exploits

/* * Exploit Title: pkexec Race condition (CVE-2011-1485) exploit * Author: xi4oyu * Tested on: rhel 6 * CVE : 2011-1485 * Linux pkexec exploit by xi4oyu , thx dm@0x557.org * Have fun~ U can reach us @ www.wooyun.org :) */ #include <stdio.h> #include <limits.h> #include <time.h> #include <unistd.h> #include < ...
## # This module requires Metasploit: http://metasploit.com/download # Current source: github.com/rapid7/metasploit-framework ## class Metasploit4 < Msf::Exploit::Local Rank = GreatRanking include Msf::Exploit::EXE include Msf::Post::File include Msf::Exploit::Local::Linux def initialize(info = {}) super(update_info(info ...
/* polkit-pwnage.c * * * ============================== * = PolicyKit Pwnage = * = by zx2c4 = * = Sept 2, 2011 = * ============================== * * * Howdy folks, * * This exploits CVE-2011-1485, a race condition in PolicyKit * * davidz25 explains: * * --begin-- * Briefly, the problem ...

Mailing Lists

A race condition flaw was found in the PolicyKit pkexec utility and polkitd daemon. A local user could use this flaw to appear as a privileged user to pkexec, allowing them to execute arbitrary commands as root by running those commands with pkexec. Those vulnerable include RHEL6 prior to polkit-0.96-2.el6_0.1 and Ubuntu libpolkit-backend-1 prior t ...
Linux pkexec and polkitd 0.96 race condition privilege escalation exploit ...
pkexec race condition privilege escalation exploit ...
PolicyKit versions 0.101 and below local privilege escalation exploit ...

Metasploit Modules

Linux PolicyKit Race Condition Privilege Escalation

A race condition flaw was found in the PolicyKit pkexec utility and polkitd daemon. A local user could use this flaw to appear as a privileged user to pkexec, allowing them to execute arbitrary commands as root by running those commands with pkexec. Those vulnerable include RHEL6 prior to polkit-0.96-2.el6_0.1 and Ubuntu libpolkit-backend-1 prior to 0.96-2ubuntu1.1 (10.10) 0.96-2ubuntu0.1 (10.04 LTS) and 0.94-1ubuntu1.1 (9.10)

msf > use exploit/linux/local/pkexec
msf exploit(pkexec) > show targets
    ...targets...
msf exploit(pkexec) > set TARGET <target-id>
msf exploit(pkexec) > show options
    ...show and set options...
msf exploit(pkexec) > exploit

Github Repositories

CVE-2011-1485 CVE-2011-1485 - Published: 2011-04-01 - PolicyKit: