Pwnkit (CVE-2021-4034) -- TryHackMe Walkthrough
Author: TryHackMe Walkthroughs
Uploaded: 2023-09-11
Views: 495
Description:
Introduction:-
CVE-2021-4034 (colloquially dubbed "Pwnkit") is a terrifying Local Privilege Escalation (LPE) vulnerability, located in the "Polkit" package installed by default on almost every major distribution of the Linux operating system (as well as many other *nix operating systems). In other words, it affects virtually every mainstream Linux system on the planet.
Chapters
0:00 - Introduction to CVE-2021-4034
1:44 - PwnKit Exploit - A Devastating Vulnerability
2:51 - Important Questions
3:26 - Practical Exploitation of PwnKit
7:45 - Remediations against PwnKit Exploit
Background:-
The ease of exploitation and ubiquitous nature of Polkit make this an absolutely devastating vulnerability; however, fortunately it is not exploitable remotely, making Pwnkit purely a local privilege escalation (LPE) vulnerability.
What is Polkit?
Before we look at the vulnerability directly, it helps to understand what Polkit actually is.
Polkit is part of the Linux authorisation system. In effect, when you try to perform an action which requires a higher level of privileges, Polkit can be used to determine whether you have the requisite permissions. It is integrated with systemd and is much more configurable than the traditional sudo system. Indeed, it is sometimes referred to as the "sudo of systemd", providing a granular system with which to assign permissions to users.
The Vulnerability:-
The Pwnkit vulnerability lives in pkexec, the setuid-root command-line front end to Polkit that lets an authorised user run a command as another user (typically root). We won't go into too much detail here in the interests of readability; however, you are encouraged to read through the Qualys Security Advisory for a full technical explanation of the vulnerability.
The short version is this: versions of pkexec released before the patch don't handle their command-line arguments safely. When the argument vector is empty, pkexec reads one slot past the end of argv and then writes a pointer back into that out-of-bounds slot, which happens to be the first entry of the environment. That lets an unprivileged local user smuggle an environment variable into a setuid-root process after the dynamic loader has already scrubbed the environment of unsafe variables, and from there run code as root. This is all you really need to know, but for a slightly more technical explanation, read on!
More specifically, pkexec walks its command-line arguments with a for-loop that starts at index 1, skipping argv[0], which by convention holds the program's own name (if we run pkexec bash, argv[0] is "pkexec" and the real arguments start at argv[1]). After the loop, pkexec treats argv[n] as the program to run; if that string is not an absolute path, it looks the program up in PATH and stores the resolved path back into argv[n].
What happens, then, if the argument vector is completely empty? A shell always passes at least argv[0], so argc is never 0 there, but any program can call execve() with an empty argv, handing pkexec argc == 0. The loop body never runs, n stays at 1, and argv[1] is now the slot just past the NULL that terminates argv. Because the kernel lays argv and envp out back to back on the new process's stack, that slot is envp[0]: pkexec reads its first environment variable as the program name, resolves it via PATH, and writes the resulting pointer over envp[0]. That is the out-of-bounds write, and it is what lets an attacker reintroduce an environment variable that the loader had removed from the setuid-root process.
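The argv/envp aliasing described above, as an added C model that is not code from the original walkthrough, the TryHackMe room, or pkexec itself: pkexec_like_parse mirrors the control flow from the Qualys advisory (a loop starting at n = 1, then a PATH lookup of argv[n] whose result is written back), find_program_in_path is a stand-in for the real lookup that pretends everything lives under /usr/bin, and the stack array and the MARKER=original variable are constructed to mimic the kernel's argv/envp layout. Nothing here is setuid and nothing escalates privilege; it only shows which slot the write lands on for argc == 1 versus argc == 0.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed model of the argc == 0 bug in pkexec (added illustration, not
 * pkexec's source). The kernel places argv and envp back to back on the new
 * process's stack:
 *     argv[0] ... argv[argc-1], NULL, envp[0] ... envp[m-1], NULL
 * so argv[argc + 1] is always envp[0]. With argc == 0 that slot is argv[1].
 */

/* Stand-in for the PATH lookup pkexec performs (assumption: every name
 * "resolves" under /usr/bin). Returns a pointer into a static buffer. */
static char *find_program_in_path(const char *name)
{
    static char resolved[256];
    snprintf(resolved, sizeof resolved, "/usr/bin/%s", name);
    return resolved;
}

/* Mirrors the vulnerable control flow: loop from n = 1, then trust argv[n].
 * Returns the index used (1) or -1 when there is no program to run. */
static int pkexec_like_parse(int argc, char **argv)
{
    int n;
    for (n = 1; n < argc; n++) {
        /* the real pkexec handles --user, --disable-internal-agent, ... here */
    }
    char *path = argv[n];   /* argc == 0: reads one slot past argv's NULL, i.e. envp[0] */
    if (path == NULL)
        return -1;          /* argc == 1 (plain `pkexec`): print usage and exit */
    if (path[0] != '/')
        argv[n] = find_program_in_path(path);   /* argc == 0: this overwrites envp[0] */
    return n;
}

/* Lays out a kernel-style argv/envp block for the requested argc (0 or 1),
 * runs the parser, and returns what envp[0] points to afterwards. */
static const char *env0_after_parse(int argc)
{
    static char *stack[8];                      /* constructed stand-in for the process stack */
    static char marker[] = "MARKER=original";   /* constructed first environment variable */
    int i = 0;

    if (argc == 1)
        stack[i++] = "pkexec";      /* argv[0] as a shell would supply it */
    stack[i++] = NULL;              /* argv terminator; envp begins at the next slot */
    char **envp = &stack[i];
    stack[i++] = marker;
    stack[i++] = "PATH=/usr/bin";
    stack[i++] = NULL;

    pkexec_like_parse(argc, stack);
    return envp[0];
}

int main(void)
{
    printf("argc == 1: envp[0] = %s\n", env0_after_parse(1));  /* left untouched */
    printf("argc == 0: envp[0] = %s\n", env0_after_parse(0));  /* silently rewritten */
    return 0;
}
```

With argc == 1 the parser sees argv[1] == NULL and bails out, leaving envp[0] as MARKER=original; with argc == 0 the same code resolves the first environment variable as if it were a program name and writes /usr/bin/MARKER=original over envp[0]. In a real process the argc == 0 path is reachable only by calling execve() with an empty argv array, which is why typing pkexec with no arguments at a shell prompt never triggers it.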
Exploitation:-
Once connected to the target machine, navigate to the pre-added pwnkit/ subdirectory, then compile the exploit using the following command:
gcc cve-2021-4034-poc.c -o exploit
We can then run the exploit with ./exploit to obtain instant root access over the target!
Remediation:-
1. Apply the vendor patch by updating Polkit (policykit-1 on Debian and Ubuntu, polkit on Red Hat-based systems): sudo apt update && sudo apt upgrade, or your distribution's equivalent.
2. If you cannot patch yet, remove the setuid bit from pkexec as a temporary mitigation: sudo chmod 0755 $(which pkexec). Without setuid root, pkexec cannot be abused for privilege escalation, but it also stops working for legitimate privilege elevation, so treat this as a stopgap until a patched package (which is installed setuid root again) replaces it.
Conclusion:-
Many TryHackMe machines, like the great majority of unpatched Linux systems out there, are vulnerable to Pwnkit, so working knowledge of both its exploitation and its remediation is essential for system and network administrators.