CYB3RK1D/CVE-2021-4034-POC


CREDITS

Vulnerability discovered and documented by Qualys (PwnKit, CVE-2021-4034): https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034

Reference

https://github.com/arthepsy/CVE-2021-4034/blob/main/cve-2021-4034-poc.c

https://linux.die.net/man/1/pkexec

From the pkexec man page:

   Note that pkexec does no validation of the ARGUMENTS passed to PROGRAM.
   In the normal case (where administrator authentication is required
   every time pkexec is used), this is not a problem since if the user is
   an administrator he might as well just run pkexec bash to get root.

   However, if an action is used for which the user can retain
   authorization (or if the user is implicitly authorized), such as with
   pk-example-frobnicate above, this could be a security hole. Therefore,
   as a rule of thumb, programs for which the default required
   authorization is changed, should never implicitly trust user input
   (e.g. like any other well-written suid program).

Written by David Zeuthen, the author of pkexec, in May 2009.
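The warning above is the root of PwnKit: pkexec starts its option loop at argv[1] without first checking that argc is at least 1. execve() lays argv and envp out back to back (argv[0..argc-1], NULL, envp[0..], NULL), so a process started with an empty argv has argv[1] aliasing envp[0]. pkexec reads that string, resolves it against PATH and writes the resolved path back into argv[1], i.e. into the environment. With envp[0] = "pwnkit" and PATH = "GCONV_PATH=.", the string written back is "GCONV_PATH=./pwnkit", which is how a GCONV_PATH variable ends up in pkexec's environment and why the gconv links in the next section matter. The program below is an added example, not code from this repository, from the arthepsy PoC or from polkit: model_pkexec_argv() is a deliberately simplified, string-only model of the vulnerable loop (no --user/--help parsing and no filesystem lookup during the PATH search, both assumptions of this example), and main() re-executes itself with an empty argv so you can see what argc, argv[1] and environ[0] look like on your own kernel. Linux 5.18 and later substitute argv[0] = "" for an empty argv, which is the kernel-side mitigation; the PWNKIT_DEMO_CHILD marker is only a guard for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Look NAME up in an envp-style array of "NAME=value" strings. */
static const char *model_getenv(char **envp, const char *name) {
    size_t len = strlen(name);
    for (char **e = envp; *e != NULL; e++)
        if (strncmp(*e, name, len) == 0 && (*e)[len] == '=')
            return *e + len + 1;
    return NULL;
}

/* Stand-in for g_find_program_in_path(): join a relative name to the first
   PATH entry. String work only, no stat() of candidates (a simplification
   made for this example, not glib's real behaviour). */
static char *model_find_program_in_path(const char *name, const char *path,
                                        char *out, size_t outlen) {
    if (name == NULL || path == NULL)
        return NULL;
    if (name[0] == '/') {
        snprintf(out, outlen, "%s", name);
        return out;
    }
    size_t dirlen = strcspn(path, ":");
    snprintf(out, outlen, "%.*s/%s", (int)dirlen, path, name);
    return out;
}

/* Simplified model of the argument handling in pkexec's main() before the
   January 2022 fix, run over a pointer array laid out the way execve()
   hands it to the new program: argv[0..argc-1], NULL, envp[0..], NULL.
   Returns the string found in envp[0] afterwards, or NULL where pkexec
   would have printed usage / an error and exited. */
const char *model_pkexec_argv(int argc, char **stack, char *resolved,
                              size_t resolved_len) {
    char **argv = stack;
    char **envp = stack + argc + 1;   /* envp begins right after argv's NULL */
    int n;

    /* pkexec scans options starting at index 1. With argc == 0 the body never
       runs, n stays 1, and argv[1] is really envp[0]. */
    for (n = 1; n < argc; n++)
        if (argv[n][0] != '-')
            break;

    const char *path = argv[n];       /* out-of-bounds read when argc == 0 */
    if (path == NULL)
        return NULL;                  /* real pkexec: usage(), exit */

    if (path[0] != '/') {
        char *s = model_find_program_in_path(path, model_getenv(envp, "PATH"),
                                             resolved, resolved_len);
        if (s == NULL)
            return NULL;              /* real pkexec: "Cannot run program" */
        argv[n] = s;                  /* out-of-bounds write: clobbers envp[0] */
    }
    return envp[0];
}

/* Constructed inputs. Empty argv, attacker-chosen environment: the PwnKit case. */
const char *demo_pwnkit_model(void) {
    static char resolved[128];
    char *stack[] = { NULL, "pwnkit", "PATH=GCONV_PATH=.", NULL };
    return model_pkexec_argv(0, stack, resolved, sizeof resolved);
}

/* Constructed inputs. Ordinary "pkexec id": the environment is untouched. */
const char *demo_normal_model(void) {
    static char resolved[128];
    char *stack[] = { "pkexec", "id", NULL, "PATH=/usr/bin", NULL };
    return model_pkexec_argv(2, stack, resolved, sizeof resolved);
}

/* Constructed inputs. "pkexec" with no program: argv[1] is the NULL
   terminator, so the existing check catches it (but not the argc == 0 case). */
const char *demo_no_program_model(void) {
    static char resolved[128];
    char *stack[] = { "pkexec", NULL, "PATH=/usr/bin", NULL };
    return model_pkexec_argv(1, stack, resolved, sizeof resolved);
}

int main(int argc, char **argv) {
    if (getenv("PWNKIT_DEMO_CHILD") != NULL) {
        /* Re-executed child: report what the kernel actually handed us. */
        printf("child: argc=%d argv[0]=%s argv[1]=%s environ[0]=%s\n", argc,
               argv[0] ? argv[0] : "NULL", argv[1] ? argv[1] : "NULL",
               environ[0] ? environ[0] : "NULL");
        return 0;
    }
    printf("model, empty argv: envp[0] becomes %s\n", demo_pwnkit_model());
    printf("model, pkexec id: envp[0] stays %s\n", demo_normal_model());

    /* Re-exec with an empty argv, the way the real exploit launches pkexec. */
    char *empty_argv[] = { NULL };
    char *child_env[] = { "pwnkit", "PATH=GCONV_PATH=.", "PWNKIT_DEMO_CHILD=1", NULL };
    execve("/proc/self/exe", empty_argv, child_env);
    perror("execve");   /* only reached if the exec itself failed */
    return 1;
}
```

On a kernel older than 5.18 the child line shows argc=0, argv[0]=NULL and argv[1] equal to environ[0] ("pwnkit"); on 5.18 and later it shows argc=1 and argv[0]="" instead, which is why the kernel change alone closes the empty-argv path even for unpatched setuid binaries.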

GCONV resources

https://www.gnu.org/software/libc/manual/html_node/glibc-iconv-Implementation.html#:~:text=for%20all%20conversions.-,gconv,use%20of%20the%20conversion%20functions.

https://hugeh0ge.github.io/2019/11/04/Getting-Arbitrary-Code-Execution-from-fopen-s-2nd-Argument/

PwnFunction

EXPLANATION VIDEO: https://youtu.be/eTcVLqKpZJc

TO DO

Port the exploit to Rust

Write an explanation of the exploit

About

pwnkit
