Yesterday, a serious new issue in Polkit on Linux was published. It turns out that even with very simple means, you can elevate your user rights in Linux from normal user to root (aka the old grumpy superuser above them all).
I decided to make a PoC (Proof of Concept) exploit implementation for this as the author of the published description did not share theirs.
So the main issue is that if you run /usr/bin/pkexec with a null argv, you bypass some checks in the code, which eventually leads to it using environment variables as input. Seems simple enough (and it is! – just read the linked text above).
Anyway, I decided to make the PoC in Python as I do not use that enough in my work.
Unfortunately, Python 3 has already implemented a fix such that it can’t call os.execve() with a null argv (in Python’s case, an empty list “[]”). I decided that I could just write a very small snippet of C code to make the call and thereby get around it. The code can simply be dumped from my PoC to a file and compiled with gcc as part of the run.
I needed to write some C code anyway, as part of the hack is to use gconv (glibc’s charset conversion machinery) to execute the actual payload. This is done by tricking it into thinking the gconv-modules file lives in a local directory, rigged with an entry saying that it should load our code when the CHARSET environment variable is set to something special (in my case PKWNER – as in PK pwn’er).
Putting it all together, I got a nice, well-functioning Python 3 script. I even added cleanup, so that it removes all the temporary files and all related lines from /var/log/auth.log.
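From the defender’s side, the two things worth checking after reading this are whether pkexec on a host still carries the setuid bit (the common stopgap is to remove it) and whether auth.log shows pkexec complaining about its environment, which is what it does when the argv/environment trick is attempted. The following is an added example, not code from the post or the pkwner repo; the auth.log lines are constructed samples and the exact wording of the pkexec messages is assumed from pkexec’s own environment-validation errors.

```python
import os
import re
import stat

# Constructed sample log lines (not taken from the original post). The pkexec
# message wording is assumed; adjust the SUSPICIOUS markers to your distro.
SAMPLE_AUTH_LOG = """\
Jan 26 10:01:02 host sshd[1000]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Jan 26 10:02:10 host pkexec[1234]: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=/dev/pts/0] [CWD=/tmp]
Jan 26 10:02:10 host pkexec[1234]: The value for environment variable XAUTHORITY contains suscipious content [USER=root] [TTY=/dev/pts/0] [CWD=/tmp]
Jan 26 10:03:00 host pkexec[1300]: alice: Executing command [USER=root] [TTY=/dev/pts/1] [CWD=/home/alice] [COMMAND=/usr/bin/apt update]
"""

PKEXEC_LINE = re.compile(r"\bpkexec\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Substrings that only show up when pkexec rejects or sanitises its environment.
SUSPICIOUS = ("contains suscipious content", "was not found the /etc/shells file")


def suspicious_pkexec_events(log_text):
    """Return (pid, message) for every pkexec line that matches a SUSPICIOUS marker."""
    hits = []
    for line in log_text.splitlines():
        m = PKEXEC_LINE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        if any(marker in msg for marker in SUSPICIOUS):
            hits.append((int(m.group("pid")), msg))
    return hits


def classify_pkexec(st_mode, st_uid):
    """Classify a pkexec binary from its stat() mode and owner uid."""
    if not st_mode & stat.S_ISUID:
        return "not-setuid"          # stopgap mitigation applied (or never setuid)
    return "setuid-root" if st_uid == 0 else "setuid-nonroot"


def audit_pkexec(path="/usr/bin/pkexec"):
    """Stat the real binary; 'absent' if pkexec is not installed."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "absent"
    return classify_pkexec(st.st_mode, st.st_uid)


if __name__ == "__main__":
    print("pkexec:", audit_pkexec())
    for pid, msg in suspicious_pkexec_events(SAMPLE_AUTH_LOG):
        print(f"pkexec[{pid}] suspicious: {msg}")
```

Since the PoC described here scrubs its own lines from /var/log/auth.log, run the log check against copies forwarded to a remote collector rather than the local file.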
It was even made so that it can be fetched directly from a web server and executed in one command.
It looks like this (pulled directly from my GitHub repo, where the code is available):
Someone asked if the same could be done in bash, and YES it can! I made a similar script in bash, and it works just as well:
I am quite happy with the result. You can find, fork and share my code from here: https://github.com/kimusan/pkwner
Enjoy.