Linux local privilege escalation using authentication bypass vulnerability in polkit CVE-2021-3560

33,300 views

GitHub

3 years ago

Kevin Backhouse walks through a vulnerability in polkit, a widely used system service, here in Ubuntu 20.04, but also used in other distributions such as Fedora and RHEL 8. Using a combination of dbus-send, sleep, and kill, Kevin gets a root shell.
For an in-depth discussion of this vulnerability:
github.blog/2021-06-10-privil...

Comments: 29
@AnkitGaur9 3 years ago
Good find, well demonstrated!!
@removeheaven1550 3 years ago
I am invincible! Boris™
@Basieeee 3 years ago
Very well explained, thanks man
@rovrest1838 3 years ago
It comes at the right time
@s1lv3rh4wk 3 years ago
Nice work.
@conceptrat 3 years ago
Nice work 007 errrr Kevin 😛
@uksuperrascal 2 years ago
Hi, just got my first polkit when trying to use balena etcher writing an OS to an SD - I am using Ubuntu Studio 18.04.6 LTS - any help would be great.
@maxberlyan6782 2 years ago
very nice!!!
@thomasstaats3146 2 years ago
Does anyone know if this is patched? I'm using a VPS with Ubuntu 20.04, kernel 5.4, and wrote a script to run it over and over with varying wait times before killing
@ayylmao1558 2 years ago
Thank you Mr GitHub, very noice
@hex2344 2 years ago
Hi. What is that string "GoldenEye" there?
@ko-Daegu 2 years ago
In a clean Debian installation, why do I get: The name org.freedesktop.Accounts was not provided by any .service files
@priyanshukumarpu 3 years ago
Neat
@randomguy3784 2 years ago
This also works with CentOS 8 with polkit version 0.115
@DanSalazarish 3 years ago
Magic
@ZainAli-uq3fj 2 years ago
Is it patched as of Nov 2021?
@bossscast 3 years ago
Great demonstration. How do I fix it?
@huebs 3 years ago
Oops
@Tudumanu 3 years ago
wow
@Canadian789119 3 years ago
Hey, question. I can't get it to work. If I don't have sudo, or any GUI password auth, can I expect it to work? I also don't have any .service files so the GitHub exploit doesn't work either. BAH! I'M INVINCIBLE! The amount of times people downvote me on something like Reddit for calling sudo bloatware.. :)
@JohnHollowell 3 years ago
So GitHub can post videos of fully functioning exploitable code, but anyone else can't put similar code on GitHub's platform? I think you need to follow your own rules
@CristianTraina 3 years ago
I think that's because you can ask a victim to download the code from GitHub and run it, while having the code in a video is way safer
@chiragartani 3 years ago
Hi, thank you very much! Is it possible to auth bypass on any Linux machine, because I know a web server which is not allowing me to run any remote code, for example: git clone, sudo apt install xyz? Now when I try to change the password it throws me at a denied line; I can't even change user or create a user on that machine. Let me try your PoC on that machine. Will update here. Update: Not working, tried 17 times. Machine version is vulnerable to the exploit. Whenever I try to run it, it says enter password.
@ColinRubbert 3 years ago
In the supporting documentation it indicates that it requires gnome-control-center and accountsservice, which implies if it's a GUI w/GNOME it's very likely exploitable; anything w/o a GUI or non-GNOME environment is very unlikely to be exploitable. Most web servers and servers in general online don't have GUIs natively installed. That being said, if you could potentially install these two dependencies w/o root privs you could maybe exploit it.
@chiragartani 3 years ago
@ColinRubbert Thank you 🙏, I got it.
@sothoncyber8377 3 years ago
seriously
@_NguyenVanDien 1 year ago
WTF
@nacnud_ 3 years ago
Yikes
@igorgiuseppe1862 3 years ago
Quite ironic video to post, coming from GitHub, who was recently purchased by Microsoft