
Offensive-S3c: Pwnkit (CVE-2021-4034) - THM Walkthrough

Updated: Dec 28, 2023



Introduction


In this TryHackMe room walkthrough post, I am going to be reviewing the "Pwnkit (CVE-2021-4034)" room. I will be covering CVE-2021-4034, a vulnerability found in polkit’s pkexec program that was originally discovered by the Qualys Research Team. I will discuss what pkexec is. I will also go over what pkexec is used for. Additionally, I will review the vulnerability associated with CVE-2021-4034. Finally, I'll document how an attacker can exploit pkexec to escalate privileges. If you're interested in cybersecurity, please regularly check back on Cyb3r-S3c and check out my YouTube channel, Cyb3r_0verWatch for more informative content.




Overview


The polkit vulnerability was originally discovered in November 2021 by Qualys security researchers. It was not until January 25, 2022 that the Qualys Research Team publicly released an advisory on the memory corruption vulnerability they had discovered in polkit's pkexec program. pkexec is a widely used SUID-root program found in default installations of major Linux distributions, including RHEL/CentOS, Ubuntu, and Debian. If successfully exploited, this vulnerability grants local users with limited privileges the ability to elevate their access to full root privileges. At the time, this security flaw posed a significant threat because of its ease of exploitation, particularly in the program's default configuration.



Polkit Pkexec: Brief Overview


Polkit, previously known as PolicyKit, serves as a crucial component for managing system-wide privileges in Unix-based operating systems. The polkit package plays a critical role in establishing policies and facilitating communication between unprivileged processes and privileged processes in Linux systems. One of the essential tools provided by polkit is "pkexec," which enables users to execute commands on behalf of other users based on the defined polkit policies, utilizing the setuid feature.



What Is Pwnkit?


This vulnerability is what is called a local privilege escalation (LPE) vulnerability: when successfully exploited, it enables any unprivileged local user to acquire root privileges on the compromised host. Through their research, the Qualys Security Research Team was able to craft an exploit targeting the vulnerability. Qualys researchers examined the vulnerability and were able to substantiate that, when exploited, it provides complete root access on tested default installations of Ubuntu, Debian, Fedora, and CentOS. Based on their research, they advised that it was highly probable that other Linux distributions were similarly susceptible to this vulnerability. Although it should perhaps not be a surprise, this vulnerability had remained undetected for over 12 years prior to the Qualys Security Research Team's discovery, affecting all versions of pkexec since its initial release in May 2009.



Walkthrough:


1. After updating Kali, I verified I was connected to the THM network by going to the TryHackMe Access page, which showed that I was connected.


===================================================================

2. Reviewing Task 1, it provides a brief overview of the vulnerability and room. I just need to deploy the vulnerable host.


===================================================================

3. In task 2, THM provides a great overview of Qualys's research and polkit.

There is a great overview of the vulnerability as well.


===================================================================

4. In task 3, I downloaded the exploit code, which is written in C, from the GitHub repository mentioned in this task.

I used wget as shown in the image above to download the exploit code from the GitHub repository. The exploit code was downloaded to the Downloads folder.

Once downloaded, I needed to compile the code before this exploit could be usable.


===================================================================

5. In order to compile the code I ran "gcc <exploit code> -o <file name>". The -o option lets me save the compiled binary under any name I choose. In this case I just chose "exploit" for this walkthrough.

With the exploit code compiled it is ready to use.


===================================================================


6. I connected via SSH to the vulnerable host using the following command shown in the screenshot above.

I authenticated with the credentials “tryhackme” “TryHackMe123!” provided in Task 3.


===================================================================

7. In order to exploit the vulnerable host I will need to upload the exploit. I had already compiled my exploit, so to make things easier I started my HTTP server from the directory the exploit is stored in, using the command shown in the image above.


===================================================================

8. Since I had authenticated to the vulnerable host, I used wget as shown in the image above to download the compiled exploit. After running wget you can see that the file was downloaded successfully.

On Kali you can see that the HTTP server picked up the request.


===================================================================

9. I can see that the exploit is in the /tmp folder of the vulnerable host.



When I execute the exploit using “./exploit” I get the "#" prompt, indicating that I am now root. Running the "whoami" command simply verifies that I am now root.


===================================================================

10. Now that I am root, I navigated to the /root directory to read the flag.txt file in order to get the THM root flag for the room.


===================================================================


11. Now that I had finished exploiting the vulnerable host, I was able to complete the tasks. In task 3, THM asks you to read through the Qualys advisory and the Pwnkit proof of concept to understand how it works.


In general terms, the exploit takes advantage of a vulnerability in polkit's pkexec program, which is a SUID-root program. The vulnerability lies in the main() function of pkexec. When it processes its command-line arguments, if the number of arguments (argc) is 0 (an empty argument list), argv[0] is NULL and the program reads argv[1], which is out of bounds: it is actually envp[0], the first environment variable. This out-of-bounds read and write lets an attacker reintroduce an "unsecure" environment variable (e.g., LD_PRELOAD) into pkexec's environment; such variables are normally removed from the environment of SUID programs for security reasons. The attacker can manipulate the environment variable CHARSET and set the environment variable GCONV_PATH. CHARSET is not security-sensitive, while GCONV_PATH is an "unsecure" variable that causes arbitrary libraries to be loaded. The vulnerability therefore lets the attacker execute their own shared library as the root user by way of iconv_open(), a function called by g_printerr() in the GLib library used by pkexec. By specifying a custom library path, the attacker gains arbitrary code execution as root.


===================================================================

In task 4 you just need to run apt update and apt upgrade, as shown in the task, to remediate the vulnerability by patching it. For distributions that do not yet have patches available, you would instead remove the SUID bit with the following command: "sudo chmod 0755 `which pkexec`".
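As an added defender-side helper that is not part of the THM room or the Qualys proof of concept, the POSIX shell snippet below audits whether pkexec is still setuid-root, applies the same SUID-stripping mitigation described above, and greps a log file for the error lines pkexec writes when it rejects a SHELL value or a suspicious environment variable (the trace the Qualys advisory notes an exploitation attempt may leave; the advisory also notes the bug can be exploited without leaving one, so a clean log is not proof of absence). The function names and the sample log line are my own constructions; the fallback path /usr/bin/pkexec is an assumption.

```shell
#!/bin/sh
# Added audit helper for the Pwnkit remediation step (not from the THM room
# or the Qualys PoC). Function names and sample log lines are constructed.

# Succeeds (exit 0) when FILE exists and carries the setuid bit.
is_setuid() {
    [ -u "$1" ]
}

# Mitigation from the walkthrough for hosts that cannot be patched yet:
# clear the SUID bit so pkexec can no longer run anything as root.
strip_suid() {
    chmod 0755 "$1"
}

# Prints matching lines and exits 0 when LOGFILE contains one of the two
# messages pkexec logs when it rejects the SHELL value or an environment
# variable with suspicious content (matched loosely on their leading words
# so minor wording differences between polkit versions still match).
find_pkexec_traces() {
    grep -Ei 'pkexec.*The value for (the SHELL variable|environment variable)' "$1"
}

# Report on the pkexec binary installed on this host. The fallback path is
# an assumption for hosts where pkexec is not on PATH.
audit_pkexec() {
    bin=$(command -v pkexec 2>/dev/null || echo /usr/bin/pkexec)
    if is_setuid "$bin"; then
        echo "WARNING: $bin is setuid-root; confirm polkit is patched or run: strip_suid $bin"
        return 1
    fi
    echo "OK: $bin is not setuid (or is absent)"
}

# Example usage on a constructed auth log excerpt:
# cat > /tmp/auth.sample <<'EOF'
# Jan 26 10:00:01 host pkexec[1234]: tryhackme: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=/dev/pts/0] [CWD=/tmp] [COMMAND=/usr/bin/id]
# EOF
# find_pkexec_traces /tmp/auth.sample && echo "possible Pwnkit attempt logged"
# audit_pkexec
```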


===================================================================

Task 5 provides brief outro and the room is complete.



CONCLUSION


As can be seen from the walkthrough, I was able to exploit a vulnerability that gave me root privileges fairly easily. In conclusion, in this post I provided a walkthrough of the TryHackMe Pwnkit (CVE-2021-4034) room, focusing on the vulnerability discovered in polkit's pkexec program. I discussed the functionality of polkit and its pkexec tool, highlighting their role in managing system-wide privileges in Unix-based operating systems. Because it affected major Linux distributions such as RHEL/CentOS, Ubuntu, and Debian, it was a widespread concern at the time, owing to its ease of exploitation, particularly in the program's default configuration.


Considering the wide-ranging attack surface across Unix-based operating systems, it is crucial that users follow security best practices, including applying patches for these types of vulnerabilities as soon as they are made available.

Thank you for reading this walkthrough of the Pwnkit TryHackMe room. If you find this content informative and you are interested in cybersecurity, please regularly check back on the Cyb3r-S3c website. For more free content, please like and subscribe to the Cyb3r-0verwatch channel. Until next time, keep learning; the only way to improve is to keep learning.



/Signing Off

Pragmat1c On3
