Polkit
PolicyKit (polkit) is an authorization service on Linux-based operating systems that allows user software and system components to communicate with each other if the user software is authorized to do so. To check whether the user software is authorized for this instruction, polkit is asked.
Polkit works with two groups of files.
- actions/policies (
/usr/share/polkit-1/actions) - rules (
/usr/share/polkit-1/rules.d)
Polkit also has local authority rules which can be used to set or remove additional permissions for users and groups. Custom rules can be placed in the directory /etc/polkit-1/localauthority/50-local.d with the file extension .pkla.
PolKit also comes with three additional programs:
pkexec- runs a program with the rights of another user or with root rightspkaction- can be used to display actionspkcheck- this can be used to check if a process is authorized for a specific action
The most interesting tool for us, in this case, is pkexec because it performs the same task as sudo and can run a program with the rights of another user or root.
CVE-2021-4034: Pwnkit
To exploit this vulnerability, we need to download a PoC (https://github.com/arthepsy/CVE-2021-4034) and compile it on the target system itself or a copy we have made.
Move the poc file to the target machine and execute it to escalate privileges.
Sometimes you may run into the following error:
That means your compiled CVE-2021-4034 (Polkit pkexec) PoC binary was built on a system with GLIBC 2.34, but your target system has an older GLIBC version (probably 2.31 or lower, common on Ubuntu 20.04).
You can run from your kali a docker image to compile again the poc.
After that, from your kali, copy the generated poc:
Then transfer it to your victim: