berdav / CVE-2021-4034

CVE-2021-4034 1day
MIT License

need a bit more info #3

Closed hetzbh closed 2 years ago

hetzbh commented 2 years ago

Nice code, but IMHO you should show maybe a screenshot what happens if the hole is still there and what's happening when the hole is patched.

berdav commented 2 years ago

Thank you!

I've added an example to the Readme with the shell and the output when patched.

hetzbh commented 2 years ago

Yeah, I just checked it on Fedora 34 (Raspberry Pi) and Rocky Linux 8.5. Both don't have updated polkit packages installed. In both cases there is a message in the journal, but no root.

```console
]$ ./cve-2021-4034
GLib: Cannot convert message: Could not open converter from “UTF-8” to “PWNKIT”
The value for the SHELL variable was not found the /etc/shells file

This incident has been reported.
[hetz@containers CVE-2021-4034]$ rpm -qi polkit
Name        : polkit
Version     : 0.117
Release     : 3.fc34.1
Architecture: aarch64
Install Date: Mon 14 Jun 2021 06:41:47 PM IDT
Group       : Unspecified
Size        : 662769
License     : LGPLv2+
Signature   : RSA/SHA256, Thu 03 Jun 2021 03:44:20 PM IDT, Key ID 1161ae6945719a39
Source RPM  : polkit-0.117-3.fc34.1.src.rpm
Build Date  : Thu 03 Jun 2021 03:28:08 PM IDT
Build Host  : buildvm-a64-32.iad2.fedoraproject.org
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : http://www.freedesktop.org/wiki/Software/polkit
Bug URL     : https://bugz.fedoraproject.org/polkit
Summary     : An authorization framework
Description :
polkit is a toolkit for defining and handling authorizations.  It is
used for allowing unprivileged processes to speak to privileged
processes.
```
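The two messages in that output (pkexec rejecting a SHELL that is not listed in /etc/shells, and GLib failing to open a converter for a made-up charset) are what a defender would look for in the journal on a host where the hole was already closed. The following is an added detection example, not code from this repository or from polkit: it runs over a few constructed journal lines and groups the indicators per pkexec pid. The `[USER=...] [TTY=...] [CWD=...] [COMMAND=...]` fields, and the idea that the injected `GCONV_PATH=` assignment is echoed back in the COMMAND field, are assumptions about pkexec's syslog format, not something this thread shows.

```python
"""Flag journal lines that match the pkexec messages quoted in the thread.

Constructed example: the sample lines below are made up for this snippet.
Only the two message texts (the SHELL-not-in-/etc/shells rejection and the
GLib converter error) come from the output quoted in the issue; the
"[USER=...] [COMMAND=...]" fields are an assumption about pkexec's
syslog format.
"""
import re
from collections import OrderedDict

# Constructed journal sample: one PwnKit-style attempt (pid 4123, two lines),
# one legitimate pkexec run (pid 4201) and one unrelated sshd line.
SAMPLE_JOURNAL = """\
Jan 26 10:00:01 containers pkexec[4123]: hetz: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=/dev/pts/0] [CWD=/home/hetz/CVE-2021-4034] [COMMAND=GCONV_PATH=./.pkexec]
Jan 26 10:00:01 containers pkexec[4123]: GLib: Cannot convert message: Could not open converter from “UTF-8” to “PWNKIT”
Jan 26 10:05:12 containers pkexec[4201]: hetz: Executing command [USER=root] [TTY=/dev/pts/0] [CWD=/home/hetz] [COMMAND=/usr/bin/systemctl restart sshd]
Jan 26 10:06:00 containers sshd[4300]: Accepted publickey for hetz from 10.0.0.5 port 50000 ssh2
""".splitlines()

# Assumed line shape: "<ts> <host> <ident>[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<ident>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
SHELL_MSG = "The value for the SHELL variable was not found the /etc/shells file"
# GLib prints typographic quotes; accept straight ones too in case the log was re-encoded.
CONVERTER_RE = re.compile(
    r'Could not open converter from [“"]UTF-8[”"] to [“"](?P<charset>[^”"]*)[”"]'
)
FIELD_RE = re.compile(r"\[(?P<key>[A-Z]+)=(?P<val>[^\]]*)\]")


def parse_line(line):
    """Split one journal line into its fields, or return None if it does not fit."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def pkexec_indicators(msg):
    """Return the reasons a single pkexec message looks like a PwnKit attempt."""
    reasons = []
    if SHELL_MSG in msg:
        reasons.append("shell-not-in-/etc/shells")
    m = CONVERTER_RE.search(msg)
    if m:
        reasons.append("bogus-charset:" + m.group("charset"))
    fields = dict(FIELD_RE.findall(msg))
    # Assumption: a legitimate invocation logs a program path in COMMAND,
    # so a COMMAND that is an environment assignment is the injected envp[0].
    cmd = fields.get("COMMAND", "")
    if cmd and not cmd.startswith("/") and "=" in cmd.split(" ", 1)[0]:
        reasons.append("command-is-env-assignment:" + cmd)
    return reasons


def find_pwnkit_attempts(lines):
    """Group indicators per (host, pid) so both lines of one pkexec run land together."""
    hits = OrderedDict()
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["ident"] != "pkexec":
            continue
        reasons = pkexec_indicators(rec["msg"])
        if not reasons:
            continue
        key = (rec["host"], rec["pid"])
        hits.setdefault(key, {"ts": rec["ts"], "reasons": []})["reasons"].extend(reasons)
    return hits


if __name__ == "__main__":
    for (host, pid), info in find_pwnkit_attempts(SAMPLE_JOURNAL).items():
        print(f"{info['ts']} {host} pkexec[{pid}]: {', '.join(info['reasons'])}")
```

The bogus-charset check is the more robust of the two message checks: the SHELL rejection also fires on a misconfigured but honest user, whereas a converter target like “PWNKIT” only appears when CHARSET was set to something glibc has no module for, which is exactly what this class of exploit relies on.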

chron0 commented 2 years ago

Same on gentoo...

kenshin33 commented 2 years ago

Sorry for the necromancy: I had almost the same code, it worked fine on Debian but not on Gentoo. I traced it to the fact that getenv("GCONV_PATH") returns NULL in spite of environ[0] == "GCONV_PATH=./asdasd" (the *ep pointer in glibc's getenv.c points to the value set by execve in spite of the fact that at the start of the loop ep is set to environ, or at least my limited knowledge of gdb yielded that).

The fix I stole from here: setting GIO_USE_VFS= before execve-ing pkexec. Why?!?!

berdav commented 2 years ago

Hi, as detailed in #15 the new polkit versions set the GIO_USE_VFS global variable to the value local.

This value will break the loading of a library from a custom location, such as the one used in the exploit.

Sources: https://docs.gtk.org/gio/overview.html

https://bugs.freedesktop.org/show_bug.cgi?id=95487