Closed condesings closed 2 years ago
GLib: Cannot convert message: Could not open converter from “UTF-8” to “PWNKIT” The value for the SHELL variable was not found the /etc/shells file
This incident has been reported.
./cve-2021-4034-poc
sh: 1: gcc: not found
GLib: Cannot convert message: Could not open converter from 'UTF-8' to 'PWNKIT'
The value for the SHELL variable was not found the /etc/shells file
Polkit (pkexec --version) pkexec version 0.105
KERNEL (uname -a) Linux new-server1 4.4.0-210-generic #242-Ubuntu SMP Fri Apr 16 09:57:56 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
If I change line #11 of cve-2021-4034.c to
"SHELL=/bin/bash"
the error message above is not coming up. Instead I get
=== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `GCONV_PATH=./pwnkit.so:.' as the super user
Authenticating as: root
Password:
My system:
$ uname -a
Linux server 3.10.0-1160.42.2.el7.x86_64 #1 SMP Tue Aug 31 20:15:00 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.9 (Maipo)
$ rpm -q --whatprovides /bin/pkexec
polkit-0.112-26.el7.x86_64
This exploitation technique doesn't use a valid shell. Why would you assign a valid shell when executing the vulnerable pkexec.
Important: this exploitation technique leaves traces in the logs (either "The value for the SHELL variable was not found the /etc/shells file" or "The value for environment variable [...] contains suscipious content"). However, please note that this vulnerability is also exploitable without leaving any traces in the logs, but this is left as an exercise for the interested reader.
https://qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt Read also execve().
As @owl4ce said, the trick is to trigger an error print to hijack it.
If you set the variable to a valid shell the exploit will not work.
@instagmag you need to install the compiler (on Debian / Ubuntu: sudo apt install gcc)
sorry, my fault. Now it's working.
So I'll close this issue; if the problem re-arises I will re-open it.
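For defenders reading this thread: the two log messages named in the advisory text quoted above can be searched for directly. The following is an added example, not code from the issue or from the PoC project; the syslog line layout, the `find_pkexec_traces` name and the sample log lines are assumptions constructed for illustration.

```python
import re

# Messages quoted in the advisory text above, spelled as they appear there.
# The second pattern also accepts the corrected spelling "suspicious"
# (an assumption, in case a build logs it that way).
PKEXEC_TRACES = {
    "shell_not_in_etc_shells": re.compile(
        r"The value for the SHELL variable was not found the /etc/shells file"),
    "suspicious_env_value": re.compile(
        r"The value for environment variable (?P<var>\S+) contains "
        r"(?:suscipious|suspicious) content"),
}

# Assumed syslog layout: "<Mon DD HH:MM:SS> <host> pkexec[<pid>]: <message>"
SYSLOG_PKEXEC = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"pkexec(?:\[(?P<pid>\d+)\])?:\s(?P<msg>.*)$")

# Constructed sample lines (not taken from any real system).
SAMPLE_LOG = [
    "Jan 26 09:14:02 host1 sshd[811]: Accepted publickey for alice "
    "from 192.0.2.10 port 50122 ssh2",
    "Jan 26 09:15:40 host1 pkexec[2290]: alice: The value for the SHELL "
    "variable was not found the /etc/shells file [USER=root] [CWD=/tmp/x]",
    "Jan 26 09:16:05 host1 pkexec[2301]: alice: The value for environment "
    "variable XAUTHORITY contains suscipious content [USER=root]",
    "Jan 26 09:20:11 host1 pkexec[2410]: alice: Executing command "
    "[USER=root] [CWD=/home/alice] [COMMAND=/usr/bin/apt update]",
]

def find_pkexec_traces(lines):
    """Return one dict per pkexec log record that carries a known trace."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        m = SYSLOG_PKEXEC.match(line.rstrip("\n"))
        if not m:
            continue  # not a pkexec record, ignore even if the text matches
        for name, pattern in PKEXEC_TRACES.items():
            t = pattern.search(m["msg"])
            if t:
                hits.append({"line": lineno, "time": m["ts"],
                             "host": m["host"], "pid": m["pid"], "trace": name,
                             "variable": t.groupdict().get("var")})
    return hits

if __name__ == "__main__":
    print(*find_pkexec_traces(SAMPLE_LOG), sep="\n")
```

As the quoted advisory notes, the vulnerability is also exploitable without leaving these traces, so an empty result does not show that a host was not targeted.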