berdav / CVE-2021-4034

CVE-2021-4034 1day
MIT License

The value for the SHELL variable was not found the /etc/shells file #9

Closed condesings closed 2 years ago

condesings commented 2 years ago

GLib: Cannot convert message: Could not open converter from “UTF-8” to “PWNKIT” The value for the SHELL variable was not found the /etc/shells file

This incident has been reported.

instagmag commented 2 years ago

GLib: Cannot convert message: Could not open converter from “UTF-8” to “PWNKIT” The value for the SHELL variable was not found the /etc/shells file

This incident has been reported.

./cve-2021-4034-poc
sh: 1: gcc: not found
GLib: Cannot convert message: Could not open converter from 'UTF-8' to 'PWNKIT'
The value for the SHELL variable was not found the /etc/shells file

Polkit (pkexec --version)
pkexec version 0.105

KERNEL (uname -a)
Linux new-server1 4.4.0-210-generic #242-Ubuntu SMP Fri Apr 16 09:57:56 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

jrselzer commented 2 years ago

If I change line #11 of cve-2021-4034.c to "SHELL=/bin/bash" the error message above is not coming up. Instead I get

=== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `GCONV_PATH=./pwnkit.so:.' as the super user
Authenticating as: root
Password:

My system:

$ uname -a
Linux server 3.10.0-1160.42.2.el7.x86_64 #1 SMP Tue Aug 31 20:15:00 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.9 (Maipo)
$ rpm -q --whatprovides /bin/pkexec
polkit-0.112-26.el7.x86_64

owl4ce commented 2 years ago

This exploitation technique doesn't use a valid shell. Why would you assign a valid shell when executing the vulnerable pkexec?

Important: this exploitation technique leaves traces in the logs (either
"The value for the SHELL variable was not found the /etc/shells file" or
"The value for environment variable [...] contains suscipious content").
However, please note that this vulnerability is also exploitable without
leaving any traces in the logs, but this is left as an exercise for the
interested reader.

https://qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt Read also execve().

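The advisory excerpt quoted above says this technique leaves one of two pkexec messages in the logs. The following Python is an added example for the defender's side, not code from this repository or from the Qualys advisory: it scans syslog-style auth log lines (the `Mon DD HH:MM:SS host pkexec[pid]: message` layout is assumed) for exactly those two message texts and reports which rule fired, the host, the pid, and the offending variable name where the message carries one. The sample lines, host names and the variable name `EXAMPLE_VAR` are constructed for the demonstration.

```python
"""Find the pkexec log messages named in the Qualys CVE-2021-4034 advisory.

Added example; assumes syslog-style lines as written by pkexec via syslog.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Leading syslog fields assumed here: "Mon DD HH:MM:SS host pkexec[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) pkexec\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# The two messages quoted from the advisory. The second names the variable;
# the advisory shows that name as "[...]", so both bracketed and bare forms match.
# "suscipious" is the spelling pkexec actually emits, so it is matched verbatim.
SHELL_RE = re.compile(r"The value for the SHELL variable was not found the /etc/shells file")
ENV_RE = re.compile(
    r"The value for environment variable \[?(?P<var>[^\]\s]+)\]? contains suscipious content"
)


@dataclass
class PkexecTrace:
    lineno: int
    host: str
    pid: int
    rule: str                 # "shell-not-in-etc-shells" or "suspicious-env-value"
    variable: Optional[str]   # set only for the second rule


def find_pkexec_traces(lines: Iterable[str]) -> List[PkexecTrace]:
    """Return one record per log line that carries either pkexec trace message."""
    hits: List[PkexecTrace] = []
    for lineno, line in enumerate(lines, start=1):
        m = SYSLOG_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not a pkexec line in the assumed layout
        msg = m["msg"]
        if SHELL_RE.search(msg):
            hits.append(PkexecTrace(lineno, m["host"], int(m["pid"]),
                                    "shell-not-in-etc-shells", None))
            continue
        e = ENV_RE.search(msg)
        if e:
            hits.append(PkexecTrace(lineno, m["host"], int(m["pid"]),
                                    "suspicious-env-value", e["var"]))
    return hits


# Constructed sample input (not from a real system): an unrelated sshd line,
# a benign-looking pkexec line, and one line for each trace message.
SAMPLE_LOG = """\
Jan 26 10:00:01 host1 sshd[900]: Accepted publickey for alice from 10.0.0.5 port 50000 ssh2
Jan 26 10:00:05 host1 pkexec[1234]: alice: Executing command [USER=root] [TTY=/dev/pts/0] [CWD=/home/alice] [COMMAND=/usr/bin/id]
Jan 26 10:00:09 host1 pkexec[1240]: The value for the SHELL variable was not found the /etc/shells file
Jan 26 10:00:12 host1 pkexec[1241]: The value for environment variable [EXAMPLE_VAR] contains suscipious content
"""

if __name__ == "__main__":
    for t in find_pkexec_traces(SAMPLE_LOG.splitlines()):
        extra = f" variable={t.variable}" if t.variable else ""
        print(f"line {t.lineno}: {t.host} pkexec[{t.pid}] {t.rule}{extra}")
```

Run it against a real `/var/log/auth.log` or `/var/log/secure` with `find_pkexec_traces(open(path))`; a hit is worth correlating with the pid and user on the surrounding pkexec lines. Absence of a hit is not proof of absence, since the same advisory notes the bug can be exploited without leaving these messages.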
berdav commented 2 years ago

As @owl4ce said, the trick is to trigger an error print to hijack it.

If you set the variable to a valid shell the exploit will not work.

@instagmag you need to install the compiler (on debian / ubuntu: sudo apt install gcc)

jrselzer commented 2 years ago

Sorry, my fault. Now it's working.

berdav commented 2 years ago

So I'll close this issue; if the problem re-arises, I will re-open it.