peass-ng / PEASS-ng

PEASS - Privilege Escalation Awesome Scripts SUITE (with colors)
https://book.hacktricks.xyz

Does linpeas still detect CVE-2021-3560? #339

Open LevitatingBusinessMan opened 1 year ago

LevitatingBusinessMan commented 1 year ago

I was doing the HackTheBox box "Paper", which uses the polkit CVE-2021-3560 for privilege escalation.

In the walkthrough for this box, linpeas suggests the CVE in the CVEs Check section in red on a yellow background. But on the latest release of linpeas the CVE is not even suggested.

LevitatingBusinessMan commented 1 year ago

I just saw it falsely detect it on another box (investigation).

jordytello commented 1 year ago

Can confirm the same is occurring in my case as well while working on Paper. I see this has already been reported at least twice (https://github.com/carlospolop/PEASS-ng/issues/332 and https://github.com/carlospolop/PEASS-ng/issues/269)?

Trying to see what may be behind this.

jordytello commented 1 year ago

If you run this command,

yum list installed | grep polkit

Then Polkit does not even appear to show up as an installed package if I understand this correctly (it's a CentOS server).

Welcome any correction to my understanding; thanks! The suggestion in #332 does appear to work though (at least the raw command appears to meet the condition).

LevitatingBusinessMan commented 1 year ago

Ah, sorry for the duplicate. These issues should probably be merged.

The walkthrough of paper says that it should detect it, so something must've changed. Diving into the commits changing that code might give some clarity. Might do that later.

carlospolop commented 1 year ago

hi guys! did you figure this out?

LevitatingBusinessMan commented 1 year ago

My only guess is that the changes in https://github.com/carlospolop/PEASS-ng/commit/999fcff broke the detection. I will investigate further.

LevitatingBusinessMan commented 1 year ago

So there are two issues with that commit that break detection on the Paper box. The first issue is that the polkit package is searched with yum instead of rpm.

yum list installed does not show any polkit packages on paper.

In this box the package was most likely manually installed with rpm which is why it doesn't show up in yum.

The new query also only searches for version 0.117-2. The CVE was patched in 0.119 so it's missing out on a lot of vulnerable versions.

It used to also check 0.115-6 which is installed on the box.

I am also not sure why it would search for those exact pkgrel versions.

I also think searching for packages via rpm should always be preferred.

There's currently also an entirely unused variable polkitVersion which gets the version from systemctl.
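The two points raised in the thread, querying rpm directly instead of `yum list installed` (jordytello's and LevitatingBusinessMan's comments above) and comparing against the vulnerable version range rather than one exact pkgrel string, can be put together in a small check. The script below is an added example and is not linpeas code or anything from the PEASS-ng repository. It assumes a POSIX shell, that polkit is packaged as `polkit` on RPM systems and `policykit-1` on Debian-derived ones, and uses the upstream range 0.113 through 0.118 (fixed in 0.119, as stated above; 0.113 is the release that introduced the bug). The function and variable names are the example's own.

```sh
#!/bin/sh
# Added example, not linpeas code: locate the installed polkit version with the
# package database (rpm before anything yum-based, as the thread recommends) and
# flag CVE-2021-3560 candidates by upstream version range instead of one pkgrel.

# Print the installed polkit version string, trying rpm, then dpkg, then the
# pkaction binary itself. Prints an empty line if nothing is found.
polkit_version() {
    v=""
    if command -v rpm >/dev/null 2>&1; then
        # rpm -q prints "package polkit is not installed" and exits 1 when absent
        v=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' polkit 2>/dev/null | head -n1) || v=""
    fi
    if [ -z "$v" ] && command -v dpkg-query >/dev/null 2>&1; then
        v=$(dpkg-query -W -f '${Version}\n' policykit-1 2>/dev/null | head -n1) || v=""
    fi
    if [ -z "$v" ] && command -v pkaction >/dev/null 2>&1; then
        # "pkaction version 0.115" -> "0.115"
        v=$(pkaction --version 2>/dev/null | awk '{print $NF}')
    fi
    printf '%s\n' "$v"
}

# Reduce a packaging version such as "0.115-6.el8" or "1:0.105-26ubuntu1.3"
# to the upstream "major.minor" part.
upstream_version() {
    v=${1%%-*}        # drop the package release ("-6.el8")
    v=${v#*:}         # drop a Debian epoch ("1:0.105" -> "0.105")
    printf '%s\n' "$v"
}

# Exit status 0 if the upstream version lies in 0.113..0.118 (the range
# CVE-2021-3560 covers), 1 if it is outside that range, 2 if unparsable.
cve_2021_3560_candidate() {
    uv=$(upstream_version "$1")
    case "$uv" in
        0.*) ;;                 # 0.x series
        [1-9]*) return 1 ;;     # polkit renumbered to 121+ after 0.120
        *) return 2 ;;
    esac
    minor=${uv#0.}
    minor=${minor%%.*}          # "0.115.1" -> "115"
    case "$minor" in
        ''|*[!0-9]*) return 2 ;;
    esac
    if [ "$minor" -ge 113 ] && [ "$minor" -le 118 ]; then
        return 0
    fi
    return 1
}

# Human-readable verdict for one version string.
report() {
    if cve_2021_3560_candidate "$1"; then
        echo "polkit $1: upstream version in the CVE-2021-3560 range; check for a backported fix (pkgrel) before trusting this"
    else
        echo "polkit $1: outside the CVE-2021-3560 range"
    fi
}

# Live check of this host; invoke with --live. Without the flag only the
# functions are defined, so the file can be sourced or tested offline.
if [ "${1:-}" = "--live" ]; then
    ver=$(polkit_version)
    if [ -z "$ver" ]; then
        echo "polkit: no package or binary found"
    else
        report "$ver"
    fi
fi
```

The range test is deliberately a candidate check, not a confirmation: distributions backport fixes without bumping the upstream version (a RHEL 0.115 build may or may not carry the fix depending on its release number), which is presumably why linpeas matched specific pkgrel strings in the first place. Treat a hit as "go confirm", for example by reading the package changelog with `rpm -q --changelog polkit`.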