rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

cve_2021_4034_pwnkit_lpe_pkexec: false positive CheckCode::Vulnerable #19590

Open bcoles opened 1 month ago

bcoles commented 1 month ago

CheckCode::Vulnerable is used in instances where a host is proven to be exploitable. However, the current check logic in cve_2021_4034_pwnkit_lpe_pkexec can only verify whether the system appears vulnerable, and should use CheckCode::Appears instead.

The check method logic is extremely aggressive (files and directories are created and deleted, and an executable file is uploaded and executed) as it uses the run_exploit method to determine if the host is vulnerable:

https://github.com/rapid7/metasploit-framework/blob/1a6cf9dfa77868e97953594b925ad1dedd376ad3/modules/exploits/linux/local/cve_2021_4034_pwnkit_lpe_pkexec.rb#L173-L178

After setting up the necessary conditions for exploitation, python is invoked and the resulting output is stored in the output variable:

https://github.com/rapid7/metasploit-framework/blob/1a6cf9dfa77868e97953594b925ad1dedd376ad3/modules/exploits/linux/local/cve_2021_4034_pwnkit_lpe_pkexec.rb#L249-L252

The check is considered successful (and thus the host is considered vulnerable) if the output does not contain "pkexec --version" (and is not blank):

https://github.com/rapid7/metasploit-framework/blob/1a6cf9dfa77868e97953594b925ad1dedd376ad3/modules/exploits/linux/local/cve_2021_4034_pwnkit_lpe_pkexec.rb#L259-L263

Although the original PoC apparently works on CentOS and is confirmed to work on Fedora, the module documentation suggests Fedora exhibits the same behaviour as a vulnerable host but is not vulnerable for unknown reasons:

https://github.com/rapid7/metasploit-framework/blob/1a6cf9dfa77868e97953594b925ad1dedd376ad3/documentation/modules/exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec.md#L65-L69

To work around this, the module bails if the host is Fedora:

https://github.com/rapid7/metasploit-framework/blob/1a6cf9dfa77868e97953594b925ad1dedd376ad3/modules/exploits/linux/local/cve_2021_4034_pwnkit_lpe_pkexec.rb#L167-L171

Additionally, the module documentation says RHEL is not tested but assumed to exhibit the same behaviour as Fedora:

https://github.com/rapid7/metasploit-framework/blob/1a6cf9dfa77868e97953594b925ad1dedd376ad3/documentation/modules/exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec.md#L132-L133

The module does not check if the system distro is RHEL. A quick test on RHEL9.0 shows the same behaviour as Fedora (exploitation fails, but check returns CheckCode::Vulnerable).

Thus, if a host is not detected as Fedora, but is not vulnerable due to the same unknown reason that Fedora is not vulnerable, then the host will be reported as CheckCode::Vulnerable. This is an oversight. The check method also does not account for other Linux distros in the Fedora family, including CentOS, Rocky Linux, Alma Linux, and RHEL, which may exhibit the same behaviour.

Without knowing the root cause of failure, the module should return CheckCode::Appears as the host is not proven to be exploitable.


For what it's worth, two different PoCs (https://github.com/PeterGottesman/pwnkit-exploit and https://github.com/arthepsy/CVE-2021-4034) and this exploit module all fail on an aarch64 host (despite check reporting CheckCode::Vulnerable):

$ make
gcc -o exploit exploit.c
make -C ./gconv BADCONV.so
make[1]: Entering directory '/home/user/pwnkit-exploit/gconv'
gcc -fPIC -shared badconv.c -o BADCONV.so
make[1]: Leaving directory '/home/user/pwnkit-exploit/gconv'
./exploit
Running exploit...
GLib: Cannot convert message: Could not open converter from “UTF-8” to “ZT”
The value for the SHELL variable was not found in the /etc/shells file

This incident has been reported.
make: *** [Makefile:12: run-exploit] Error 127
$ ./a.out 
GLib: Cannot convert message: Could not open converter from “UTF-8” to “PWNKIT”
The value for the SHELL variable was not found in the /etc/shells file

This incident has been reported.
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > run

[*] Started reverse TCP handler on 192.168.0.178:4444 
[!] AutoCheck is disabled, proceeding with exploitation
[*] Detected payload arch: aarch64
[*] Detected host architecture: aarch64
[*] Locating pkexec...
[*] Found pkexec here: /usr/bin/pkexec
[*] Creating directory /tmp/.rcuvolvmvb
[*] /tmp/.rcuvolvmvb created
[*] Writing '/tmp/.rcuvolvmvb/klywts/klywts.so' (628 bytes) ...
[!] Verify cleanup of /tmp/.rcuvolvmvb
[*] Running python3 /tmp/.rcuvolvmvb/.hmexrkwss /usr/bin/pkexec /tmp/.rcuvolvmvb/klywts/klywts.so klywts tazzgrryuyon
[*] GLib: Cannot convert message: Could not open converter from “UTF-8” to “tazzgrryuyon”
The value for the SHELL variable was not found in the /etc/shells file

This incident has been reported.
[*] Exploit completed, but no session was created.
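The following is an added example, not code from the metasploit-framework module or from the issue author, illustrating the classification the issue argues for: a run-it-and-see probe whose only evidence is the pkexec output can at most return "appears", never "vulnerable", and the Fedora-family detection is done from /etc/os-release ID and ID_LIKE rather than by matching the single distro name "Fedora". The method names (parse_os_release, fedora_family?, classify_pkexec_check), the CHECK_* symbols standing in for Msf::Exploit::CheckCode, and the sample os-release and probe output strings are all assumptions constructed for this example.

```ruby
# Added example, not the module's own code. CHECK_* symbols stand in for
# Msf::Exploit::CheckCode values; method names are chosen for this example.

CHECK_SAFE    = :safe     # output carries the "pkexec --version" marker the module looks for
CHECK_UNKNOWN = :unknown  # probe produced no output; nothing can be concluded
CHECK_APPEARS = :appears  # behaved like a vulnerable host, but exploitation is not proven

# Distro IDs that share Fedora's packaging lineage (RHEL, CentOS, Rocky, Alma).
FEDORA_FAMILY = %w[fedora rhel centos rocky almalinux].freeze

# Parse /etc/os-release style KEY=VALUE lines into a Hash, dropping surrounding quotes.
def parse_os_release(text)
  text.each_line.with_object({}) do |line, fields|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, sep, value = line.partition('=')
    next if sep.empty?
    fields[key] = value.gsub(/\A["']|["']\z/, '')
  end
end

# True when ID itself, or any entry in ID_LIKE, belongs to the Fedora family.
# This catches RHEL (ID=rhel, ID_LIKE="fedora") and Rocky/Alma
# (ID_LIKE="rhel centos fedora"), which a plain "is it Fedora?" test misses.
def fedora_family?(os_release)
  ids = [os_release['ID']] + os_release.fetch('ID_LIKE', '').split
  ids.compact.map(&:downcase).any? { |id| FEDORA_FAMILY.include?(id) }
end

# Classify the probe output. Returns [check_code, reason]. Note the absence of
# a :vulnerable branch: the probe shows behaviour, not a working exploit.
def classify_pkexec_check(output, os_release_text = '')
  family = fedora_family?(parse_os_release(os_release_text))

  if output.nil? || output.strip.empty?
    [CHECK_UNKNOWN, 'probe produced no output']
  elsif output.include?('pkexec --version')
    [CHECK_SAFE, 'pkexec printed its usage text instead of loading the planted converter']
  elsif family
    [CHECK_APPEARS, 'vulnerable-looking behaviour on a Fedora-family host, where the exploit is known to fail']
  else
    [CHECK_APPEARS, 'vulnerable-looking behaviour; exploitation not verified']
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs for a stand-alone run.
  rhel = "NAME=\"Red Hat Enterprise Linux\"\nID=\"rhel\"\nID_LIKE=\"fedora\"\nVERSION_ID=\"9.0\"\n"
  probe = "GLib: Cannot convert message: Could not open converter from \"UTF-8\" to \"PWNKIT\"\n"
  p classify_pkexec_check(probe, rhel)
end
```

The point of the os-release parsing is that the Fedora bail-out in the module keys on one distro name, while RHEL, CentOS, Rocky and Alma all advertise their Fedora lineage only through ID_LIKE; checking both fields is what lets the check treat the whole family consistently, and even then the honest answer for a probe-based check is Appears.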
github-actions[bot] commented 8 hours ago

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.