berdav / cve-2021-4034 Goto Github PK

~/CVE-2021-4034 $ ./cve-2021-4034
~/CVE-2021-4034 $ echo $?
127
~/CVE-2021-4034 $ echo $UID
1000

It neither escalates privileges nor it prints pkexec usage. It just exits with 127 exit code.

~/CVE-2021-4034 $ ./cve-2021-4034
~/CVE-2021-4034 $ echo $?
127

I think it's an error related to environmental variables, how can I solve it?
If it is not an environmental variable problem, I would appreciate it if you could tell me the cause and solution.

When running the program, it throws this error: GLib: Cannot convert message: Could not open converter from “UTF-8” to “PWNKIT”

GLib: Cannot convert message: Could not open converter from “UTF-8” to “PWNKIT”
The value for the SHELL variable was not found the /etc/shells file

This incident has been reported.

What I need is to deploy a safe C binary to detect this CVE . Return 1 code if not already patched without actually rooting the system, return 0 if the system is patched.
Can this RFE be added ?

Nice code, but IMHO you should show maybe a screenshot what happens if the hole is still there and what's happening when the hole is patched.

Any help?

🙂

`
zanyxdev@xxxxxxx:~/forks_projets/CVE-2021-4034$ ./cve-2021-4034
pkexec --version |
--help |
--disable-internal-agent |
[--user username] PROGRAM [ARGUMENTS...]

See the pkexec manual page for more details.
zanyxdev@xxxxxxx:~/forks_projets/CVE-2021-4034$ pkexec --version
pkexec version 0.105
`

Linux xxxxxx 5.10.0-11-amd64 #1 SMP Debian 5.10.92-1 (2022-01-18) x86_64 GNU/Linux
policykit-1-doc/stable-security,stable-security 0.105-31+deb11u1 all
policykit-1-gnome/stable,now 0.105-7 amd64
policykit-1-gnome/stable 0.105-7 i386
policykit-1/stable-security,now 0.105-31+deb11u1 amd64
policykit-1/stable-security 0.105-31+deb11u1 i386

Running the script, I receive /bin/sh: 0: Illegal option -p on raspbian stretch

some systems still use /bin/true, might fit into readme

GLib: Cannot convert message: Could not open converter from “UTF-8” to “PWNKIT”
The value for the SHELL variable was not found the /etc/shells file

Hey @berdav ! I just wanted to see if you had a license formally authorizing use and such. It's a great PoC, thanks for putting this together!

1

Hello, thank you for the great idea and the beautiful code you wrote.
I wonder if there is a way we can switch to another user instead of root?I mean, is there any way to change this line setuid(0); to something like setuser(root); ?
or better to ask, how to give the user's name instead of the user's uid?

I know my question may seem ridiculous, but I would be grateful if you could help me.

Thank you

exploit gets killed the moment it executes execve
I tried printing after execve line but it doesn't execute after that line, exit code is 137

I am an apache user and have reverse shell
polkit version: 0.112-26.el7_9.1
Linux 3.10.0-1160.59.1.el7.x86_64
CentOs 7

HMM...... Wazuh was killing it..

GLib: Cannot convert message: Could not open converter from "UTF-8" to "PWNKIT"

^