You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
CheckCode::Vulnerable is used in instances where a host is proven to be exploitable. However, the current check logic in cve_2021_4034_pwnkit_lpe_pkexec can only verify whether the system appears vulnerable, and should use CheckCode::Appears instead.
The check method logic is extremely aggressive (files and directories are created and deleted, and an executable file is uploaded and executed) as it uses the run_exploit method to determine if the host is vulnerable:
Although the original PoC apparently works on CentOS and is confirmed to work on Fedora, the module documentation suggests Fedora exhibits the same behaviour as a vulnerable host but is not vulnerable for unknown reasons:
Untested on Redhat, but I assume similar to Fedora.
The module does not check if the system distro is RHEL. A quick test on RHEL9.0 shows the same behaviour as Fedora (exploitation fails, but check returns CheckCode::Vulnerable).
Thus, if a host is not detected as Fedora, but is not vulnerable due to the same unknown reason that Fedora is not vulnerable, then the host will be reported as CheckCode::Vulnerable. This is a oversight. The check method also does not account for other Linux distros in the Fedora family, including CentOS, Rocky Linux, Alma Linux, and RHEL, which may exhibit the same behaviour.
Without knowing the root cause of failure, the module should return CheckCode::Appears as the host is not proven to be exploitable.
$ make
gcc -o exploit exploit.c
make -C ./gconv BADCONV.so
make[1]: Entering directory '/home/user/pwnkit-exploit/gconv'
gcc -fPIC -shared badconv.c -o BADCONV.so
make[1]: Leaving directory '/home/user/pwnkit-exploit/gconv'
./exploit
Running exploit...
GLib: Cannot convert message: Could not open converter from “UTF-8” to “ZT”
The value for the SHELL variable was not found in the /etc/shells file
This incident has been reported.
make: *** [Makefile:12: run-exploit] Error 127
$ ./a.out
GLib: Cannot convert message: Could not open converter from “UTF-8” to “PWNKIT”
The value for the SHELL variable was not found in the /etc/shells file
This incident has been reported.
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > run
[*] Started reverse TCP handler on 192.168.0.178:4444
[!] AutoCheck is disabled, proceeding with exploitation
[*] Detected payload arch: aarch64
[*] Detected host architecture: aarch64
[*] Locating pkexec...
[*] Found pkexec here: /usr/bin/pkexec
[*] Creating directory /tmp/.rcuvolvmvb
[*] /tmp/.rcuvolvmvb created
[*] Writing '/tmp/.rcuvolvmvb/klywts/klywts.so' (628 bytes) ...
[!] Verify cleanup of /tmp/.rcuvolvmvb
[*] Running python3 /tmp/.rcuvolvmvb/.hmexrkwss /usr/bin/pkexec /tmp/.rcuvolvmvb/klywts/klywts.so klywts tazzgrryuyon
[*] GLib: Cannot convert message: Could not open converter from “UTF-8” to “tazzgrryuyon”
The value for the SHELL variable was not found in the /etc/shells file
This incident has been reported.
[*] Exploit completed, but no session was created.
The text was updated successfully, but these errors were encountered:
This issue has been left open with no activity for a while now.
We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here.
If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.
CheckCode::Vulnerable
is used in instances where a host is proven to be exploitable. However, the currentcheck
logic in cve_2021_4034_pwnkit_lpe_pkexec can only verify whether the system appears vulnerable, and should useCheckCode::Appears
instead.The
check
method logic is extremely aggressive (files and directories are created and deleted, and an executable file is uploaded and executed) as it uses therun_exploit
method to determine if the host is vulnerable:metasploit-framework/modules/exploits/linux/local/cve_2021_4034_pwnkit_lpe_pkexec.rb
Lines 173 to 178 in 1a6cf9d
After setting up the necessary conditions for exploitation,
python
is invoked and the resulting output is stored in theoutput
variable:metasploit-framework/modules/exploits/linux/local/cve_2021_4034_pwnkit_lpe_pkexec.rb
Lines 249 to 252 in 1a6cf9d
The check is considered successful (and thus the host is considered vulnerable) if the
output
does not contain"pkexec --version"
(and is not blank):metasploit-framework/modules/exploits/linux/local/cve_2021_4034_pwnkit_lpe_pkexec.rb
Lines 259 to 263 in 1a6cf9d
Although the original PoC apparently works on CentOS and is confirmed to work on Fedora, the module documentation suggests Fedora exhibits the same behaviour as a vulnerable host but is not vulnerable for unknown reasons:
metasploit-framework/documentation/modules/exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec.md
Lines 65 to 69 in 1a6cf9d
To work around this, the module bails if the host is Fedora:
metasploit-framework/modules/exploits/linux/local/cve_2021_4034_pwnkit_lpe_pkexec.rb
Lines 167 to 171 in 1a6cf9d
Additionally, the module documentation says RHEL is not tested but assumed to exhibit the same behaviour as Fedora:
metasploit-framework/documentation/modules/exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec.md
Lines 132 to 133 in 1a6cf9d
The module does not check if the system distro is RHEL. A quick test on RHEL9.0 shows the same behaviour as Fedora (exploitation fails, but check returns
CheckCode::Vulnerable
).Thus, if a host is not detected as Fedora, but is not vulnerable due to the same unknown reason that Fedora is not vulnerable, then the host will be reported as
CheckCode::Vulnerable
. This is a oversight. Thecheck
method also does not account for other Linux distros in the Fedora family, including CentOS, Rocky Linux, Alma Linux, and RHEL, which may exhibit the same behaviour.Without knowing the root cause of failure, the module should return
CheckCode::Appears
as the host is not proven to be exploitable.For what it's worth, two different PoCs (https://github.com/PeterGottesman/pwnkit-exploit and https://github.com/arthepsy/CVE-2021-4034) and this exploit module all fail on an aarch64 host (despite
check
reportingCheckCode::Vulnerable
):The text was updated successfully, but these errors were encountered: