This repository contains an exploit of CVE-2021-4034, a local
privilege escalation in pkexec. This implementation is based on that
described in the CVE
disclosure, which you should read.
If this works on your machine, it means you are vulnerable. To address
this, either update polkit to a patched version, or disable the setuid
bit on pkexec with the following:
$ sudo chmod a-s $(which pkexec)
This exploit is dangerously easy to write based on the information in the disclosure, so patch all of your machines ASAP.
To run this exploit, simply run make in the top level
directory. This will:
- compile
exploit.c, which runs the exploit - compile
gconv/badconv.c, which contains the payload - Run
./exploit
If this drops you into a shell as root, your system is vulnerable.
If you get the following output, you succesfully mitigated the bug
using the above chmod command:
Running exploit...
GLib: Cannot convert message: Could not open converter from “UTF-8” to “ZT”
pkexec must be setuid root
If you get the pkexec help message as the output, your system was
likely already patched.
This implementation should work on any vulnerable systems, including Fedora 34+ and some versions of OpenSUSE which seem to not be vulnerable to some implementations. Specifically, this will work even if your system has a version of polkit which disables GVFS (added here). That being said, I have no formal experience with computer security and it may report that your system is patched, even if it is still vulnerable to this or other similar exploits. As such, you should make sure that you keep your systems updated, listen to the people who know what they are talking about, and always eat your vegetables.