pkwned: Proof of Concept for CVE-2021-4034 This PoC will run PAYLOAD_PATH (as defined in constants.h) with root privileges from a vulnerable version of pkexec running on glibc. The directory "GCONV_PATH=." needs to contain an executable file named after the directory containing the gconv module. As outlined in the Qualys advisory [1], this will produce a syslog message. I found two approaches so far to prevent that: * By using g_find_program_in_path, pkexec does an access() check using g_file_test and another explicit one afterwards, which enables a race condition (by deleting "GCONV_PATH=./gconv" in between) to call g_printerr without log_message: 641 if (access (path, F_OK) != 0) 642 { 643 g_printerr ("Error accessing %s: %s\n", path, g_strerror (errno)); 644 goto out; 645 } This repository contains the gconv-fuse utility that mounts a FUSE filesystem over "GCONV_PATH=.", which appears empty after one call of access("gconv", X_OK). It only works if the FUSE user_allow_other configuration option is enabled. * If pkexec can be prevented from reading /etc/shells, this will also error out without logging: 356 if (!g_file_get_contents ("/etc/shells", 357 &contents, 358 NULL, /* gsize *length */ 359 &error)) 360 { 361 g_printerr ("Error getting contents of /etc/shells: %s\n", error->message); 362 g_error_free (error); 363 goto out; 364 } Mount namespaces can be used to mount an unreadable file over it, but that requires a user namespace as well, mapping an unprivileged user to root and rendering pkexec's setuid bit ineffective (e.g. "unshare -r -u -m"). Note that GLib has merged a fix for g_find_program_in_path (probably for next stable versions after v2.70.3 and v2.71.0) which will make this exploit infeasible by always returning actual full paths. [2] [1] https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt [2] https://gitlab.gnome.org/GNOME/glib/-/commit/13ee46538f901a8eca8e7a4c167a8838ed0858d4