pkwned: Proof of Concept for CVE-2021-4034
This PoC will run PAYLOAD_PATH (as defined in constants.h) with root
privileges from a vulnerable version of pkexec running on glibc. The
directory "GCONV_PATH=." needs to contain an executable file named after the
directory containing the gconv module.
As outlined in the Qualys advisory [1], this will produce a syslog message.
I found two approaches so far to prevent that:
* By using g_find_program_in_path, pkexec does an access() check using
g_file_test and another explicit one afterwards, which enables a race
condition (by deleting "GCONV_PATH=./gconv" in between) to call
g_printerr without log_message:
641 if (access (path, F_OK) != 0)
642 {
643 g_printerr ("Error accessing %s: %s\n", path, g_strerror (errno));
644 goto out;
645 }
This repository contains the gconv-fuse utility that mounts a FUSE
filesystem over "GCONV_PATH=.", which appears empty after one call of
access("gconv", X_OK). It only works if the FUSE user_allow_other
configuration option is enabled.
* If pkexec can be prevented from reading /etc/shells, this will also error
out without logging:
356 if (!g_file_get_contents ("/etc/shells",
357 &contents,
358 NULL, /* gsize *length */
359 &error))
360 {
361 g_printerr ("Error getting contents of /etc/shells: %s\n", error->message);
362 g_error_free (error);
363 goto out;
364 }
Mount namespaces can be used to mount an unreadable file over it, but that
requires a user namespace as well, mapping an unprivileged user to root and
rendering pkexec's setuid bit ineffective (e.g. "unshare -r -u -m").
Note that GLib has merged a fix for g_find_program_in_path (probably for next
stable versions after v2.70.3 and v2.71.0) which will make this exploit
infeasible by always returning actual full paths. [2]
[1] https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
[2] https://gitlab.gnome.org/GNOME/glib/-/commit/13ee46538f901a8eca8e7a4c167a8838ed0858d4