berdav / CVE-2021-4034

CVE-2021-4034 1day


The value for the SHELL variable was not found the /etc/shells file

condesings opened this issue · comments

GLib: Cannot convert message: Could not open converter from “UTF-8” to “PWNKIT”
The value for the SHELL variable was not found the /etc/shells file

This incident has been reported.


./cve-2021-4034-poc
sh: 1: gcc: not found
GLib: Cannot convert message: Could not open converter from 'UTF-8' to 'PWNKIT'
The value for the SHELL variable was not found the /etc/shells file

Polkit
(pkexec --version)
pkexec version 0.105

KERNEL
(uname -a)
Linux new-server1 4.4.0-210-generic #242-Ubuntu SMP Fri Apr 16 09:57:56 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

If I change line #11 of cve-2021-4034.c to

"SHELL=/bin/bash"

the error message above does not come up. Instead I get

=== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `GCONV_PATH=./pwnkit.so:.' as the super user
Authenticating as: root
Password:

My system:

$ uname -a
Linux server 3.10.0-1160.42.2.el7.x86_64 #1 SMP Tue Aug 31 20:15:00 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.9 (Maipo)
$ rpm -q --whatprovides /bin/pkexec
polkit-0.112-26.el7.x86_64

This exploitation technique doesn't use a valid shell. Why would you assign a valid shell when executing the vulnerable pkexec?

Important: this exploitation technique leaves traces in the logs (either
"The value for the SHELL variable was not found the /etc/shells file" or
"The value for environment variable [...] contains suscipious content").
However, please note that this vulnerability is also exploitable without
leaving any traces in the logs, but this is left as an exercise for the
interested reader.

https://qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt Read also execve().
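As an added example, not part of this issue or of the repository's PoC: a small Python scanner that flags the two pkexec syslog messages quoted above when run over auth.log / journal lines, which is the trace this noisy technique leaves behind. The syslog line layout, the bracketed USER/TTY/CWD/COMMAND fields and the sample lines are constructed assumptions, and the advisory's point stands that a variant leaving no such message will not be caught by this check.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines (not real captures). Assumed syslog layout:
# "<ts> <host> pkexec[<pid>]: <user>: <message> [USER=..] [TTY=..] [CWD=..] [COMMAND=..]"
SAMPLE_LOG = """\
Jan 26 10:01:02 srv pkexec[1234]: lowpriv: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=/dev/pts/0] [CWD=/tmp] [COMMAND=GCONV_PATH=./pwnkit.so:.]
Jan 26 10:01:03 srv pkexec[1235]: lowpriv: The value for environment variable XAUTHORITY contains suscipious content [USER=root] [TTY=/dev/pts/0] [CWD=/tmp] [COMMAND=/usr/bin/id]
Jan 26 10:02:00 srv pkexec[1240]: alice: Executing command [USER=root] [TTY=/dev/pts/1] [CWD=/home/alice] [COMMAND=/usr/bin/systemctl restart foo]
"""

# The two messages quoted from the advisory. "suscipious" is pkexec's own spelling of the
# string; the correctly spelled form is accepted too in case a distribution fixed it.
PWNKIT_MARKERS = (
    ("pwnkit-shell-check",
     re.compile(r"The value for the SHELL variable was not found the /etc/shells file")),
    ("pwnkit-env-check",
     re.compile(r"The value for environment variable \S+ contains sus(?:cipious|picious) content")),
)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) pkexec\[(?P<pid>\d+)\]: (?P<user>[^:]+): (?P<msg>.*)$"
)
FIELD_RE = re.compile(r"\[(?P<key>USER|TTY|CWD|COMMAND)=(?P<val>[^\]]*)\]")

@dataclass
class Finding:
    ts: str
    pid: int
    user: str
    reason: str
    fields: Dict[str, str]

def analyze_line(line: str) -> Optional[Finding]:
    # Returns a Finding only for pkexec lines carrying one of the PwnKit-path messages.
    m = LINE_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    for reason, marker in PWNKIT_MARKERS:
        if marker.search(msg):
            fields = {f.group("key"): f.group("val") for f in FIELD_RE.finditer(msg)}
            # Heuristic (assumption): a COMMAND that is not an absolute path matches the
            # argv[0]==NULL case, where pkexec picks up an environment string as the program.
            if not fields.get("COMMAND", "").startswith("/"):
                reason += "+non-path-command"
            return Finding(m.group("ts"), int(m.group("pid")), m.group("user"), reason, fields)
    return None

def scan(log_text: str) -> List[Finding]:
    # One Finding per matching line, in log order; non-pkexec and benign pkexec lines are skipped.
    return [f for f in map(analyze_line, log_text.splitlines()) if f is not None]
```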

As @owl4ce said, the trick is to trigger an error print to hijack it.

If you set the variable to a valid shell the exploit will not work.

@instagmag you need to install the compiler (on Debian / Ubuntu: sudo apt install gcc)

sorry, my fault. Now it's working.

So I'll close this issue; if the problem re-arises I will re-open it.