| Field | Value |
|---|---|
| Name | linux_pkexec_argc |
| CVE | CVE-2021-4034 |
| Exploit Pack | CANVAS |
| Description | linux_pkexec_argc |

Notes

CVE Name: CVE-2021-4034
Vendor: pkexec

Polkit is a component for controlling system-wide privileges in Unix-like operating systems. pkexec is a setuid binary that allows an authorized user to execute a program as another user. pkexec fails to handle the case where the number of command-line arguments is zero (by convention, argv[0] is the name the program is run with). This allows an attacker to perform an out-of-bounds read and write on the adjacent object, which is the first environment variable. This primitive can be leveraged to load and run an arbitrary shared library with root privileges, given certain path and file conditions (directories created). This vulnerability has been present since pkexec's first version in 2009 and affects versions <= 0.120.

The exploit was tested on:
- Ubuntu Desktop 20.04 (pkexec 0.105)

Currently supports: pkexec <= 0.120
Versions affected: Affects all versions from 0.113 to 0.120, a span of roughly 12 years coverage.
Repeatability: Infinite

References:
- https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034

CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034
Date public: 05/01/2022
CVSS: N/A