module

Polkit D-Bus Authentication Bypass

Disclosed
2021-06-03
Created
2021-07-09

Description

A vulnerability exists within the polkit system service that can be leveraged by a local, unprivileged
attacker to perform privileged operations. In order to leverage the vulnerability, the attacker invokes a
method over D-Bus and kills the client process. This will occasionally cause the operation to complete without
being subjected to all of the necessary authentication.
The exploit module leverages this to add a new user with a sudo access and a known password. The new account
is then leveraged to execute a payload with root privileges.

Authors

Kevin Backhouse
Spencer McIntyre
jheysel-r7

Platform

Linux,Unix

Module Options

To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:


msf > use exploit/linux/local/polkit_dbus_auth_bypass
msf exploit(polkit_dbus_auth_bypass) > show targets
...targets...
msf exploit(polkit_dbus_auth_bypass) > set TARGET < target-id >
msf exploit(polkit_dbus_auth_bypass) > show options
...show and set options...
msf exploit(polkit_dbus_auth_bypass) > exploit

Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.