module
Polkit D-Bus Authentication Bypass
Disclosed | Created |
---|---|
2021-06-03 | 2021-07-09 |
Disclosed
2021-06-03
Created
2021-07-09
Description
A vulnerability exists within the polkit system service that can be leveraged by a local, unprivileged
attacker to perform privileged operations. In order to leverage the vulnerability, the attacker invokes a
method over D-Bus and kills the client process. This will occasionally cause the operation to complete without
being subjected to all of the necessary authentication.
The exploit module leverages this to add a new user with a sudo access and a known password. The new account
is then leveraged to execute a payload with root privileges.
attacker to perform privileged operations. In order to leverage the vulnerability, the attacker invokes a
method over D-Bus and kills the client process. This will occasionally cause the operation to complete without
being subjected to all of the necessary authentication.
The exploit module leverages this to add a new user with a sudo access and a known password. The new account
is then leveraged to execute a payload with root privileges.
Authors
Kevin Backhouse
Spencer McIntyre
jheysel-r7
Spencer McIntyre
jheysel-r7
Platform
Linux,Unix
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:

NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.