Phase 7: Pwnkit (CVE-2021-4034) detect-only module

First USERSPACE LPE in IAMROOT (every prior module is kernel). Same
iamroot_module interface — the difference is the affected-version
check is package-version-based rather than kernel-version-based.

- modules/pwnkit_cve_2021_4034/:
  - iamroot_modules.{c,h}: detect() locates setuid pkexec (one of
    /usr/bin/pkexec, /usr/sbin/pkexec, /bin/pkexec, /sbin/pkexec,
    /usr/local/bin/pkexec) and parses 'pkexec --version' output.
    Handles BOTH version-string formats: legacy '0.105'/'0.120'
    (older polkit) AND modern bare-integer '121'/'126' (post-0.121
    rename to single-number scheme). Reports VULNERABLE on parse
    failure (conservative).
  - exploit() returns IAMROOT_PRECOND_FAIL with a 'not yet
    implemented' message; full Qualys-PoC follow-up is the next
    commit. ~200 lines including embedded .so generator.
  - MODULE.md documents the bug, affected ranges, distro backport
    landscape (RHEL 7/8, Ubuntu focal/impish, Debian buster/bullseye
    each have their own backported polkit version).
  - Embedded auditd + sigma detection rules:
      auditd: pkexec watch + execve audit
      sigma: pkexec invocation + suspicious env (GCONV_PATH, CHARSET)
- core/registry.h adds iamroot_register_pwnkit() declaration.
- iamroot.c main() registers pwnkit.
- Makefile gains the pwnkit family as a separate object set.

Verified end-to-end on kctf-mgr (modern polkit 126):
  iamroot --list → 8 modules
  iamroot --scan → pwnkit reports 'version 126 ≥ 0.121 (fixed)'
  iamroot --detect-rules --format=auditd | grep pwnkit → emits
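As an added illustration of the detect-only check the commit message describes (example code written for this page, not the iamroot project's own), the two pkexec version-string formats are reduced to one comparable release number, unparseable output is treated as VULNERABLE, and the five candidate paths are probed for a setuid-root binary. The fixed threshold 121 and the paths come from the commit message; the function and enum names are assumptions.

```c
#include <ctype.h>
#include <stdlib.h>
#include <sys/stat.h>

/* Added example, not iamroot project code: version-based verdict, conservative on parse failure. */
enum pkexec_state { PKEXEC_FIXED = 0, PKEXEC_VULNERABLE = 1 };
#define PKEXEC_FIXED_VERSION 121   /* commit message: 121 (0.121) and later are fixed */

/* Reduce `pkexec --version` output ("pkexec version 0.105", "pkexec version 126") or a
 * bare "0.120"/"121" to one comparable number: legacy 0.X and modern single-integer
 * schemes both carry the release number in X. Returns -1 if none can be recovered. */
static int pkexec_version_number(const char *out)
{
    const char *p = out;
    char *end;
    while (*p && !isdigit((unsigned char)*p))
        p++;                                   /* skip the "pkexec version " prefix */
    if (*p == '\0')
        return -1;
    long major = strtol(p, &end, 10);
    if (*end != '.')
        return (int)major;                     /* modern bare integer "121" / "126" */
    const char *q = end + 1;                   /* legacy "0.105" / "0.120" (or "0.X.Y") */
    long minor = strtol(q, &end, 10);
    if (end == q || major != 0)                /* only the 0.X scheme is known; don't guess */
        return -1;
    return (int)minor;
}

/* Unparseable output is reported VULNERABLE, as the module does. Distro backports
 * (RHEL, Ubuntu, Debian) can fix a string below 121, so read VULNERABLE as
 * "check the package", not as confirmed exploitable. */
static enum pkexec_state pkexec_classify(const char *version_output)
{
    int v = pkexec_version_number(version_output);
    return (v < 0 || v < PKEXEC_FIXED_VERSION) ? PKEXEC_VULNERABLE : PKEXEC_FIXED;
}

/* Detection precondition: a setuid-root pkexec at one of the paths the module probes. */
static const char *locate_setuid_pkexec(void)
{
    static const char *const candidates[] = { "/usr/bin/pkexec", "/usr/sbin/pkexec",
        "/bin/pkexec", "/sbin/pkexec", "/usr/local/bin/pkexec" };
    struct stat st;
    for (size_t i = 0; i < sizeof candidates / sizeof candidates[0]; i++)
        if (stat(candidates[i], &st) == 0 && (st.st_mode & S_ISUID) && st.st_uid == 0)
            return candidates[i];
    return NULL;
}
```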
@@ -133,12 +133,16 @@ primitive** that other modules can chain. Bundled because:
- [ ] Idempotent re-run safety: copy_fail_family's apply is already
idempotent (overwrites conf files). Re-verify per module.
## Phase 7+ — More modules
## Phase 7+ — More modules (started 2026-05-16)
Backfill of historical and recent LPEs as time allows:
- [ ] **CVE-2021-3493** — overlayfs nested-userns LPE
- [ ] **CVE-2021-4034** — Pwnkit (pkexec env handling)
- [x] **CVE-2021-4034** — Pwnkit (pkexec env handling): 🔵 detect-only
landed. Version parser handles both formats: "0.X.Y" (older
polkit) and bare "121"/"126" (modern). Reports VULNERABLE if
pkexec is setuid AND version < 121. First userspace LPE in the
corpus. Full Qualys-PoC exploit is the next Phase 7 commit.
- [ ] **CVE-2022-2588** — net/sched route4 dead UAF
- [ ] **CVE-2023-2008** — vmwgfx OOB write
- [ ] **CVE-2024-1086** — netfilter nf_tables UAF
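Review bot: the CVE-2021-4034 item is now ticked `[x]` even though its own text says only the detect-only half has landed and the Qualys-PoC exploit is "the next Phase 7 commit"; either split it into two checklist items (detect-only, exploit) or leave the box unchecked next to the 🔵 detect-only marker, so a reader scanning the roadmap does not take the module as complete. The format wording also drifts from the commit message: the entry describes legacy versions as "0.X.Y" while the commit message says '0.105'/'0.120' and reports 'version 126 ≥ 0.121 (fixed)', so state the threshold once, in one scheme (for example "release number < 121, with legacy 0.X read as X"), in both places.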