leviathan
|
f1bd896ca8
|
Phase 7: Pwnkit FULL exploit (Qualys-style PoC) + DEFENDERS.md
Pwnkit: 🔵 → 🟢
- Implements the canonical Qualys-style PoC end-to-end:
    1. Locate setuid pkexec
    2. mkdtemp working directory under /tmp
    3. Detect target's gcc/cc (fail-soft if absent)
    4. Write payload.c (gconv constructor: unsetenv hostile vars,
       setuid(0), execle /bin/sh -p with clean PATH)
    5. gcc -shared -fPIC payload.c -o pwnkit/PWNKIT.so
    6. Write gconv-modules cache pointing UTF-8// → PWNKIT//
    7. execve(pkexec, NULL_argv, envp{GCONV_PATH=workdir/pwnkit,
       PATH=GCONV_PATH=., CHARSET=PWNKIT, SHELL=pwnkit})
    → argc=0 triggers argv-overflow-into-envp; pkexec re-execs
      with PATH set to our tmpdir; libc's iconv loads PWNKIT.so
      as root; constructor pops /bin/sh with uid=0.
- Cleanup: removes /tmp/iamroot-pwnkit-* workdirs.
- Auto-refuses on patched hosts (re-runs detect() first).
- GCC -Wformat-truncation warnings fixed by sizing path buffers
  generously (1024/2048 bytes — way more than needed in practice).
Verified end-to-end on kctf-mgr (polkit 126 = patched):
iamroot --exploit pwnkit --i-know
→ detect() says fixed → refuses cleanly. Correct behavior.
Vulnerable-kernel validation is Phase 4 CI matrix work.
docs/DEFENDERS.md — blue-team deployment guide:
- TL;DR: scan, deploy rules, mitigate, watch
- Operations cheat sheet (--list, --scan, --detect-rules, --mitigate)
- Audit-key table mapping rule keys to modules to caught behavior
- Fleet-scanning recipe (ssh + jq aggregation)
- Known false-positive shapes per rule with tuning hints
CVES.md: pwnkit row updated 🔵 → 🟢.
ROADMAP.md: Phase 7 Pwnkit checkbox marked complete.
|
2026-05-16 20:13:11 -04:00 |
|
leviathan
|
43e290b224
|
Phase 7: Pwnkit (CVE-2021-4034) detect-only module
First USERSPACE LPE in IAMROOT (every prior module is kernel). Same
iamroot_module interface — the difference is the affected-version
check is package-version-based rather than kernel-version-based.
- modules/pwnkit_cve_2021_4034/:
    - iamroot_modules.{c,h}: detect() locates setuid pkexec (one of
      /usr/bin/pkexec, /usr/sbin/pkexec, /bin/pkexec, /sbin/pkexec,
      /usr/local/bin/pkexec) and parses 'pkexec --version' output.
      Handles BOTH version-string formats: legacy '0.105'/'0.120'
      (older polkit) AND modern bare-integer '121'/'126' (post-0.121
      rename to single-number scheme). Reports VULNERABLE on parse
      failure (conservative).
    - exploit() returns IAMROOT_PRECOND_FAIL with a 'not yet
      implemented' message; full Qualys-PoC follow-up is the next
      commit. ~200 lines including embedded .so generator.
    - MODULE.md documents the bug, affected ranges, distro backport
      landscape (RHEL 7/8, Ubuntu focal/impish, Debian buster/bullseye
      each have their own backported polkit version).
    - Embedded auditd + sigma detection rules:
        auditd: pkexec watch + execve audit
        sigma: pkexec invocation + suspicious env (GCONV_PATH, CHARSET)
- core/registry.h adds iamroot_register_pwnkit() declaration.
- iamroot.c main() registers pwnkit.
- Makefile gains the pwnkit family as a separate object set.
Verified end-to-end on kctf-mgr (modern polkit 126):
iamroot --list → 8 modules
iamroot --scan → pwnkit reports 'version 126 ≥ 0.121 (fixed)'
iamroot --detect-rules --format=auditd | grep pwnkit → emits
|
2026-05-16 20:07:40 -04:00 |
|
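The detect-only commit above describes two pieces of a vulnerable-host check: finding a setuid pkexec binary and parsing `pkexec --version` output in both the legacy dotted (`0.105`) and modern bare-integer (`126`) formats, treating a parse failure as VULNERABLE. The following is an added illustration of that check in C; it is not the iamroot project's code, and the function names (`pkexec_parse_version`, `pkexec_classify`, `pkexec_is_setuid`), the sample version lines and the fixed-version threshold of 0.121 quoted in the commit are assumptions for the example. As MODULE.md's backport landscape notes, distro packages may carry the fix under an older version string, so a version-based result is a scan hint to confirm against the vendor advisory, not proof of exploitability.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Result of the version-based check. Parse failures map to VULNERABLE,
 * mirroring the conservative choice described in the commit. */
enum pkexec_status { PKEXEC_VULNERABLE = 0, PKEXEC_FIXED = 1 };

/* Hypothetical helper: is `path` an existing regular file with the setuid bit?
 * The candidate list below is the one quoted in the commit message. */
static const char *pkexec_candidates[] = {
    "/usr/bin/pkexec", "/usr/sbin/pkexec", "/bin/pkexec",
    "/sbin/pkexec", "/usr/local/bin/pkexec", NULL
};

int pkexec_is_setuid(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return 0;
    return S_ISREG(st.st_mode) && (st.st_mode & S_ISUID) ? 1 : 0;
}

/* Parse one line of `pkexec --version` output into (major, minor).
 * "pkexec version 0.105" -> (0, 105); "pkexec version 126" -> (0, 126),
 * i.e. the bare-integer scheme is mapped onto the old 0.N numbering so a
 * single comparison works for both. Returns 0 on success, -1 on failure. */
int pkexec_parse_version(const char *line, int *major, int *minor)
{
    const char *p = line;
    while (*p && !isdigit((unsigned char)*p)) p++;   /* skip "pkexec version " */
    if (!*p) return -1;

    char *end;
    long a = strtol(p, &end, 10);
    if (end == p) return -1;

    if (*end == '.') {                               /* legacy dotted form */
        const char *q = end + 1;
        long b = strtol(q, &end, 10);
        if (end == q) return -1;
        *major = (int)a;
        *minor = (int)b;
    } else {                                         /* modern bare integer */
        *major = 0;
        *minor = (int)a;
    }
    return 0;
}

/* Classify a version line against the 0.121 threshold quoted in the commit.
 * Anything unparseable is reported VULNERABLE so a broken or renamed binary
 * is surfaced for a human to look at rather than silently passed. */
enum pkexec_status pkexec_classify(const char *version_line)
{
    int maj, min;
    if (pkexec_parse_version(version_line, &maj, &min) != 0)
        return PKEXEC_VULNERABLE;
    if (maj > 0) return PKEXEC_FIXED;
    return (min >= 121) ? PKEXEC_FIXED : PKEXEC_VULNERABLE;
}

int main(void)
{
    /* Constructed sample lines standing in for real `pkexec --version` output. */
    const char *samples[] = {
        "pkexec version 0.105", "pkexec version 0.120",
        "pkexec version 121",   "pkexec version 126",   "not a version line"
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s -> %s\n", samples[i],
               pkexec_classify(samples[i]) == PKEXEC_FIXED ? "fixed" : "VULNERABLE");

    for (const char **c = pkexec_candidates; *c; c++)
        if (pkexec_is_setuid(*c))
            printf("setuid pkexec found at %s\n", *c);
    return 0;
}
```

Run it on a host and compare the printed classification with the distro's advisory for the installed polkit package; on a backported build the version line alone will under-report the fix, which is exactly the false-positive shape a DEFENDERS.md-style tuning note should call out.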