Share
## https://sploitus.com/exploit?id=7450F8FE-872C-53C6-A84E-E0C2C05646A1
# CVE-2021-3560 โ€” Polkit Privilege Escalation

CVE-2021-3560 is a local privilege escalation vulnerability in **Polkit** (formerly PolicyKit), the authorization framework used by Linux desktop environments. A local, unprivileged attacker can exploit a race condition in the `accounts-daemon` D-Bus interface to create a privileged user, set its password, and ultimately gain **root** access.

---

## How It Works

### Background: Polkit + accounts-daemon

`accounts-daemon` (`org.freedesktop.Accounts`) is a system D-Bus service that manages user accounts (creation, deletion, password changes, etc.). It exposes methods such as:

| Method | Action |
|---|---|
| `CreateUser` | Creates a new system user |
| `SetPassword` | Sets the user password |
| `DeleteUser` | Deletes a user |

These operations require authorization. When a D-Bus call arrives, **Polkit** sits between the caller and `accounts-daemon`:

```
Caller  โ†’  D-Bus  โ†’  Polkit (authorization check)  โ†’  accounts-daemon (action)
```

Polkit decides whether the caller has permission, and if so, forwards the request to `accounts-daemon` for execution.

### The Race Condition

The vulnerability is a **TOCTOU (Time Of Check, Time Of Use)** race. Here's the key insight:

1. A D-Bus method call is sent to `accounts-daemon` (e.g., `CreateUser`).
2. **Polkit** receives it and performs the authorization check โ€” often relying on a polkit agent dialog that times out, returning a "not authorized" response. However, due to a bug, the timeout/error handling in polkit incorrectly treats certain error conditions as success or leaves the daemon-side processing in a partially-authorized state.
3. If the D-Bus call is **killed at precisely the right moment** โ€” after Polkit's authorization decision is made but before `accounts-daemon` finishes processing โ€” the user creation goes through without proper authentication, yet the user record ends up **incomplete** (e.g., no password, no home directory).
4. The attacker can then use the same race to call `SetPassword` on the newly-created (but unauthenticated) user, or the incomplete state itself grants elevated privileges.

In short: kill the request at the right time, and you bypass authentication.

### What the Exploit Does

This `exploit.sh` script automates the full attack chain:

| Step | Action |
|---|---|
| **1. Time calibration** | Uses a dummy `CreateUser("nobody")` call to measure how long the D-Bus round-trip takes, computing the "kill window" |
| **2. User creation** | Sends a `CreateUser` call for a chosen username, starts it in the background, sleeps for the computed window, then kills it โ€” exploiting the race to create an unauthorized user |
| **3. Password set** | Once the user exists (in an incomplete state), sends a `SetPassword` call with the same race technique to assign a known password |
| **4. Privilege escalation** | Uses `su` to switch to the new user, runs `sudo` (which works because the user was created through a bypassed authorization path), copies `/bin/bash` to `/var/tmp/bash` with **SUID root**, and spawns a root shell |

---

## Usage

```bash
# Clone the repository
git clone https://github.com/Jeanback1/CVE-2021-3560.git
cd CVE-2021-3560

# Make the exploit executable
chmod +x exploit.sh

# Run it
./exploit.sh
```

Once the exploit completes, you will have a root shell:

```bash
whoami
# root
```

### Example output

![Exploit execution](foto.png)

---

## Affected Versions

| Component | Affected |
|---|---|
| **polkit** | โ‰ค 0.119 (unpatched) |
| **accounts-daemon** (accountsservice) | All versions using affected polkit |

The vulnerability was patched in polkit **0.120** and later.

Patched distributions (non-exhaustive):
- Ubuntu 20.04+ (with security updates after June 2021)
- Debian 11+ (with security updates)
- RHEL 8+ / CentOS 8+ (with erratum)
- Fedora 34+

---

## Disclaimer

This repository is for **educational and authorized security research only**. Do not use this exploit on systems you do not own or have explicit permission to test. The author assumes no liability for misuse.