Share
## https://sploitus.com/exploit?id=CFE3102D-90DC-50DB-8D7D-CFED76AAE825
<h1 style="font-size:10vw" align="left">CVE-2021-3560 - Polkit Local Privilege Escalation</h1>


<img src="https://img.shields.io/badge/CVSS:3.1%20Score%20-7.8 HIGH-red"> <img src="https://img.shields.io/badge/Vulnerability%20Types%20-Privilege%20Escalation-blue"> <img src="https://img.shields.io/badge/Tested%20On%3F-Ubuntu%2020.04.1-blued"> <img src="https://img.shields.io/badge/-Ubuntu%2020.04.2-blued">


******
โš ๏ธ *For educational and authorized security research purposes only*


## Original Exploit Authors
Very grateful to the original PoC author [@UNICORDev](https://unicord.dev) by ([@NicPWNs](https://github.com/NicPWNs) and [@Dev-Yeoj](https://github.com/Dev-Yeoj))


## Description
It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user. This flaw could be used by an unprivileged local attacker to, for example, create a new local administrator. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

## Demo
![polkit](https://github.com/asepsaepdin/CVE-2021-3560/assets/122620685/224164df-81aa-4864-8f0d-55777d79a76a)


******
## Step Guides
1. Install git, then clone the script from the github repository:

    ```bash
   sudo apt install git python3 -y
   git clone https://github.com/asepsaepdin/CVE-2021-3560.git
   ```
    
2. Run the PoC script using command:

   ```bash
   python3 exploit-CVE-2021-3560.py -u hacker -p password
   ```

   > **Notes**: specify -u options with the intended username and -p options with the intended password

3. Verify the created user using command:
   ```bash
   su hacker
   id
   ```
   
******
## Credits
- https://nvd.nist.gov/vuln/detail/CVE-2021-3560
- https://app.hackthebox.com/machines/Paper
- https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/
- https://github.com/Almorabea/Polkit-exploit/blob/main/CVE-2021-3560.py