People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!
pkexec (a sudo-like binary) has a main function that processes its command line arguments and searches for the program to be executed in the directories listed in the $PATH environment variable. When parsing this information, it assumes that argv is not empty. If argv is empty, it still starts a FOR loop with an iterator starting at 1, with no validation that argv has any entries. This leads to an out of bounds read and an out of bounds write on argv[1].

When execve starts a new program, the kernel copies the argument and ENV strings to the end of the new program's stack. The ARGV and ENVP arrays each hold pointers to those strings, and each array ends with a NULL. So if argv[1] is used when argv is empty, it is the same memory as envp[0]. pkexec first reads from argv[1], which is really envp[0], and takes this value (which is controlled by us) to find the program based upon the path. It then writes the result back to argv[1].

When calling a SETUID binary, many ENV variables are thrown out in order to not allow for trivial privilege escalation. Since this write is really to envp[1], it gives us an interesting primitive: the ability to add environmental variables back into the process! This is a non-memory corruption primitive, which means it is consistent, but powerful. Data-only attacks are becoming more and more popular.

pkexec clears its ENV only a few lines later. Is this even possible to exploit then? It turns out there is a way to get an ENV variable used early enough in the program via the error handling! pkexec can print error messages to stderr via the call to g_printerr. It normally prints messages in the UTF-8 charset. To convert messages from one charset to another, iconv_open loads a shared library, and the GCONV_PATH environmental variable controls where that library is loaded from, so it is enough to force the above function to be called. With a controlled GCONV_PATH environmental variable, a shared library is loaded in as root. This is a complete user to root privilege escalation within most distros of Linux.
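To make the argv/envp layout concrete, here is an added example (mine, not from this page or from pkexec's own source) that builds a constructed pointer array the way execve lays it out, shows that an argument loop starting at index 1 lands on envp[0] when argv is empty, and puts the hardened argc check beside the unchecked one. build_layout, unchecked_program_arg and checked_program_arg are hypothetical names.

```c
#include <string.h>

/* Constructed stand-in for what execve leaves on the new program's stack:
 * argv[0..argc-1], a NULL, then envp[0..], then a final NULL, contiguous. */
static char *stack_slots[16];

static char **build_layout(int argc, char **args, char **env) {
    int i = 0;
    for (int a = 0; a < argc; a++) stack_slots[i++] = args[a];
    stack_slots[i++] = NULL;                        /* argv[argc] == NULL */
    for (int e = 0; env[e] != NULL; e++) stack_slots[i++] = env[e];
    stack_slots[i++] = NULL;                        /* envp terminator */
    return stack_slots;                             /* start of argv */
}

/* Vulnerable pattern: skip option-like arguments from index 1 and return the
 * first remaining one. With argc == 0 the loop never runs, and argv[1] is
 * one slot past the argv terminator, i.e. envp[0]. */
static const char *unchecked_program_arg(int argc, char **argv) {
    unsigned n;
    for (n = 1; n < (unsigned)argc; n++)
        if (argv[n][0] != '-') break;
    return argv[n];
}

/* Hardened pattern: refuse an empty argv before indexing past argv[0]. */
static const char *checked_program_arg(int argc, char **argv) {
    if (argc < 1) return NULL;
    return unchecked_program_arg(argc, argv);
}

/* 1 when the unchecked parser, given an empty argv, hands back the
 * caller-controlled envp[0] string while the checked parser refuses. */
int empty_argv_reads_envp0(void) {
    static char *env[] = {"FIRST_ENV=constructed", "SECOND_ENV=2", NULL};
    char **argv = build_layout(0, NULL, env);
    return argv[0] == NULL && unchecked_program_arg(0, argv) == env[0]
        && checked_program_arg(0, argv) == NULL;
}

/* 1 when a normal argv ("prog --quiet ls") still resolves to "ls". */
int normal_argv_resolves(void) {
    static char *env[] = {"FIRST_ENV=constructed", NULL};
    static char *args[] = {"prog", "--quiet", "ls"};
    const char *p = checked_program_arg(3, build_layout(3, args, env));
    return p != NULL && strcmp(p, "ls") == 0;
}
```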
Damn, that is impactful!