Jeanback1/CVE-2021-3560-exploit
GitHub: Jeanback1/CVE-2021-3560-exploit
# CVE-2021-3560 — Polkit Privilege Escalation
CVE-2021-3560 is a local privilege escalation vulnerability in **Polkit** (formerly PolicyKit), the authorization framework used by Linux desktop environments. A local, unprivileged attacker can exploit a race condition in the `accounts-daemon` D-Bus interface to create a privileged user, set its password, and ultimately gain **root** access.
## How It Works
### Background: Polkit + accounts-daemon
`accounts-daemon` (`org.freedesktop.Accounts`) is a system D-Bus service that manages user accounts (creation, deletion, password changes, etc.). It exposes methods such as:
| Method | Action |
|---|---|
| `CreateUser` | Creates a new system user |
| `SetPassword` | Sets the user password |
| `DeleteUser` | Deletes a user |
These operations require authorization. When a D-Bus call arrives, **Polkit** sits between the caller and `accounts-daemon`:
```
Caller → D-Bus → Polkit (authorization check) → accounts-daemon (action)
```
Polkit decides whether the caller has permission, and if so, forwards the request to `accounts-daemon` for execution.
### The Race Condition
The vulnerability is a **TOCTOU (Time Of Check, Time Of Use)** race. Here's the key insight:
1. A D-Bus method call is sent to `accounts-daemon` (e.g., `CreateUser`).
2. **Polkit** receives the request and performs the authorization check, typically by prompting through a polkit agent dialog; if that dialog times out, the expected result is a "not authorized" response. Due to a bug, however, polkit's timeout/error handling treats certain error conditions as success, or leaves the daemon-side processing in a partially authorized state.
3. If the D-Bus call is **killed at precisely the right moment** — after Polkit's authorization decision is made but before `accounts-daemon` finishes processing — the user creation goes through without proper authentication, yet the user record ends up **incomplete** (e.g., no password, no home directory).
4. The attacker can then use the same race to call `SetPassword` on the newly-created (but unauthenticated) user, or the incomplete state itself grants elevated privileges.
In short: kill the request at the right time, and you bypass authentication.
### What the Exploit Does
The `exploit.sh` script in this repository automates the full attack chain:
| Step | Action |
|---|---|
| **1. Time calibration** | Uses a dummy `CreateUser("nobody")` call to measure how long the D-Bus round-trip takes, computing the "kill window" |
| **2. User creation** | Sends a `CreateUser` call for a chosen username, starts it in the background, sleeps for the computed window, then kills it — exploiting the race to create an unauthorized user |
| **3. Password set** | Once the user exists (in an incomplete state), sends a `SetPassword` call with the same race technique to assign a known password |
| **4. Privilege escalation** | Uses `su` to switch to the new user, runs `sudo` (which works because the user was created through a bypassed authorization path), copies `/bin/bash` to `/var/tmp/bash` with **SUID root**, and spawns a root shell |
## Usage
```bash
# Clone the repository
git clone https://github.com/Jeanback1/CVE-2021-3560.git
cd CVE-2021-3560

# Make the exploit executable
chmod +x exploit.sh

# Run it
./exploit.sh
```
Once the exploit completes, you will have a root shell:
```bash
whoami
# root
```
### Example output

## Affected Versions
| Component | Affected |
|---|---|
| **polkit** | ≤ 0.119 (unpatched) |
| **accounts-daemon** (accountsservice) | All versions using affected polkit |
The vulnerability was patched in polkit **0.120** and later.
Patched distributions (non-exhaustive):
- Ubuntu 20.04+ (with security updates after June 2021)
- Debian 11+ (with security updates)
- RHEL 8+ / CentOS 8+ (with erratum)
- Fedora 34+
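An added version check (not part of this repository) that compares the locally installed polkit against the fixed release this README names (0.120). It assumes GNU `sort -V` for version ordering and the `pkaction version X.Y` output format; because distributions backport fixes without bumping the upstream version (see the patched distribution list above), a "below fixed release" result means "verify against the vendor advisory", not a confirmed vulnerability.

```shell
#!/bin/sh
# Added example, not code from the Jeanback1 repository. Checks whether a
# polkit version string is older than the fixed release given in this README.
# Assumptions: GNU coreutils `sort -V`; `pkaction --version` prints a line
# of the form "pkaction version 0.105".

# version_lt A B: succeed (exit 0) if A sorts strictly before B.
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# polkit_version_affected VERSION [FIXED]: succeed if VERSION < FIXED.
# FIXED defaults to 0.120, the fixed release stated in the table above.
polkit_version_affected() {
    version_lt "$1" "${2:-0.120}"
}

# parse_pkaction_version LINE: extract the numeric version from the
# output of `pkaction --version`; prints nothing if the format differs.
parse_pkaction_version() {
    printf '%s\n' "$1" | sed -n 's/^pkaction version \([0-9][0-9.]*\).*/\1/p'
}

# check_local_polkit: inspect this host's polkit and report.
# Exit 0 = at/above fixed release, 1 = below it (check for a backported
# patch via the distro advisory), 2 = could not determine.
check_local_polkit() {
    command -v pkaction >/dev/null 2>&1 || {
        echo "pkaction not found; polkit may not be installed"; return 2; }
    ver=$(parse_pkaction_version "$(pkaction --version 2>/dev/null)")
    [ -n "$ver" ] || { echo "could not parse pkaction --version output"; return 2; }
    if polkit_version_affected "$ver"; then
        echo "polkit $ver is below the fixed release (0.120); verify vendor backport"
        return 1
    fi
    echo "polkit $ver is at or above the fixed release (0.120)"
    return 0
}
```

Run `check_local_polkit` on the host to be assessed; on a system that backports security patches, pair the result with the distribution's advisory for CVE-2021-3560.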
## Disclaimer
This repository is for **educational and authorized security research only**. Do not use this exploit on systems you do not own or have explicit permission to test. The author assumes no liability for misuse.