Skip to content

Remote Root Exploit via Log4Shell & PwnKit Vulnerabilities

  • Resources
  • News
  • Remote Root Exploit via Log4Shell & PwnKit Vulnerabilities

CovertSwarm demonstrating a full remote ‘root’ attack chain – enabled by Log4Shell (CVE-2021-44228) + PwnKit (CVE-2021-4034)

Over the past months there were several releases of new CVE’s, two of which especially have a major impact on modern systems. Today we are showing how easy it can be to go from an unauthenticated user to system access with root privileges within minutes. This is done by exploiting log4j (CVE-2021-44228) along with Polkit’s pkexec binary (CVE-2021-4034).

Proof of Concept Exploit

The vulnerable setup can be found in this github

Description

Diagram illustrating the Log4Shell (CVE-2021-44228) exploit process.

Credit: Fastly

The log4j vulnerability is present in the X-Api-Header and will be exploited by supplying an attacker-controlled LDAP Server that will in turn redirect the victim to load a malicious Java class. When the victim parses the new component and executes the payload supplied by the attacker, this causes remote code execution in the context of the user that runs the vulnerable application.

Screenshot of terminal showing root access achieved via PwnKit (CVE-2021-4034).

Going further with this, on compromise of the underlying operation system, the attacker attempts to gain root privileges by exploiting the Policy Kit pkexec binary. Since the vulnerability was present on the operation system the attacker obtains root privileges within minutes of gaining the initial foothold on the operation system.

Remediation

Vendor patches have been released for both vulnerabilities and it is recommended to patch the vulnerable systems immediately. A temporary solution for the Policy Kit exploit is to change the permissions of the present pkexec binary

chmod 0755 /usr/bin/pkexec

If the binary is not present at this path you can try to locate it with the following command

find / - name *’pkexec’* 2>/dev/null

 

References

https://www.covertswarm.com/post/critical-0-day-security-vulnerability-log4shell-rce

https://www.covertswarm.com/post/critical-0-day-vulnerability-in-polkit-pkexec-component

https://github.com/arthepsy/CVE-2021-4034

https://github.com/kubearmor/log4j-CVE-2021-44228

Close-up of a mechanical keyboard with red-lit keys, symbolizing offensive cybersecurity activity.

The Evolution of EDR Bypasses: A Historical Timeline

The relationship between Endpoint Detection and Response (EDR) solutions and bypass techniques represents one of cybersecurity’s most dynamic battlegrounds. They are a representation of Cybersecurity as…
Billy Giles, Head of Adversary Simulation at CovertSwarm North America, bringing over two decades of offensive cyber operations experience to strengthen constant cyber attack capabilities.

Billy Giles joins CovertSwarm as Head of Adversary Simulation for North America

CovertSwarm proudly welcomes Billy Giles as Head of Adversary Simulation for the North America region, strengthening our offensive cybersecurity capabilities and constant cyber attack subscription services.…
Retail breach

ANATOMY OF A BREACH: INSIDE THE MODERN RETAIL ATTACK

Retail breaches don’t start with ransomware. They start with people. From social engineering to persistent access, attackers exploit the unseen gaps in your defenses. Learn how…