Gain access to any Linux system with this exploit
- added on 28. 01. 2022
- This 12-YEAR OLD EXPLOIT is bad... but you need to know about it and how to test for it! Here is how I use it to hack Linux systems.
CVE-2021-4034 - Exploit with HIGH severity
C Compile Script: haxx.in/files/blasty-vs-pkexec.c
Exploit: Pwnkit
Article: www.tomshardware.com/news/12-... .
►► Digital Downloads ➜ www.cttstore.com
►► Reddit ➜ / christitustech
►► Titus Tech Talk ➜ / titustechtalk
►► Twitch ➜ / christitustech - Science & Technology
Looking at the comments, it should be pointed out that most Linux exploits require access with some type of credential. This exploit was documented and patched on 1/25/2022. Anything not patched will be VULNERABLE!
Most Windows exploits can be done remotely through RDP / SMB vulnerabilities and do not require access.
This video was simply to demonstrate a bad Linux exploit that affects a large number of systems. It shouldn't need to be said, but I'll say it anyway: "Linux is far more secure than Windows".
yeah... reading the comments, you should also point out that you don't necessarily need 'local access' as in: get your hands on that exact physical machine, but rather some sort of shell account would suffice.
but if there's just one thing to take away from this video is: KEEP YOUR FRIGGIN SYSTEM UPDATED!
...because there are other exploits in the wild that might give you some sort of shell access already. Escalating privileges from there is just the step to make things 'actively' become really nasty... even though some people might find the title a little click-baity for said reasons, still a great video and a quite sobering reminder!
thanks for the heads up man, keep up the good work! 😎👍
On a positive note, Debian Stable installed with minimal package sets (for services like web servers and such) does not have policykit (and therefore pkexec) installed by default. You should always check and always stay up to date, but Debian Stable is less of a target in this specific case.
On Linux Mint Cinnamon, pkexec version 0.105, I can't find where to update pkexec. Update Manager shows the system is up to date?
@starivuk6561 If you go to /usr/bin and check the file date, it should show Jan 12, which means it's already patched. I'm on Mint as well.
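The comment above suggests checking the binary itself rather than trusting the version number. The script below is an added example, not from the video or from any commenter: it reports whether pkexec is present, whether it still carries the setuid bit that CVE-2021-4034 depends on, and its version string and file date. It assumes a POSIX shell, `ls` and `cut`, and the usual install path /usr/bin/pkexec (override with the PKEXEC_PATH environment variable, an assumed name).

```shell
#!/bin/sh
# Added example (not from the video or the comments): a defender-side check
# of the pkexec binary. Assumes POSIX sh plus ls/cut; path is an assumption.

# has_setuid FILE -> prints "yes" if the setuid bit is set, "no" otherwise.
# Reads the mode column of `ls -ld`, which works on GNU and BSD userlands.
has_setuid() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        ???[sS]??????) echo yes ;;
        *)             echo no  ;;
    esac
}

# pkexec_status FILE -> prints one of: absent, setuid, not-setuid
pkexec_status() {
    if [ ! -e "$1" ]; then
        echo absent
    elif [ "$(has_setuid "$1")" = yes ]; then
        echo setuid
    else
        echo not-setuid
    fi
}

# report FILE -> human-readable summary for an administrator
report() {
    status=$(pkexec_status "$1")
    echo "pkexec: $1 ($status)"
    if [ "$status" != absent ]; then
        # The version string alone is not conclusive: distributions backport
        # the fix without changing 0.105, so the file date is shown as well.
        "$1" --version 2>/dev/null || echo "could not run $1 --version"
        ls -l "$1"
    fi
}

report "${PKEXEC_PATH:-/usr/bin/pkexec}"
```

"absent" is the safe outcome (the minimal Debian case mentioned in another comment). "setuid" on an unpatched system is the condition to fix by applying the distribution update; the vendor advisories at the time also published removing the setuid bit (`chmod 0755` on the binary) as a stopgap until the package could be updated, at the cost of pkexec no longer working for legitimate use.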
@nosbig98 Yep, it's one of the reasons why I love straight Debian for my servers and workstations. Less bloatware.
Considering that CentOS 7 still has support (unlike CentOS 8), this is actually interesting.
Yeah I used to love Red Hat but I am still pretty mad at them for the CentOS 8 removal of support after it was recently released.
@ChrisTitusTech understandable
Yep, tried it on a CentOS 7 system with 22 outstanding updates and it was affected. Updated and all fine now. Thanks for the heads up Chris! Good job.
You can now do something with those locked down no more software support Linux routers, excellent!
Chris: "Don't take advice from some guy in a YouTube video..... wait, hold up!!"
Great work as always, Chris.
Would you consider making a video breaking down Void Linux? I know it's a bit more advanced, but I can't seem to find any other channels/videos that do as good a job as yours at introducing such advanced distros to new users in such informative/educational ways. Keep up the good work!
Love The Vid Chris!
Just tested this on my ubuntu servers and everything was fine. They were already up to date though, thanks for the heads up!
The title and thumbnail cracked me up, I'm onto your shenanigans Chris!
Next video title: "Don't fall for clickbait!--Click here!" :)
Yeah the polkit vulnerability was patched in Arch before it was even made public.
Thanks for the video!
It was a really good reason to update our systems :P
This. I need these kind of contents. Thanks chris
There's that security audit tool which can run vulnerability checks on your system and provide useful information on how to fix said issues with links and documentation of vulnerability exploits.
Linux *is* safer - just as long as you keep it up to date.
Being FOSS is a two-edged sword: any vulnerability will be visible to both good and bad actors. That is, it'll be easy to exploit for a very short time indeed, while closed-source weaknesses will be harder to exploit for a much, much longer time.
Edit (PS): Use Linux, keep it up to date.
Windows is closed source, still gets more attacks from hackers, because it has more vulnerabilities. Most of them don't get revealed just by reading the source code.
@matyasmarkkovacs8336 My point exactly. Big target + closed-source = loads of vulnerabilities that take ages to (perhaps) get patched.
Meanwhile, smaller target + open-source = fewer vulnerabilities for shorter time periods, just as long as the community stays vigilant.
An easily visible source code means that vulnerabilities are more easily spotted from both sides, was my point. And I'd trust user/devs in a community trying to improve a project they believe in over corporate slaves exploited by a company that has contracts with NSA, CIA, Mossad, and a couple thousand private agencies any time.
@@joschafinger126 In the server world Linux is the bigger target but this just goes to show the power of opensource
A zero-day on any OS is going to be quickly exploited. There's been a lot of kiddie scripts on Windows that stayed unpatched for far too long.
@krozareq Aye. How long would those holes have lasted in Linux?
Like the approach instead of show the news. NICE :) thank you.
I wouldn't say "gain access", as you have to be logged in, but sure gain higher level of access.
Love your videos brother.
this video urged me to ssh into my server and update it even tho i just did it an hour ago... dayyum :)
Thank you, Chris.
I knew this was going to be clickbait as soon as I saw "Chris Titus Tech", but I clicked it anyways... Lesson learned
ooo, 36 minutes ago this vid was posted when I saw it. This means that I have time to break in my locked pc!!!! 😱
This seems to require gcc. I tried running a pre-compiled (compiled on my other PC) version on my server (Rocky Linux) and it didn't work. But when I compiled it on my server it worked (made me root). However, my server doesn't have gcc installed (I installed it briefly for the test and removed it afterwards), so it's not really easy to exploit, it seems. I don't know why you would have gcc on a server.
That was yesterday. Today the patch was released and nothing works anymore.
I love that Rocky Linux is a thing now after the whole CentOS thing.
Hey Chris,
This could be a nightmare in a corporate environment with all kinds of users. However, in my case, not an issue. I am the only one with access to my system and I use a weird password to boot. Also, I keep my system updated. So this won't work anyway. Debian is very good about security updates.
Great Video as always. Keep on Rocking it, amigo. 🙂
I remember doing a hack the Box challenge. I remember trying this exploit to elevate my user to root once I had my reverse shell.
So how vulnerable are embedded linux systems such as smart tvs? Are update routines remotely run?
Decided to do around of updates. Don't forget to update firmware on other devices like routers that may run Linux under the hood.
In what universe does local privilege escalation "Gain access to any Linux system" ? One where you magically have login access to all Linux systems?
Newsflash: We don't live in that universe, Chris.
@kelvinhbo this is not an old exploit. PopOS 21.04 (EOL January 2022) with the latest updates is affected. Guess I have to finally update now.
Open source software is certainly not free of bugs it's no different in that, but what I like about it is that they get fixed so quickly, because of the very large community around it.
It's especially the open source software bugs that soon become world news. But that's a good thing. Think about the Log4J bug.
Proprietary software bugs can continue to exist for many years, silently causing many problems, like vulnerabilities only known by criminals, getting fixed after a long time or without getting fixed at all.
On a deeper level, a question: I remember a special Linux permission which allows any user to run a program as the owner of the program, which is root in most cases. Things like sudo and doas, which are normal programs in the end, probably use exactly that, I guess, to be able to run as root and make others able to run things as root. As long as the program (running as root without root privileges for the executing user) is not vulnerable, it should just be fine, but of course when sudo has a buffer overflow or whatever, you could elevate permissions without intended permission. So am I right that a normal program, e.g. VS Code, Firefox, vim, nano, ..., which does not have the special permission that I guess things like sudo have, and which runs as the user who runs it, is never exploitable to gain root access, of course as long as the kernel itself does not have a magic vulnerability?
I mean imagine getting root access when running neofetch, I think this would be ridiculous and a once within 10k years kernel bug. :D
Sry, am not native English speaker.
Of course only really special programs should have that permission to run the program as root by anyone, dangerous permission, but somehow su and sudo need to work.
Pretty impressive for a non-native English speaker
What if you upload old vulnerable pkexec in the same folder and modify script to call ./pkexec, will it still work? If we presume we can upload stuff to /home/hacker user?
Hi, a few days ago I did a deep scan on my pc because the windows button didn’t work. It said I had hack tool, I found out it could come with some bad viruses and tried to reset my pc but every time I try it fails. Do you know anything I could do to get rid of the virus?
Oh no.. Chris recklessly forgot to put on his balaclava before going out and crazy hackermanning. Looks like his next video will have to be streamed from the Ecuadorian Embassy again.
Raspberry Pi os? Or things like Armbian for some of the other boards?
I guess it wouldn't be that difficult to port this to a remote execution application with some reverse shell or something. Cool to see that it's already patched in the new updates!
Very interesting Thanks. Quick Question: Probably not ? but would this exploit work on an android phone ?
So what version of pkexec is vulnerable? Cause I know that there was an update pushed for it I believe with Ubuntu based systems recently...I just wanna make sure my systems are safe?
Here's the thing: I'm on Fedora and I'm pretty sure CentOS is Red Hat based also. Does this affect Fedora or any other Red Hat based distros?
All Linux distros with pkexec that are unpatched prior to January 2022 will be affected. So pretty much any unpatched distro.
For some reason it doesn't work on Void Linux... it's the only distro that is different from any Linux out there... I've been using it so far... many folks are too scared to use it, but trust me, it's well worth the trouble to get it running completely.
So decided to record sudo exploit that was rampant and got fixed :).
Must resist Titus' clickbait!
Must resist Titus' clickbait!
Wait .... damn. Ah,well, I was probably already on an NSA watchlist anyway ;)
If you were using Centos, you should consider using Rhel.
Isn't this the second polkit vulnerability in a short while? First one was a timing attack or something and now this.
Also, I was backing Artix at the beginning of 2021... but when I heard about Void Linux many times, it's completely different from both... both don't support systemd... but one needs logind, while on Void Linux it's optional to have it running, and it works without it with the KDE desktop without issue. Many said it required logind, but to my surprise with Void, when I disabled logind from booting... it still ran KDE without any trace of logind in the process scripts. For Artix... it's forcing everyone to use stronger passwords and forcing them to not disable the environment file from the etc folder, and it comes with many, many separate settings for S6, dinit, suite66, runit, but runit doesn't need settings and neither does OpenRC... but for some reason it's in the package repository for every init of the user's pick... it sounds like Artix wasn't honest in the beginning with its users that it's not really completely systemd free, when they can't quite figure out how to get other desktop environments running that need it... like KDE and GNOME, but with Void... it works completely without any systemd or any need for extra files for each configuration. The trick is Void is the only system that is also Linux Foundation free as well; it does not support Linux licenses like GNU or GPL, and that is fine for me, and a perfect system that is a BSD-2-Clause system; that distro is the first of its kind to be part of BSD with a Linux kernel hybrid.
Could you do a video on how to customize zsh without oh-my-zsh? I keep looking and everything that I find is either very poorly explained or uses oh-my-zsh.
Done czcams.com/video/gGmBUfMaWMU/video.html
Wouldn't combining this with Log4jshell give the ability to elevate to root remotely?
Yeah, remote execution vulnerabilities can be chained with root elevation exploit to be even more dangerous
Great video! Time for me to update some systems. Gulp! 😨
Just one more reason whenever I am making a golden image for installs with VMWare I never put GCC or any dev tools in the package list for a production host.
@Watcher you are correct, I was just saying that Dev tools on a production host isn't a good idea.
...well, a.o. tinycc also does the job, doesn't need root, and you can well easily get binaries ready for most architectures including arm... no need for fully fledged gnu compiler suite 😏
@EdSchroedinger In a well monitored and locked down production environment this shouldn't be a thing that could happen. This is why I am glad admins run the hosts and not users.
@johntilghman and the keywords here are 'well monitored'... and it also entails being 'well maintained'... that's certainly standard in many larger corporate environments as of today, yet... but pentesters can also tell you one or another story. And regarding blackhat attitude being a thing, and regarding the many not so well monitored/maintained systems, it's a sheer miracle that comparably little sith has actually gone down yet like... hard 😆
@EdSchroedinger I hate to say it, but I work in multiple corporate IT environments and it's sad to know that the data breaches we see are but a minority of what there could be if they all got reported.
Asked in the TAILS subreddit but may as well ask here as well.
Can this be used against TAILS with persistence?
I understand some Linux but far from a daily driver of it. So while I think this is saying they’d already have to have access to the system I want to make sure I understand correctly
Yes, any Linux system not patched prior to 1/25/2022 can be exploited with this.
@ChrisTitusTech wow that's sketchy, thanks for the heads up
Clickbait title aside, nice demo and reminder, Chris! Thanks!
ShellShock was a pretty nasty remote code execution vuln.
You could also use a 12lb sledge hammer to smash the system into tiny pieces if you were standing next to it i.e. were "local"
Well at least now a lot of problems will be fixed and have attention
12 years?! Wow, that's even older than the systemd ultimate backdoor.
To my horror, this exploit worked on my latest Debian 11 Bullseye machine, which was fully updated last week! Updating today patched it.
Subscribed
mom wake up they finally found the NSA backdoor
if only someone knew how to use the 'id' command to illustrate that they are actually root
Couldn't get this working on CentOS 8 but I am betting that's just a bug in the code
Can’t remember a remote code execution on linux …. Hmmmmmm log4j rings any bells?
Can you do a video on why you dont use Centos anymore?
Because centos has been dead for like a year now
I am reverting back to Windows 98.
Take that, forced windows 10 updates!
Security by obscurity :D
Lol make sure you use Win 98 SE ;) That first edition was a bit rough.
@ChrisTitusTech Obviously. And added USB drivers and KernelEX :D
(Actually this is what I intend to do. In the meanwhile I am actually using a PC from around 2008 with Windows 98 SE that has an old scanner and a dot matrix printer (24 pin) :)
Was selinux enforcing?
No, but that wouldn't be enough to claim full protection from the attack, just make it more difficult. Since the whole point of pkexec is to elevate to root, that has to be part of the normal policy, so that would still be allowed. Running random GCC-compiled programs/scripts to trigger it would hopefully be what's prevented, though. So you would have to trigger it in a convoluted series of loopholes.
Clicked because of the thumbnail
Title is clickbait
I mean, if you as a hacker literally have to be at the computer you wanna hack - why not just bring a USB with some distro and get access to all of it out of the box? It saved tons of machines, but it can just as much be used the other way around 😅
nope, you just need to get yourself a user shell, from which you then might be able to escalate privileges to root... no need to 'physically' access the box itself.
What if the storage is encrypted?
@ClifffSVK 🤷♂️ Follow this guide I guess 😂
Linux may not have as many viruses, but it doesn't mean it's virus-proof.
Update your systems, use strong passwords, check any link or attachment, and never download from untrusted sources.
THE PROPHECY IS TRUE! ALL YOUR BASE ARE BELONG TO US, TO RETURN!
all your systems are belong to us
this channel has more clickbait than Linus now.
here's my favorite program (use gcc)
#include <unistd.h>   /* setuid, seteuid, setgid, setegid, execl */

int main(void) {
    /* Only succeeds if the process already has root (or the set-ID capabilities):
       these calls set the real/effective IDs to 0 before starting an interactive shell. */
    setuid(0); seteuid(0); setgid(0); setegid(0);
    execl("/bin/bash", "bash", "-i", (char *)NULL);
    return 1; /* only reached if execl fails */
}
the brainpower that went into thinking of these mechanisms while at the same time failing to understand why this wont work is remarkable.
your clickbait beats all because its wrong.
@mrlithium69 it's called a rootshell, and it worked well enough for me. Of course you need to hack root first, lol.
@mrlithium69 presenting a 12-year-old exploit as 'you can hack any Linux server' is just dumb clickbait. I guess you agree with that at least.
@mrlithium69 the point of the short prog is just to set your effective uid to root, because often when you hack root you only hacked the UID and not the EUID, which is somewhat limiting to the fun.
Kind of hard to exploit open source. A bajillion eyes are better than a dozen.
This is a good demonstration of the purpose of mandatory access control. Sure, there can be a bug in sudo or a bug in pkexec, but if a user or program should never have any reason to run either, then why were they allowed to? And, even if you do somehow get root by some unknown means, because that's how exploits work, then why should you be able to do whatever you want just because you're root? You should still only be allowed to do the things you are supposed to do. A simple way to play around with confined root accounts on Ubuntu, is to do sudo snap run --shell vlc, or some other snap.
👍🏿
Just sleep for the night and then tomorrow it's not gonna work anymore.
@Watcher Im soo late to the party my bad
hi chris
Polkit was patched already
@Watcher that's why patch management is important
Dude don't exec exploits in your daily box
I hope patch this soon
Patched on 1/25/2022
As long as the exploit doesn't work remotely and is patched soon, everything is fine, except the vulnerable exploit of the Windows fanboys who misused it to claim Windows would be the more secured system. 😀
I'm gonna be real for you buddy Linux fanboys are way more annoying when they fight over which distro or desktop is the best
Chris: I have no idea why you would even do a video like this.. you know better and that's what's bothering me the most..
? It's about informing people to patch their systems. This is how you test for the exploit and make sure your system is up to date.
Title is kinda overhyped.
Never seen someone remote exploit Windows except when someone enabled Active directory and remote desktop and had a weak password. Most remote exploits happen on Linux. Windows is more secure than Linux when it comes to exploits.
@Watcher everything you said is true and I know that and what I said is true as well :) because Linux is used more on servers they get targeted a lot by hackers and hence remote exploits gets discovered. Still Windows servers are less likely to get exploited, I have tested running a Windows server and a Linux server on a dedicated server machine with OVH and the minute my Linux server started, I started seeing thousands of attacks on SSH, Mail services and the server slowed down and accessing my hosted website on the server started taking longer times. When I switched to Windows I no longer saw any attacks. It seems that Windows has a better firewall overall and people are more likely to target Linux.
You're smoking crack... Look up Metasploit, an unpatched Windows system is a kids' playground.
@ChrisTitusTech Log4j as well.
@Watcher Log4j was the most recent.
@Watcher Ddossing is practically a meme.
lol
I wasn't expecting this level of clickbait from this channel. Maybe I had misjudged this channel.
If linux were to take the place of windows in terms of popularity pretty sure it would be a total mess with hundred of exploits freaking out programmers' mind
If you take step backwards from consumer space you'll notice that Linux is more battle tested and everywhere.
You're absolutely right. A lot of people here are forgetting a lot of the attacks on Windows are through popular software or phishing. If Linux was THE Desktop OS and Windows was THE Server OS then people would be complaining about all the exploits done to Linux.
Click bait title was misleading so a thumbs down.
proud to be indian, lol
and yet someone would have to crack into a user account in order to do anything locally.
Good luck with that.
Patch a LINUX system?
Who does that? ... lol, everyone but losers.
Correct pronunciation is 'CENT OH ESS' ;)
better than "F stab".
Cool, immutable Linux give you extra security too
When you can only exploit old systems, then it isn't gaining access to any Linux system lol. Clickbait
Lol, well, 1/25 is when the zero-day hit, and it was ANY system. Linux is just very fast at patching this exploit. Anything not patched prior to 1/25, this can be used on.
Linux, Linux, Linux. All this talk about which is better, Linux or Windows, is like people bragging that their cooking is better than everyone else's cooking. That's at best a subjective statement, and so is the claim that one is better than the other and that one is safer than the other!
Most linux exploits are patched on the same day they are discovered, and do not require a forced update that closes all of your programs and deletes your unsaved work, while this exploit also requires access to your password protected user. However windows itself has keyloggers built into it, and exploits take a shit ton of time to get fixed by a forced windows update, that doesn't even tell you what is it fixing.
Lmao normies don't use Linux.
& Who uses Linux they know how to deal with these exploits.
Why fear when your 'Btw' brain is with you.
Change the bloody title.............