Permanent fix for the vulnerability

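Online upgrade
Remediation: CentOS users can update from the official repositories, using the following commands to upgrade to the fixed version or later: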

yum clean all && yum makecache
yum update polkit -y

[root@node01 ~]# yum update polkit -y
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package polkit.x86_64 0:0.112-18.el7 will be updated
---> Package polkit.x86_64 0:0.112-26.el7_9.1 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

===================================================================================================
 Package             Arch                Version                        Repository            Size
===================================================================================================
Updating:
 polkit              x86_64              0.112-26.el7_9.1               updates              170 k

Transaction Summary
===================================================================================================
Upgrade  1 Package

Total download size: 170 k
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
polkit-0.112-26.el7_9.1.x86_64.rpm                                          | 170 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : polkit-0.112-26.el7_9.1.x86_64                                                  1/2
  Cleanup    : polkit-0.112-18.el7.x86_64                                                      2/2
  Verifying  : polkit-0.112-26.el7_9.1.x86_64                                                  1/2
  Verifying  : polkit-0.112-18.el7.x86_64                                                      2/2

Updated:
  polkit.x86_64 0:0.112-26.el7_9.1

Complete!
[root@node01 ~]#
 
 
[root@node01 ~]# rpm -aq | grep polkit
polkit-pkla-compat-0.1-4.el7.x86_64
polkit-0.112-26.el7_9.1.x86_64
[root@node01 ~]#

Verification result
[lianglab@node01 tmp]$ ./cve-2021-4034-poc 
touch: cannot touch ‘GCONV_PATH=./pwnkit’: Permission denied
chmod: changing permissions of ‘GCONV_PATH=./pwnkit’: Operation not permitted
sh: pwnkit/gconv-modules: Permission denied
Segmentation fault (core dumped)
[lianglab@node01 tmp]$
-----------------------------------

Offline upgrade

wget http://mirror.centos.org/centos/7/updates/x86_64/Packages/polkit-0.112-26.el7_9.1.x86_64.rpm
rpm -Uvh polkit-0.112-26.el7_9.1.x86_64.rpm
rpm -aq | grep polkit   # check whether polkit is at the fixed version
./cve-2021-4034-poc     # run the PoC to verify the fix

[root@node03 src]# ls
cve-2021-4034-poc  polkit-0.112-26.el7_9.1.x86_64.rpm  sysinit.sh
[root@node03 src]# rpm -aq | grep polkit
polkit-pkla-compat-0.1-4.el7.x86_64
polkit-0.112-18.el7.x86_64
[root@node03 src]# rpm -Uvh  polkit-0.112-26.el7_9.1.x86_64.rpm
Preparing...                          ################################# [100%]
Updating / installing...
   1:polkit-0.112-26.el7_9.1          ################################# [ 50%]
Cleaning up / removing...
   2:polkit-0.112-18.el7              ################################# [100%]
[root@node03 src]# rpm -aq | grep polkit
polkit-pkla-compat-0.1-4.el7.x86_64
polkit-0.112-26.el7_9.1.x86_64
[root@node03 src]# su - lianglab
Last login: Thu Jan 27 17:50:22 CST 2022 on pts/0
[lianglab@node03 ~]$ ls
[lianglab@node03 ~]$ cd /tmp/
[lianglab@node03 tmp]$ ./cve-2021-4034-poc 
pkexec --version |
       --help |
       --disable-internal-agent |
       [--user username] PROGRAM [ARGUMENTS...]

See the pkexec manual page for more details.

Report bugs to: http://lists.freedesktop.org/mailman/listinfo/polkit-devel
polkit home page: <http://www.freedesktop.org/wiki/Software/polkit>
[lianglab@node03 tmp]$
-----------------------------------

PoC reproduction attempt after the fix

1. Temporary mitigation: after modifying /usr/bin/pkexec (setuid bit removed, as the listing shows)

[liangliang@node02 ]$ ./cve-2021-4034-poc
GLib: Cannot convert message: Could not open converter from “UTF-8” to “PWNKIT”
pkexec must be setuid root
[liangliang@node02 ]$ ll /usr/bin/pkexec
-rwxr-xr-x. 1 root root 23656 Oct 31 2018 /usr/bin/pkexec

2. After installing the officially provided update package
[root@node01 tmp]# ./cve-2021-4034-poc
pkexec --version |
       --help |
       --disable-internal-agent |
       [--user username] PROGRAM [ARGUMENTS...]

See the pkexec manual page for more details.

Report bugs to: http://lists.freedesktop.org/mailman/listinfo/polkit-devel
polkit home page: http://www.freedesktop.org/wiki/Software/polkit
[root@node01 tmp]# rpm -aq | grep polkit
polkit-pkla-compat-0.1-4.el7.x86_64
polkit-0.112-26.el7_9.1.x86_64
[root@node01 tmp]# stat /usr/bin/pkexec
File: ‘/usr/bin/pkexec’
Size: 27672 Blocks: 56 IO Block: 4096 regular file
Device: 802h/2050d Inode: 201732651 Links: 1
Access: (4755/-rwsr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2022-01-27 17:38:54.182253858 +0800
Modify: 2022-01-26 03:42:49.000000000 +0800
Change: 2022-01-27 14:22:41.682719484 +0800
Birth: -
[root@node01 tmp]#

[lianglab@node01 tmp]$ ./cve-2021-4034-poc
touch: cannot touch ‘GCONV_PATH=./pwnkit’: Permission denied
chmod: changing permissions of ‘GCONV_PATH=./pwnkit’: Operation not permitted
sh: pwnkit/gconv-modules: Permission denied
Segmentation fault (core dumped)

[lianglab@node01 tmp]$
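
The three states shown on this page (old build with setuid pkexec, old build with the setuid bit removed, fixed build 0.112-26.el7_9.1) can also be told apart from package data alone, without running a PoC. The script below is an added example, not part of the original post; the function names and the simplified version comparison (no epoch, ~ or ^ handling) are assumptions, and the sample inputs are constructed.

```shell
#!/bin/sh
# Fixed polkit build for CentOS 7, taken from the yum/rpm output on this page.
FIXED_VR="0.112-26.el7_9.1"

# Split a version-release string into space-separated digit/letter segments.
segs() {
    printf '%s\n' "$1" | sed -e 's/[^A-Za-z0-9][^A-Za-z0-9]*/ /g' \
        -e 's/\([0-9]\)\([A-Za-z]\)/\1 \2/g' \
        -e 's/\([A-Za-z]\)\([0-9]\)/\1 \2/g' -e 's/^ //' -e 's/ $//'
}

# Simplified rpmvercmp: prints -1, 0 or 1 for $1 older/equal/newer than $2.
vercmp() {
    A=$(segs "$1"); B=$(segs "$2")
    while [ -n "$A" ] || [ -n "$B" ]; do
        x=${A%% *}; y=${B%% *}
        if [ -z "$x" ]; then echo -1; return 0; fi   # $1 ran out first
        if [ -z "$y" ]; then echo 1; return 0; fi    # $2 ran out first
        case $x in *[!0-9]*) xn=0 ;; *) xn=1 ;; esac
        case $y in *[!0-9]*) yn=0 ;; *) yn=1 ;; esac
        if [ "$xn" != "$yn" ]; then                  # number beats letters
            if [ "$xn" = 1 ]; then echo 1; else echo -1; fi; return 0
        elif [ "$xn" = 1 ]; then
            if [ "$x" -lt "$y" ]; then echo -1; return 0; fi
            if [ "$x" -gt "$y" ]; then echo 1; return 0; fi
        elif [ "$x" != "$y" ]; then
            if expr "x$x" \< "x$y" >/dev/null; then echo -1; else echo 1; fi
            return 0
        fi
        case $A in *' '*) A=${A#* } ;; *) A= ;; esac
        case $B in *' '*) B=${B#* } ;; *) B= ;; esac
    done
    echo 0
}

# classify <version-release> <pkexec mode string as printed by ls -l / stat -c %A>
classify() {
    if [ "$(vercmp "$1" "$FIXED_VR")" -ge 0 ]; then echo patched; return 0; fi
    case $2 in
        ???[sS]*) echo vulnerable ;;           # old build, setuid bit still set
        *)        echo unpatched-mitigated ;;  # old build, setuid bit removed
    esac
}

# Constructed samples mirroring the states on this page. On a live host use:
#   classify "$(rpm -q --qf '%{VERSION}-%{RELEASE}' polkit)" "$(stat -c %A /usr/bin/pkexec)"
classify 0.112-18.el7 -rwsr-xr-x.       # vulnerable
classify 0.112-18.el7 -rwxr-xr-x.       # unpatched-mitigated
classify 0.112-26.el7_9.1 -rwsr-xr-x.   # patched
```

A host reported as unpatched-mitigated still needs the package update: a later reinstall of the old polkit build would restore the setuid bit.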