CVE-2021-3156
Fri, Feb 5, 2021 | #writeup #tryhackme #sudo #buffer-overflow
sudo is a ubiquitous utility that is included in most if not all Unix- and Linux-based OSes. It allows users to run programs with the security privileges of another user. In most cases sudo comes into play when an unprivileged user wants to run commands with root privileges, so it is fair to say that sudo is a very powerful tool. With this in mind it is even more frightening that this vulnerability remained undiscovered for almost 10 years.
On 26th January security researchers from Qualys reported a heap-based buffer overflow in sudo. Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host.
Exploit
Luckily a TryHackMe machine already exists where the vulnerability can be exploited, so let's dive in.
First of all there is a simple crash PoC to check whether the system is vulnerable.
We have successfully overwritten the heap buffer, which caused the program to crash, so the target is vulnerable.
Knowing that our target is vulnerable, let's clone the exploit repository, compile it and run it.
Further Research
What is sudoedit?
It's just a symlink to the sudo binary, but different flags are set when sudo is invoked as sudoedit. These flags combined with the -s flag are necessary to reach the vulnerable code block.
As we can see above in the crash test example, the fundamental bug is that sudo does not process escaped characters correctly.
If a command-line argument ends with a single backslash character, sudo gets confused because it assumes another character must follow the backslash; in this case that "character" is the null terminator. So it escapes the null terminator and keeps processing because it never noticed the end of the string, which then leads to a heap buffer overflow. To successfully exploit this vulnerability many tricky things need to be done which I haven't dug into and probably don't understand yet either.
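The trailing-backslash bug described above, as an added example that is not from this writeup or from the sudo project: a self-contained C model of the escape-stripping copy loop. The `region` byte string (standing in for argv and envp strings laid out back to back in memory), the function names and the hardened check are constructed for illustration; the loops mirror the logic the text describes rather than quoting sudo's source, and the hardened variant expresses the idea behind the fix, not the upstream patch itself. The walks only count bytes and stop at the end of the model region, so the program itself never writes out of bounds.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed stand-in for process memory: the kernel places argv and envp
 * strings back to back, each terminated by a single NUL. Here the argument
 * is a lone backslash (as in the crash test), immediately followed by the
 * next argument and an environment variable.
 */
static const char region[] = "\\\0NEXT_ARG\0ENV=value";
static const char *const region_end = region + sizeof(region); /* one past the final NUL */

/* Bytes reserved for an argument: its length plus one for the separator.
 * strlen() stops at the first NUL, so a lone backslash reserves 2 bytes. */
size_t reserved_for(const char *arg)
{
    return strlen(arg) + 1;
}

/*
 * Escape-stripping walk modelled on the vulnerable logic: a backslash is
 * dropped and the byte after it is copied verbatim, unless that byte is
 * whitespace. Nothing checks whether the byte after the backslash is the
 * NUL terminator, so a trailing backslash steps over it and the loop keeps
 * consuming whatever memory follows the argument.
 */
size_t vulnerable_walk(const char *from, const char *end)
{
    size_t written = 0;
    while (from < end && *from != '\0') {
        if (*from == '\\' && !isspace((unsigned char)from[1]))
            from++;            /* skip the backslash; the escaped byte is copied */
        written++;             /* stands in for: *to++ = *from; */
        from++;
    }
    return written;
}

/*
 * Hardened walk: a backslash may only escape a byte that actually exists.
 * Refusing to escape the terminator keeps the copy within the reserved size.
 */
size_t hardened_walk(const char *from, const char *end)
{
    size_t written = 0;
    while (from < end && *from != '\0') {
        if (*from == '\\' && from[1] != '\0' && !isspace((unsigned char)from[1]))
            from++;
        written++;
        from++;
    }
    return written;
}

/* Bytes the given walk would write beyond the reserved allocation (0 = safe). */
size_t overflow_bytes(size_t (*walk)(const char *, const char *))
{
    size_t reserved = reserved_for(region);
    size_t written = walk(region, region_end);
    return written > reserved ? written - reserved : 0;
}

int main(void)
{
    printf("reserved bytes  : %zu\n", reserved_for(region));
    printf("vulnerable walk : %zu bytes written, %zu beyond the buffer\n",
           vulnerable_walk(region, region_end), overflow_bytes(vulnerable_walk));
    printf("hardened walk   : %zu bytes written, %zu beyond the buffer\n",
           hardened_walk(region, region_end), overflow_bytes(hardened_walk));
    return 0;
}
```

The size calculation and the copy loop disagree on where the argument ends: strlen() sees one byte, while the vulnerable walk copies nine (the escaped NUL plus the whole neighbouring string), which is exactly the mismatch that turns into a heap overflow when the destination was allocated from the strlen-based size. The hardened walk stops at the terminator, so written bytes never exceed the reservation.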
0xAPPA from the future
One of my favorite security content creators has now investigated the vulnerability and tried to figure out how fuzzing could have been used to find it. Highly recommend LiveOverflow.