Now let's look at the exploit development scenarios. If we dissect the Qualys blog post, they describe three specific attack scenarios that they tested on the latest versions of Debian 10, Ubuntu 20.04 and Fedora 33:
- struct sudo_hook_entry overwrite
- struct service_user overwrite
- def_timestampdir overwrite
Various parties are working on exploits for these three scenarios, and some of them are doing so in public, so let me list those here.
struct sudo_hook_entry overwrite
This is one of the most complicated exploitation paths, and hence very few are attempting to go in this direction. So far I have found that only lockedbyte has attempted and documented this attack. They have also added a fuzzer for finding the specific overflow conditions on other operating systems where tests were not performed.