
Weekly newsletter of Anant Shrivastava - Issue #1


Infrequent IT(sec) commentary from Anant

February 2 · Issue #1

This newsletter contains my musings around Information technology and mostly information security topics.

This is my first time writing a newsletter, so I will keep it brief, hoping to continue this every week. This time around I am focusing on one major area: the sudo bug discovered by Qualys and named “Baron Samedit”.
Sudo Bug aka Baron Samedit
A lot of last week was spent on the sudo bug and the various exploit work going on around it. I will try to outline all of it here in one place.
All this started with Qualys Making a public disclosure about CVE-2021-3156.
The Qualys Research Team has discovered a critical vulnerability in #Sudo, which allows an unprivileged user to gain root privileges in its default configuration. #linux #unix #vulnerability
Sudo released an official statement along with its own set of details:
Buffer overflow in command line unescaping
As soon as the details were published, the race to create exploits was on on one side, while on the other side defenders were scrambling to patch things.
To check whether a host is affected, a simple one-liner can be used:
sudoedit -s '\' `perl -e 'print "A" x 65536'`
[Screenshot: sudoedit core dump on a vulnerable server]
[Screenshot: patched server prints usage info]
If this command results in a segmentation fault or a core dump, you are running a vulnerable version of sudo; a patched version simply prints its usage information.
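As an added example (my own code, not part of the original newsletter), here is a small POSIX shell wrapper around the one-liner above that interprets the outcome instead of leaving you to read a core dump. It assumes sudoedit and perl are on PATH and that it is run on the host being checked; the function names and the --run flag are my own.

```shell
#!/bin/sh
# Wraps the crash-test one-liner from the newsletter and interprets the outcome.
# Assumptions: sudoedit and perl are on PATH; run on the host being checked.

# classify_sudoedit_result STATUS OUTPUT
#   STATUS is the exit status of the sudoedit command, OUTPUT its combined
#   stdout/stderr. Returns 1 = vulnerable, 0 = patched, 2 = inconclusive.
classify_sudoedit_result() {
  status=$1
  output=$2
  case "$status" in
    # 139 = 128+SIGSEGV, 134 = 128+SIGABRT (glibc heap corruption abort)
    139|134)
      echo "VULNERABLE (sudoedit crashed with signal $((status - 128)))"
      return 1 ;;
  esac
  case "$output" in
    *usage:*)
      echo "PATCHED (sudoedit rejected the arguments and printed usage info)"
      return 0 ;;
  esac
  echo "INCONCLUSIVE (exit status $status): $output"
  return 2
}

# run_baron_samedit_check: runs the newsletter's one-liner with core dumps
# disabled, so a vulnerable host does not leave a core file behind.
run_baron_samedit_check() {
  ulimit -c 0
  payload=$(perl -e 'print "A" x 65536')
  output=$(sudoedit -s '\' "$payload" 2>&1)
  classify_sudoedit_result "$?" "$output"
}

# Only run the live check when explicitly asked, e.g. ./check.sh --run
case "${1-}" in
  --run) run_baron_samedit_check ;;
esac
```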
Various vendors issued specific Vendor advisories to cover this bug.
Red Hat Customer Portal - Access to 24x7 support and knowledge
CVE-2021-3156 | Ubuntu
While the distros were busy releasing fixes, defenders were worrying about detection; the public information I could find includes:
Detecting the Sudo Baron Samedit Vulnerability and Attack | Splunk
How to detect sudo's CVE-2021-3156 using Falco | Sysdig
Now let's look at the exploit development scenarios. If we dissect the Qualys blog post, they talk about three specific attack scenarios that they tested on the latest versions of Debian 10, Ubuntu 20.04 and Fedora 33.
  1. struct sudo_hook_entry overwrite
  2. struct service_user overwrite
  3. def_timestampdir overwrite
Various entities are working on developing exploits for these three scenarios, and some of them are doing it in public, so let me list those here.
struct sudo_hook_entry overwrite
This is the most complicated exploitation path, and hence very few are attempting to go this direction. So far I have found only lockedbyte attempting and documenting this attack. They have also added a fuzzer for finding the specific overflow conditions on other OSes where tests have not been performed.
I was able in collaboration with @bl4sty to create a working Proof of Concept exploit for the new sudo CVE-2021-3156.
Tested just in Ubuntu 20.04.1 LTS, in other distros offsets may change. PoC available:
CVE-Exploits/CVE-2021-3156 at master · lockedbyte/CVE-Exploits · GitHub
struct service_user overwrite
In this method you are effectively able to rewrite parts of the buffer in a way that lets you load your own arbitrary .so file and invoke commands from it.
This method is very much the cream of the writeup and the one most people are focusing on right now. A detailed writeup about the technique came out via Kalmarunionen:
Sudo Exploit Writeup | Kalmarunionen
And a bucket load of exploits are being written around this, the most versatile being the one from blasty in collaboration with lockedbyte:
Last night @lockedbyte showed you how we managed to exploit sudo with a partial overwrite of a funcptr and some small bruteforce. Today.. we do it single-shot with some help of glibc/nss.
They ended up publishing the code on github for better visibility and collaboration.
GitHub - blasty/CVE-2021-3156
As of now this covers the widest variety of targets: Ubuntu 18.04, 20.04, as well as Debian 10. Attempts to exploit RHEL and Debian 9 have failed so far; there is an ongoing issue about this and it will probably get some updates soon.
Debian9 stretch · Issue #10 · blasty/CVE-2021-3156 · GitHub
Other notable attempts in this technique are listed here.
GitHub - Ruia-ruia/sudoHeapOverflow: After getting a crash such that rbx was mangled... I spent the weekend adjusting and tweaking the malicious inputs to get it to work. It was honestly just trial n error so nothing clever on my part. I hope someone smarter makes an environment scanner to be able to automatically adjust the configurable parameters in a deterministic way.
Rajvardhan Agarwal
Added a one shot exploit for this. Not sure why it wasn't working on my prior ubuntu 20.04 install (still doesn't). Had to do another fresh install in a vm. Tested on both ubuntu 18.04 and 20.04.
def_timestampdir overwrite
This is the ugliest scenario in my opinion, as it is a situation where you can overwrite a specific root-owned file via a race condition. Exploits so far are simply overwriting /etc/passwd, either replacing its entire content with a single hard-coded user with a known password, or making a copy of the old /etc/passwd, appending the new entry and then overwriting the full file with it. In any case /etc/passwd will not be what it was once the exploit is run (more garbage will be added both above and below the entries).
The following exploit PoCs are looking at this right now.
GitHub - stong/CVE-2021-3156: PoC for CVE-2021-3156 (sudo heap overflow)
exploits/CVE-2021-3156 at master · r4j0x00/exploits · GitHub
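To spot the kind of damage described above after the fact, here is an added example (my own code, not from the newsletter or any of the linked PoCs) that audits a passwd-format file for the three symptoms: lines that are not valid seven-field entries, duplicated user names from an appended copy, and extra UID 0 accounts. It assumes POSIX sh and awk and takes the file path as its argument; the sample file it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Audits a passwd-format file for the traces an /etc/passwd-overwrite exploit
# leaves behind. Assumptions: POSIX sh and awk; the file path is given as $1.

# audit_passwd FILE
#   Prints one line per finding and returns 1 if anything was found, else 0.
audit_passwd() {
  awk -F: '
    # A well-formed entry has exactly 7 fields, a non-empty user name and
    # numeric uid/gid; anything else is the "garbage above and below".
    NF != 7 || $1 == "" || $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ {
      printf "MALFORMED line %d: %s\n", NR, $0; bad++; next
    }
    # An appended copy of the old file shows up as repeated user names.
    $1 in seen {
      printf "DUPLICATE user %s at line %d\n", $1, NR; bad++; next
    }
    { seen[$1] = 1 }
    # Any UID 0 account other than root is a planted superuser.
    $3 == 0 && $1 != "root" {
      printf "EXTRA UID 0 ACCOUNT line %d: %s\n", NR, $1; bad++
    }
    END { exit (bad > 0) }
  ' "$1"
}

# make_sample_passwd: writes a constructed passwd file showing all three
# symptoms (garbage line, planted "toor" UID 0 account, duplicated root entry)
# and prints its path. The hash field is a placeholder, not a real hash.
make_sample_passwd() {
  f=$(mktemp)
  printf '%s\n' \
    'root:x:0:0:root:/root:/bin/bash' \
    'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin' \
    'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' \
    'toor:HASH_PLACEHOLDER:0:0::/root:/bin/sh' \
    'root:x:0:0:root:/root:/bin/bash' > "$f"
  echo "$f"
}

# Usage on a live system: audit_passwd /etc/passwd
```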
While all this was going on, some other interesting things people found while looking around this bug are listed below:
One other aspect to mention: if you're not using a #grsecurity kernel (with GRKERNSEC_LINK enabled), make sure the kernel version you're using has /proc/sys/fs/protected_hardlinks = 1. Without that, if /usr/bin is on the same filesystem as a location unpriv users can write to...
sudoedit symlink fix for CVE-2021-23240 introduced new vulnerability – Rich Mirch
oss-sec: sudo: Ineffective NO_ROOT_MAILER and Baron Samedit
Sudo Heap Overflow CVE-2021-3156 | A Pentesting Company | Fluid Attacks
Hacker Fantastic 📡
CVE-2021-3156 also impacts @apple MacOS Big Sur (unpatched at present), you can enable exploitation of the issue by symlinking sudo to sudoedit and then triggering the heap overflow to escalate one's privileges to 1337 uid=0. Fun for @p0sixninja
That brings me to the end of the sudo saga. The week was very much focused on the sudo bug and this first newsletter is already way too long, so I will try to keep things short and add more topics in the next newsletter.
Please do subscribe if you found the information useful, and see you next Monday.