Weekly newsletter of Anant Shrivastava - Issue #1

This is my first time writing a news letter so i will keep it brief, hoping to continue this going forward every week. This time around I am focusing on one major area sudo bug discovered by Qualys named “Baron Samedit”.

So last week was spend a lot on the sudo bug and various exploit work that was going on around it. I will try to outline all of those here in one place.

All this started with Qualys Making a public disclosure about CVE-2021-3156.

Sudo released a official statement along with its own set of details

As soon as Details were published the race to create exploits was on at one side and the other side was the scrambling of defenders to patch things.

To detect this attack a simple one liner could be used.

sudoedit -s ‘' `perl -e 'print “A” x 65536’`

If this command results in a segmentation fault or a core dump then you are running a vulnerable version of sudo.

Various vendors issued specific Vendor advisories to cover this bug.

While Distro’s were busy releasing fixes, defenders are worrying about detection and some public info I could find includes.

Now lets look at the exploit development scenario’s. If we dissect the qualys blogpost they are talking about 3 specific attack scenarios that they tested in latest versions Debian 10, Ubuntu 20.04 and Fedora 33.

Various entities are working on developing exploits for these three scenarios but some of them are doing it in public so let me list those here.

This is one of the most complicated exploitation path and hence very few are attempting to go this direction. I have so far found only lockedbyte have attempted and documented this attack. They have also added a fuzzer for finding specific overflow conditions for other OS where tests are not performed.

In this method effectively you are able to rewrite parts of buffer which allows you to load your own arbitrary .so file and invoke commands from it.

This method is very much the cream of the writeup and one which is majorly being focused right now. A detailed writeup about the technique came out via Kamarunionen

And a bucket load of exploits are being written around this. the most versatile being the one from blasty in collaboration with lockedbyte

They ended up publishing the code on github for better visibility and collaboration.

As of now this covers the most variety of exploitation. Ubuntu 18.04, 20.04, as well as Debian 10. Attempts to exploit RHEL and Debian 9 have failed so far, there is an ongoing issue around this and would probably get some updates soon.

Other notable attempts in this technique are listed here.

This is the most ugly scenario in my opinion as in this scenario they have a situation where you can overwrite a specific root owned file with race condition. Exploits so far are simply overwriting /etc/passwd with either replacing entire content to a single hard coded user with a known password or simply creating a copy of the old /etc/passwd appending the new one and then overwriting this full file. In any case /etc/passwd will not be what it is once exploit is run. (more garbage will be added both above and below the entries).

Following exploit PoC’s are looking at this right now.

While all this is going one some other interesting stuff people found while looking around this bug are listed below:

That brings me to the end of the sudo saga. The week was a lot focused on the sudo bug and this first news letter is already way too long so i will try to keep things short and would try to add more things in next news letter.

Please do subscribe if you feel the information was useful and see you next monday.