POC details: 7232fd9bd836a0a81ae60dad2975d72e3dae1607

Source
Associated vulnerability
Title: Sudo buffer error vulnerability (CVE-2021-3156)
Description: Sudo is a program for Unix-like systems that lets users run commands with special privileges in a secure way. Versions of Sudo before 1.9.5p2 contain a buffer error vulnerability; an attacker can escalate to root by using sudoedit -s together with a command-line argument that ends in a single backslash character.
Description
Visualization, Fuzzing, Exploit and Patch of Baron Samedit Vulnerability
Introduction
<div id="top"></div>
<!-- PROJECT LOGO -->
<br />
<div align="center">
  <a href="https://github.com/FrancescoMarchiori/CVE-2021-3156">
    <img src="https://i.postimg.cc/tRMqcJmw/sudo-logo.png" alt="Logo" width="150" height="150">
  </a>

  <h1 align="center">CVE-2021-3156</h1>

  <p align="center">
    Visualization, Fuzzing, Exploit and Patch of Baron Samedit Vulnerability
    <br />
    <a href="https://github.com/FrancescoMarchiori/CVE-2021-3156/blob/main/Report.pdf"><strong>See report »</strong></a>
    <br />
    <br />
    <a href="https://github.com/FrancescoMarchiori">Francesco Marchiori</a>
    ·
    <a>Alessandro Lotto</a>
  </p>
</div>

<!-- TABLE OF CONTENTS -->
<details>
  <summary>Table of Contents</summary>
  <ol>
    <li>
      <a href="#introduction">Abstract</a>
    </li>
    <li>
      <a href="#visualization">Visualization</a>
    </li>
    <li>
      <a href="#fuzzing">Fuzzing</a>
    </li>
    <li>
      <a href="#exploit">Exploit</a>
    </li>
    <li>
      <a href="#patch">Patch</a>
    </li>
  </ol>
</details>


<div id="introduction"></div>

## 🧩 Abstract

Any Unix-based operating system ships the sudo command, which grants temporary root privileges to those users who are expected to have them. Sudo therefore provides a critical function that, if abused, can compromise the security and reliability of the whole system. Because of its importance within the operating system, sudo's source code is subject to frequent testing and code review. These led to the discovery of a heap-based overflow vulnerability, CVE-2021-3156, that had surprisingly remained hidden for almost 10 years. Not even fuzzing, one of the most widely used techniques for bug and vulnerability discovery, had spotted it before. In this paper we analyze CVE-2021-3156 in detail, from the buffer overflow itself to how it can be exploited to gain a root shell, even as a non-privileged user who is not allowed to use the sudo command.

<div id="visualization"></div>

## 🖼️ Visualization

In the [`Visualization`](https://github.com/FrancescoMarchiori/CVE-2021-3156/tree/main/Visualization) directory there are a couple of scripts that we used to visualize how arguments are parsed with and without backslash characters, and to analyze how environment variables affect the heap layout, in order to better understand the structure of the proposed exploit.

<div id="fuzzing"></div>

## 🔍 Fuzzing

In the [`Fuzzing`](https://github.com/FrancescoMarchiori/CVE-2021-3156/tree/main/Fuzzing) directory there are the files needed to fuzz the vulnerable version of sudo. It also documents how to get fuzzing to work and how to solve the problems that prevent [AFL](https://github.com/google/AFL) from working out of the box, which explains how the vulnerability stayed hidden for almost 10 years.

<div id="exploit"></div>

## ⚔️ Exploit

In the [`Exploit`](https://github.com/FrancescoMarchiori/CVE-2021-3156/tree/main/Exploit) directory there are the files needed to perform the attack on another vulnerable version of sudo. We use memory population through environment variables to perform heap feng shui and overwrite the name of the `service_user` object, in order to execute our own code instead of loading a library.

<div id="patch"></div>

## 🛡️ Patch

In the [`Patch`](https://github.com/FrancescoMarchiori/CVE-2021-3156/tree/main/Patch) directory there is an [`overflow_simulation_patch.c`](https://github.com/FrancescoMarchiori/CVE-2021-3156/blob/main/Patch/overflow_simulation_patch.c) script that simulates the behaviour of the overflow and patches it with additional code that we wrote. Since the developers of the Sudo project chose to fix the flow that leads to the vulnerability rather than the vulnerable code itself, we show a different approach and how it can be fixed with just a few lines of code.
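The argument-copy defect that the Visualization scripts plot and that `overflow_simulation_patch.c` patches, as an added illustration written for this page (not the repository's own code): a vulnerable and a bounds-checked version of the backslash-stripping loop, modelled on sudoers' `set_cmnd()`, run over a constructed two-string buffer so the over-read stays inside the demo's own memory. The `dstsz` guard, the `ARGS` layout and the three wrapper functions are this demo's assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable form of the set_cmnd() copy loop: when the argument ends in a
 * lone backslash, src[1] is the terminating NUL, which is not a space, so
 * src++ steps onto the NUL, copies it, and the loop runs on into whatever
 * follows in memory. The n < dstsz guard is added here only so this demo
 * cannot overflow its own output buffer; the original has no such bound. */
static size_t strip_escapes_vuln(const char *src, char *dst, size_t dstsz)
{
    size_t n = 0;
    for (; *src != '\0' && n < dstsz; src++) {
        if (*src == '\\' && !isspace((unsigned char)src[1]))
            src++;
        dst[n++] = *src;
    }
    return n;
}

/* Fixed form: never step past the terminator. A trailing backslash is
 * copied literally and the loop stops at the NUL as intended. */
static size_t strip_escapes_fixed(const char *src, char *dst, size_t dstsz)
{
    size_t n = 0;
    for (; *src != '\0' && n < dstsz; src++) {
        if (*src == '\\' && src[1] != '\0' && !isspace((unsigned char)src[1]))
            src++;
        dst[n++] = *src;
    }
    return n;
}

/* Constructed argv-like layout: the argument "a\" followed directly in
 * memory by a second string "bb", as adjacent argv strings usually are. */
static const char ARGS[] = { 'a', '\\', '\0', 'b', 'b', '\0' };

/* Bytes reserved for the argument by the strlen + 1 sizing the copy relies on. */
size_t arg_budget(void) { return strlen(ARGS) + 1; }
size_t vuln_bytes(void)  { char out[32]; return strip_escapes_vuln(ARGS, out, sizeof out); }
size_t fixed_bytes(void) { char out[32]; return strip_escapes_fixed(ARGS, out, sizeof out); }

int main(void)
{
    printf("budget=%zu vulnerable=%zu fixed=%zu\n",
           arg_budget(), vuln_bytes(), fixed_bytes());
    return 0;
}
```

The vulnerable loop emits 4 bytes for an argument budgeted at 3, i.e. it has already walked into the neighbouring string; the fixed loop emits 2 and stays within the budget.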

<p align="right"><a href="#top">(back to top)</a></p>
File snapshot

```
[4.0K] /data/pocs/7232fd9bd836a0a81ae60dad2975d72e3dae1607
├── [4.0K] Exploit
│   ├── [186K] exec.gif
│   ├── [1.1K] exploit.c
│   ├── [ 134] exploit.sh
│   ├── [4.0K] libnss_XXX
│   │   └── [ 464] XXX.c
│   ├── [ 140] Makefile
│   └── [1.1K] README.md
├── [4.0K] Fuzzing
│   ├── [2.2K] argv-fuzz-inl.h
│   ├── [ 786] Dockerfile
│   ├── [ 371] Makefile
│   ├── [5.2K] README.md
│   ├── [3.2M] sudo-1.8.31p2.tar.gz
│   └── [ 42K] sudo.c
├── [4.0K] Patch
│   ├── [1.2K] overflow_simulation_patch_2.c
│   ├── [1.3K] overflow_simulation_patch.c
│   └── [1.8K] README.md
├── [3.9K] README.md
├── [4.8M] Report.pdf
├── [ 64M] Slides.pdf
└── [4.0K] Visualization
    ├── [ 808] envp_simulation.c
    ├── [1.1K] overflow_simulation.c
    ├── [4.0K] Pics
    │   ├── [ 82K] envp_simulation.png
    │   └── [202K] overflow_simulation.png
    └── [ 968] README.md

6 directories, 23 files
```