cve-2021-3156's Issues
CentOS 6.10 version is not adapted
Hi
Could you give the method for the CentOS 6.10 target? The latest sudo version is 1.8.6p3-29.el6 on CentOS 6.
Hope for your reply! Thank you very much!
Suggestion on your new CVE-2021-3156 OS format
Hey,
First of all thx for your hard work! :D
I wonder if you could add an option ./sudo-hax-me-a-sandwich -b to bruteforce specific ranges from:
.smash_len_a = 56,
.smash_len_b = 54,
.null_stomp_len = 63,
.lc_all_len = 212
This way it becomes easier to find different offsets for different OS/lib versions.
Afterwards you could ask the user to send the details to this GitHub page with OS and lib information to give it more stability.
Exploited successfully on Ubuntu 18.04, libc 2.27, sudo 1.8.21p2
Exploited successfully on Ubuntu 18.04, libc 2.27, sudo 1.8.21p2, thx!
Brute script without GNU Parallel
I'm attempting to get this exploit working on MacOS Catalina, but I'm running into the issue of not having GNU Parallel. I was wondering what changes I could make to the brute.sh script, or if there's known values for MacOS Catalina already
[request] SUSE Linux 12 or 15
Hi
Is there any way you can make this work for SUSE?
Thanks
Doesn't work on mac...
I tried different parameters, doesn't help
Debian 9 stretch
Hi, testing in my lab with a Debian 9 stretch, the bruteforce doesn't seem to work correctly.
Sudo version 1.8.19p1
Sudoers policy plugin version 1.8.19p1
Sudoers file grammar version 45
Sudoers I/O plugin version 1.8.19p1
libc version 2.24-11+deb9u4
Tried with "brute.sh 90 120 50 70 150 300" and also other ranges, without success.
Is anybody able to make this work for Debian 9?
Thanks a lot.
more targets
Do you mind sharing your approach to finding the target? Or let me know how you set the env with all the multiple backslashes before calling sudoedit? I understand the exploit, but I don't know how to set the env for multiple \ (I mean from C yes, but for manual gdb invocation not really). Thank you.
Move from tcache to fastbins abuse
Regarding the heap grooming, is there any chance to move from tcache to fastbins abuse?
Unfortunately too many OSes are equipped with glibc < 2.26... so we won't be able to leverage this exploit on them.
Thanks in advance and congrats for this amazing exploit!
Ubuntu 16.04 GLIBC 2.23
Hello blasty
I'm trying to make the PoC work on Ubuntu 16.04 but..
First of all, the nss_load_library technique doesn't work -> it turns out sudoedit never tried to load any systemd.so libraries,
so this made the code unusable and I'm now trying to make it work by the process_getenv method.
All of the techniques used to exploit the heap overflow relied on the fact that tcache was enabled, and this made early heap allocation very easy to occur; I think this is because the tcache bin range is too wide, 0x20-0x408.
Before glibc 2.31, tcache wasn't implemented yet.... so the heap allocation became a problem (correct me if I'm wrong) as I couldn't allocate any chunk before the (sudo_hook_entry* struct).
Do you have any idea how to make an early allocation with fastbins? I tried to make the LC env values small enough to fit into fastbins... but every time I break at the set_cmnd code that reads the args, I never see any free fast bin before the target struct...
Also, I wanted to say that using pwndbg there are no free chunks containing my LC values at all;
on the contrary, on Ubuntu 20.04 using your exploit I saw free chunks containing the LC environments.
PS: I used the fuzzer edited by you in the lockedbyte repo, but I know it relies on RIP to search for exploits; there were no heap free chunks before the struct address in the first place... and the sanity checks of free/malloc are in the way too.
If we manage to make the PoC work with Ubuntu glibc version <2.31, I think all distros with old versions will be easy to exploit too.
I just want the approach and I will gladly put time into trying it (or them).
Thanks for your time.
Exploit fails on Debian cloud image
Hi,
Thanks for this really convenient exploit. I was able to get it working on my Debian 10 and Ubuntu 20.04 machines.
However, I noticed it failed on one of my Debian Cloud (OpenStack) virtual machines. The VM in question is running the linux-image-4.19.0-13-cloud-amd64 kernel, which is used by many cloud providers.
When I execute sudo-hax-me-a-sandwich 1 on this system, it prompts for a password, even though the user account has no sudo access and was created using --disabled-password (it has no password associated with it):
usernopass@debian10-2:~/CVE-2021-3156$ uname -a
Linux debian10-2 4.19.0-13-cloud-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64 GNU/Linux
usernopass@debian10-2:~/CVE-2021-3156$ apt policy sudo
sudo:
Installed: 1.8.27-1+deb10u2
Candidate: 1.8.27-1+deb10u3
Version table:
1.8.27-1+deb10u3 500
500 http://security.debian.org/debian-security buster/updates/main amd64 Packages
*** 1.8.27-1+deb10u2 500
500 http://deb.debian.org/debian buster/main amd64 Packages
100 /var/lib/dpkg/status
usernopass@debian10-2:~/CVE-2021-3156$ ./sudo-hax-me-a-sandwich 1
** CVE-2021-3156 PoC by blasty <[email protected]>
using target: 'Debian 10.0 (Buster) - sudo 1.8.27, libc-2.28'
** pray for your rootshell.. **
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for usernopass:
Sorry, try again.
[sudo] password for usernopass:
sudoedit: 1 incorrect password attempt
Running the exploit from a user that does have a password also causes the prompt. When I enter the password, the message "userwithpass is not in the sudoers file. This incident will be reported." is returned. And I made sure the installed version of sudo is vulnerable; sudoedit -s '\' $(perl -e 'print "A" x 65536') causes a crash.
PoC not working on a vulnerable Debian 10
I'm trying to make the PoC work on a Debian 10 machine. The sudo version is the vulnerable one, as you can see on the screenshot below. But when running the PoC, it doesn't work and asks me for my password to use sudo, just as if it was not vulnerable. Any idea how this could happen? I don't understand why the PoC doesn't work while the try with a bunch of A's and the backslash works fine.
Not working on my focal
Hello,
Tested on my fresh install of focal.
user@ubuntu20:~/TEST/CVE-2021-3156$ ldd --version
ldd (Ubuntu GLIBC 2.31-0ubuntu9) 2.31
Copyright (C) 2020 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
user@ubuntu20:~/TEST/CVE-2021-3156$ uname -a
Linux ubuntu20 5.8.0-41-generic #46~20.04.1-Ubuntu SMP Mon Jan 18 17:52:23 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
user@ubuntu20:~/TEST/CVE-2021-3156$ ls
hax.c lib.c libnss_X Makefile README.md sudo-hax-me-a-sandwich
user@ubuntu20:~/TEST/CVE-2021-3156$ ./sudo-hax-me-a-sandwich 0
** CVE-2021-3156 PoC by blasty [email protected]
using target: 'Ubuntu 20.04.1 (Focal Fossa) - sudo 1.8.31, libc-2.31'
** pray for your rootshell.. **
free(): invalid pointer
Aborted (core dumped)
user@ubuntu20:~/TEST/CVE-2021-3156$ cat /etc/issue
Ubuntu 20.04.1 LTS \n \l
user@ubuntu20:~/TEST/CVE-2021-3156$ /usr/bin/sudo --version
Sudo version 1.8.31
Sudoers policy plugin version 1.8.31
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.31
I've tested your fuzz2.py but I'm not able to crash in process_hooks_getenv() or in nss_load_library()...
Only found an interesting crash in set_cmnd()...
writeup explaining alternative technique for older glibc
when I type ./hax.c my machine does not root all servers on the subnet
this exploit is broken plz fix asap
RHEL
RHEL support pls
cat /proc/version
Linux version 2.6.32-696.el6.x86_64 ([email protected]) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-18) (GCC) ) #1 SMP Tue Feb 21 00:53:17 EST 2017
you can get ISO here
https://archive.org/details/rhel-server-6.9-x86_64-dvd
must compile with flag -std=c99
errors:
..snipp..
7f2a8cfe9000-7f2a8d030000 r-xp 00000000 08:03 1053874 /usr/lib64/libssl3.so
7f2a8d030000-7f2a8d230000 ---p 00047000 08:03 1053874 /usr/lib64/libssl3.so
7f2a8d230000-7f2a8d234000 r--p 00047000 08:03 1053874 /usr/lib64/libssl3.so
7f2a8d234000-7f2a8d235000 rw-p 0004b000 08:03 1053874 /usr/lib64/libssl3.so
7f2a8d235000-7f2a8d236000 rw-p 00000000 00:00 0
7f2a8d236000-7f2a8d24f000 r-xp 00000000 08:03 1050994 /usr/lib64/libsasl2.so.2.0.23
7f2a8d24f000-7f2a8d44e000 ---p 00019000 08:03 1050994 /usr/lib64/libsasl2.so.2.0.23
7f2a8d44e000-7f2a8d44f000 r--p 00018000 08:03 1050994 /usr/lib64/libsasl2.so.2.0.23
7f2a8d44f000-7f2a8d450000 rw-p 00019000 08:03 1050994 /usr/lib64/libsasl2.so.2.0.23
7f2a8d450000-7f2a8d466000 r-xp 00000000 08:03 655402 /lib64/libresolv-2.12.so
7f2a8d466000-7f2a8d666000 ---p 00016000 08:03 655402 /lib64/libresolv-2.12.so
7f2a8d666000-7f2a8d667000 r--p 00016000 08:03 655402 /lib64/libresolv-2.12.so
7f2a8d667000-7f2a8d668000 rw-p 00017000 08:03 655402 /lib64/libresolv-2.12.so
7f2a8d668000-7f2a8d66a000 rw-p 00000000 00:00 0
7f2a8d66a000-7f2a8d678000 r-xp 00000000 08:03 655585 /lib64/liblber-2.4.so.2.10.3
7f2a8d678000-7f2a8d877000 ---p 0000e000 08:03 655585 /lib64/liblber-2.4.so.2.10.3
7f2a8d877000-7f2a8d878000 r--p 0000d000 08:03 655585 /lib64/liblber-2.4.so.2.10.3
7f2a8d878000-7f2a8d879000 rw-p 0000e000 08:03 655585 /lib64/liblber-2.4.so.2.10.3
Aborted
thx
Ubuntu 12.04
Is there any schedule to release for older versions of Ubuntu?
CentOS is safe even if sudo is vulnerable
I tried the exploit on several different old CentOS versions. Sudo is vulnerable. The exploit fails.
CentOS release 6.10 Linux version 2.6.32-696
Sudo version 1.8.6p3
Sudoers policy plugin version 1.8.6p3
Sudoers file grammar version 42
Sudoers I/O plugin version 1.8.6p3
ldd (GNU libc) 2.12
sudoedit -s /
sudoedit: /: not a regular file
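Several posts in this thread paste a `sudo --version` banner and the `sudoedit -s /` response and then ask whether a host is affected. The following triage helper is an added example, not code from blasty's repository or from any of the posters: it parses the banner, checks the upstream version against the ranges the sudo advisory lists as affected for CVE-2021-3156 (1.8.2 through 1.8.31p2, and 1.9.0 through 1.9.5p1, fixed in 1.9.5p2), and classifies the `sudoedit -s /` output using the advisory's documented test (an unpatched build answers with a `sudoedit:` error such as the `not a regular file` line above; a patched build prints a `usage:` message). The sample banners are the ones quoted in this thread; the `usage:` line is a constructed sample. Distribution packages like the CentOS 6 build above carry backported fixes under an unchanged upstream version number, so the code treats the version range as a hint and the behavioural test as the authoritative verdict.

```python
import re
from typing import Optional, Tuple, Dict, Any

# Affected upstream ranges from the sudo advisory for CVE-2021-3156 ("Baron Samedit"):
# legacy 1.8.2 .. 1.8.31p2 and stable 1.9.0 .. 1.9.5p1. 1.9.5p2 is the fixed release.
# Versions are compared as (major, minor, patch, p-level) tuples.
VULNERABLE_RANGES = (
    ((1, 8, 2, 0), (1, 8, 31, 2)),
    ((1, 9, 0, 0), (1, 9, 5, 1)),
)

VERSION_RE = re.compile(r"Sudo version\s+(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")

# Sample banners as quoted in this thread (Ubuntu 20.04 focal and CentOS 6.10 posts).
FOCAL_BANNER = """Sudo version 1.8.31
Sudoers policy plugin version 1.8.31
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.31
"""
CENTOS6_BANNER = """Sudo version 1.8.6p3
Sudoers policy plugin version 1.8.6p3
Sudoers file grammar version 42
Sudoers I/O plugin version 1.8.6p3
"""
# `sudoedit -s /` responses: the first is quoted in the CentOS post above,
# the second is a constructed sample of what a patched build prints.
UNPATCHED_SUDOEDIT_OUTPUT = "sudoedit: /: not a regular file"
PATCHED_SUDOEDIT_OUTPUT = "usage: sudoedit [options] file ..."  # constructed sample


def parse_sudo_version(banner: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract (major, minor, patch, p-level) from `sudo --version` output.

    A missing 'pN' suffix is treated as p0 so that 1.8.31 sorts below 1.8.31p1.
    Returns None when no 'Sudo version' line is present.
    """
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def upstream_version_affected(version: Tuple[int, int, int, int]) -> bool:
    """True when the upstream version number falls in an advisory-listed range."""
    return any(lo <= version <= hi for lo, hi in VULNERABLE_RANGES)


def classify_sudoedit_test(output: str) -> str:
    """Classify the first line `sudoedit -s /` printed, per the advisory's test:
    a line starting with 'sudoedit:' means unpatched, 'usage:' means patched."""
    lines = output.strip().splitlines()
    first = lines[0] if lines else ""
    if first.startswith("sudoedit:"):
        return "vulnerable"
    if first.startswith("usage:"):
        return "patched"
    return "unknown"


def triage(banner: str, sudoedit_output: Optional[str] = None) -> Dict[str, Any]:
    """Combine the version hint and the behavioural test into one verdict.

    The behavioural test wins whenever it is conclusive, because distribution
    packages (e.g. 1.8.6p3-29.el6 on CentOS 6) backport fixes without bumping
    the upstream version number.
    """
    version = parse_sudo_version(banner)
    result: Dict[str, Any] = {
        "version": version,
        "upstream_range_affected": None,
        "sudoedit_test": None,
        "verdict": "unknown",
    }
    if version is not None:
        result["upstream_range_affected"] = upstream_version_affected(version)
    if sudoedit_output is not None:
        result["sudoedit_test"] = classify_sudoedit_test(sudoedit_output)

    if result["sudoedit_test"] in ("vulnerable", "patched"):
        result["verdict"] = result["sudoedit_test"]
    elif result["upstream_range_affected"] is True:
        result["verdict"] = "likely vulnerable (confirm with sudoedit -s /)"
    elif result["upstream_range_affected"] is False:
        result["verdict"] = "not affected"
    return result


if __name__ == "__main__":
    print(triage(FOCAL_BANNER))
    print(triage(CENTOS6_BANNER, UNPATCHED_SUDOEDIT_OUTPUT))
    print(triage("Sudo version 1.9.5p2", PATCHED_SUDOEDIT_OUTPUT))
```

Feed it the output of `sudo --version` and, where you can run it, `sudoedit -s /` collected from the host; a version inside the range with a `usage:` response is the backport case, and the verdict correctly reports it as patched.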
Variable question
Easier approach to exploit sudo 1.9.4 and later versions (ineffective NO_ROOT_MAILER bug)
A new approach was identified that should considerably simplify exploitation against sudo versions starting from 1.9.4:
https://seclists.org/oss-sec/2021/q1/88
It might be worth checking it out and implementing it in your exploit.