search

The-Z-Labs / linux-exploit-suggester

Linux privilege escalation auditing tool
GNU General Public License v3.0
5.54k stars 1.09k forks source link

Baron Samedit is displayed for invalid GLIBC versions #87

Closed Reelix closed 3 years ago

Reelix commented 3 years ago

On running in a certain case, CVE-2021-3156 is recommended.

   [+] [CVE-2021-3156] sudo Baron Samedit

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: less probable
   Tags: mint=19,ubuntu=18|20, debian=10
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main```

GLIBC version

ldd --version | grep GLIBC
ldd (Ubuntu GLIBC 2.23-0ubuntu3) 2.23

CVE-2021-3156 requires libc 2.26+ as shown over at https://github.com/worawit/CVE-2021-3156/blob/main/exploit_nss.py#L112

As such, this should never have been recommended.

bcoles commented 3 years ago

CVE-2021-3156 requires libc 2.26+ as shown over at https://github.com/worawit/CVE-2021-3156/blob/main/exploit_nss.py#L112

glibc 2.26+ is required only for the tcache technique.

While blasty's exploit probably won't work with Ubuntu's glibc 2.23-0ubuntu3 this is due to lacking offsets rather than due to the version of glibc.

The situation is a little more complex than simply checking for glibc 2.26+. There are several different exploitation techniques for this vulnerability and many exploits.

worowit's exploit you've linked to uses the tcache technique which requires glibc 2.26+. That is a different exploit to the recommended exploit (by blasty) which uses the userspec overwrite technique and does not require a version of glibc with support for tcache.

worowit also has a userspec variant which does not require tcache:

Similarly, the sudo_baron_samedit Metasploit module for Baron Samedit has been tested and is known to work with various versions of glibc before 2.26 (it wraps worawit's exploits):

It makes sense to have matches for both exploits. linux-exploit-suggester will recommended both blasty's and worawit's exploits:

As such, this should never have been recommended.

It is significantly easier to check only the version of sudo, as version matching is somewhat complicated by distros using their own versioning scheme and back porting. The vulnerability exists within sudo and there is some leeway in the glibc version. Sometimes the offsets remain the same between versions or require only minimal adjustment to get working. For example, the offsets for Ubuntu 18.04.5 (Bionic Beaver) - sudo 1.8.21, libc-2.27 and Ubuntu 20.04.1 (Focal Fossa) - sudo 1.8.31, libc-2.31 are identical, despite the minor version of sudo having incremented by 10 revisions and the minor version of libc having incremented by 4 revisions). It is significantly more useful to have these exploits recommended than not recommended at all, even with the risk of false positives.

Also, the exploit repositories contain brute-force scripts which can be used to exploit systems for which the version of glibc has not been previously tested/confirmed as usable.

Reelix commented 3 years ago

While blasty's exploit probably won't work with Ubuntu's glibc 2.23-0ubuntu3 this is due to lacking offsets rather than due to the version of glibc.

It is significantly easier to check only the version of sudo, as version matching is somewhat complicated by distros using their own versioning scheme and back porting.

Both are extremely valid points, and that was a very well-written response overall!

As such, this seems to be user error far more than script error, and I shall be marking this as closed!