2021 Sudo Vulnerability In Action, Baron Samedit, CVE-2021-3156

https://tryhackme.com/room/sudovulnssamedit

This is a huge SUDO vulnerability, as it affects sudo versions for the past ten years, from 1.8.2-1.8.31p2 and 1.9.0-1.9.5p1.  The last big sudo vulnerability was a stack-based buffer overflow, but Baron Samedit is a heap-based buffer overflow. 

Qualys published a blog post detailing the vulnerability and walks through the source code, explaining step-by-step here.

To check if your system is vulnerable, the following PoC was obtained from @lockedbytehere:

$ sudoedit -s '\' $(python3 -c 'print("A"*1000)')
malloc(): invalid size (unsorted)
Aborted

After an update and the sudo vulnerability patched, the same command now just displays usage instructions:

$ sudoedit -s '\' $(python3 -c 'print("A"*1000)')
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-T timeout] [-u user] file ...

According to THM, the first working version of this exploit was created by a researcher, @bl4sty, and the source is available on Github.  To compile the program, just use the make command.

This builds an executable named sudo-hax-me-a-sandwich

This binary works on a multitude of systems, displayed by running the program with no parameters:

The target for the current THM room is an Ubuntu 18.04.5 server, so target 0 is used. 

Just run the program, and spawn a shell in the context of root!  So simple and easy, it’s shockingly scary.

Remediation: Patches have been released that fix this issue, so please update your systems and use the PoC script in the Background Info section above to check if your system is currently vulnerable.  

Leave a Reply