2021 Sudo Vulnerability In Action, Baron Samedit, CVE-2021-3156
This is a huge sudo vulnerability: it affects sudo versions released over the past ten years, 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1. The last big sudo vulnerability was a stack-based buffer overflow; Baron Samedit is a heap-based buffer overflow.
Qualys published a blog post detailing the vulnerability; it walks through the affected source code and explains the bug step by step.
On an unpatched system the following command, run as an unprivileged user, crashes sudoedit with a heap error:
$ sudoedit -s '\' $(python3 -c 'print("A"*1000)')
malloc(): invalid size (unsorted)
Aborted
After an update that patched the sudo vulnerability, the same command now just displays the usage instructions:
$ sudoedit -s '\' $(python3 -c 'print("A"*1000)')
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-T timeout] [-u user] file ...
This builds an executable named
This binary supports a multitude of target systems, listed by running the program with no parameters:
The target for the current THM room is an Ubuntu 18.04.5 server, so target 0 is used.
Just run the program, and it spawns a shell in the context of root! So simple and easy, it’s shockingly scary.
Remediation: Patches have been released that fix this issue, so please update your systems and use the PoC command in the Background Info section above to check if your system is currently vulnerable.
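The two checks the post relies on, the vulnerable version ranges and the sudoedit probe whose output is shown above, are easy to automate for a fleet triage. The script below is an added example written for this page, not code from the post, Qualys or the sudo project. It parses the version string from `sudo --version`, tests it against the ranges the post lists, and classifies the probe's output using the two transcripts above (the sample strings are constructed from them). One caveat worth building in: distributions backport the fix without bumping the upstream version number (Ubuntu's patched package still reports 1.8.31), so the version check is only a hint and the probe remains the authoritative answer.

```python
"""Triage helpers for CVE-2021-3156 (Baron Samedit).

Added example for this page; not the post's, Qualys's or sudo's own code.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Inclusive vulnerable ranges from the post, as (major, minor, patch, p-level).
VULNERABLE_RANGES = (
    ((1, 8, 2, 0), (1, 8, 31, 2)),   # 1.8.2 .. 1.8.31p2
    ((1, 9, 0, 0), (1, 9, 5, 1)),    # 1.9.0 .. 1.9.5p1
)

# Constructed sample outputs, copied from the two transcripts in the post.
SAMPLE_VULNERABLE = "malloc(): invalid size (unsorted)\nAborted\n"
SAMPLE_PATCHED = ("usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] "
                  "[-h host] [-p prompt] [-T timeout] [-u user] file ...\n")

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract the upstream sudo version from `sudo --version` output
    (e.g. 'Sudo version 1.8.31') or a bare string such as '1.9.5p2'.
    A missing pN suffix is treated as p0 so tuples compare correctly."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def version_in_vulnerable_range(version: str) -> bool:
    """True if the upstream version falls inside one of the ranges above.
    Only a hint: distro packages may carry a backported fix under the
    same upstream number, so confirm with the probe."""
    v = parse_sudo_version(version)
    if v is None:
        return False
    return any(lo <= v <= hi for lo, hi in VULNERABLE_RANGES)


def classify_probe_output(output: str) -> str:
    """Map the combined stdout/stderr of the sudoedit probe to a verdict.

    Unpatched sudo overflows the heap and glibc aborts with a malloc()
    error; patched sudo rejects the arguments and prints its usage line."""
    if "malloc()" in output or "Aborted" in output:
        return "vulnerable"
    if output.lstrip().startswith("usage:"):
        return "patched"
    return "inconclusive"


def run_local_probe() -> str:
    """Run the post's probe on this host and classify the result.

    Returns 'sudo-not-found' when sudoedit is absent, so it is safe to
    call anywhere. stdin is detached so sudo can never block on a prompt."""
    if shutil.which("sudoedit") is None:
        return "sudo-not-found"
    proc = subprocess.run(
        ["sudoedit", "-s", "\\", "A" * 1000],   # same arguments as the post
        stdin=subprocess.DEVNULL, capture_output=True, text=True, timeout=10,
    )
    return classify_probe_output(proc.stderr + proc.stdout)


if __name__ == "__main__":
    if shutil.which("sudo"):
        ver = subprocess.run(["sudo", "--version"], capture_output=True,
                             text=True).stdout
        print("version hint:",
              "in vulnerable range" if version_in_vulnerable_range(ver)
              else "outside vulnerable range")
    print("probe verdict:", run_local_probe())
```

Run it as an ordinary user on the host you want to triage; a verdict of `patched` from the probe overrides an "in vulnerable range" version hint, which is exactly the backport case.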