Centos is safe even if sudo is vulnerable #18

Open
snwoeinogge opened this issue Feb 10, 2021 · 3 comments

@snwoeinogge

I tried the exploit on several different old CentOS systems. Sudo is vulnerable. The exploit fails.

CentOS release 6.10 Linux version 2.6.32-696
Sudo version 1.8.6p3
Sudoers policy plugin version 1.8.6p3
Sudoers file grammar version 42
Sudoers I/O plugin version 1.8.6p3
ldd (GNU libc) 2.12

sudoedit -s /
sudoedit: /: not a regular file

@faik-sevim

Same issue on CentOS 7: the exploit fails.

@Shaun29

Shaun29 commented Feb 17, 2021

cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)

sudo -V
Sudo version 1.8.23
Sudoers policy plugin version 1.8.23
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.23

sudoedit -s '123456567\'
Will produce the malloc corruption.

*** Error in `sudoedit': malloc(): memory corruption: 0x00005577c2c81e80 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x82aa6)[0x7fccac70caa6]
/lib64/libc.so.6(__libc_malloc+0x4c)[0x7fccac70f6fc]
/usr/libexec/sudo/sudoers.so(+0x425a9)[0x7fcca568c5a9]
/usr/libexec/sudo/sudoers.so(+0x4141d)[0x7fcca568b41d]
/usr/libexec/sudo/sudoers.so(+0x1d161)[0x7fcca5667161]
/usr/libexec/sudo/sudoers.so(+0x17bb8)[0x7fcca5661bb8]
/usr/libexec/sudo/sudoers.so(+0x20af4)[0x7fcca566aaf4]
/usr/libexec/sudo/sudoers.so(+0x19634)[0x7fcca5663634]
sudoedit(+0x5341)[0x5577c2932341]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7fccac6ac555]
sudoedit(+0x6cd1)[0x5577c2933cd1]
======= Memory map: ========
5577c292d000-5577c294f000 r-xp 00000000 fd:00 50730901 /usr/bin/sudo
5577c2b4e000-5577c2b4f000 r--p 00021000 fd:00 50730901 /usr/bin/sudo
5577c2b4f000-5577c2b50000 rw-p 00022000 fd:00 50730901 /usr/bin/sudo
5577c2b50000-5577c2b52000 rw-p 00000000 00:00 0
5577c2c6f000-5577c2ca9000 rw-p 00000000 00:00 0 [heap]

Unfortunately, I am still unable to find values that work.

@bl4ckh0l3z

It's not safe; this amazing exploit is tcache based, and tcache was introduced in glibc 2.26, so you won't be able to leverage this exploit on your CentOS version, which is equipped with glibc 2.12. Migrating the exploitation to fastbins abuse will work...
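
A host triage built on the two facts this thread turns on, the `sudoedit -s /` probe output and the glibc version, as an added example that is not part of the issue or the project's code. All function names are hypothetical, and the `usage:` response of patched sudo builds is known behaviour that is not shown in the thread.

```shell
#!/bin/sh
# Added example: triage helpers, not code from the issue or the exploit repo.
# All function names are hypothetical.

# classify_probe OUTPUT: OUTPUT is what `sudoedit -s /` printed (stderr).
classify_probe() {
    case "$1" in
        "sudoedit: "*) echo vulnerable ;;  # argument reached the parser, as in the thread
        "usage: "*)    echo patched ;;     # patched sudo prints usage (not shown in thread)
        *)             echo unknown ;;     # e.g. a password prompt or no sudoedit at all
    esac
}

# glibc_version LINE: LINE is the first line of `ldd --version`,
# e.g. "ldd (GNU libc) 2.12"; the version is its last field.
glibc_version() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $NF }'
}

# glibc_has_tcache VERSION: succeeds if VERSION >= 2.26, where tcache appeared.
glibc_has_tcache() {
    case "$1" in [0-9]*.[0-9]*) ;; *) return 1 ;; esac
    major=${1%%.*}
    minor=${1#*.}
    minor=${minor%%[!0-9]*}
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 26 ]; }
}

# triage PROBE_OUTPUT LDD_LINE: one-line verdict for a host.
triage() {
    state=$(classify_probe "$1")
    ver=$(glibc_version "$2")
    if [ "$state" != vulnerable ]; then
        echo "$state"
    elif glibc_has_tcache "$ver"; then
        echo "vulnerable (glibc $ver has tcache): patch sudo"
    else
        echo "vulnerable (glibc $ver predates tcache; a failing tcache PoC is not a fix): patch sudo"
    fi
}

# Run against the local host only when asked: sh triage.sh --live
if [ "${1:-}" = "--live" ]; then
    triage "$(sudoedit -s / 2>&1)" "$(ldd --version 2>/dev/null | head -n 1)"
fi
```

The verdict depends only on the probe output; the glibc version explains why a given proof of concept may fail on a host that still needs the sudo update.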
