<Introduction>
In this TryHackMe room walkthrough post, I am going to be reviewing the "Baron Samedit (CVE-2021-3156)" room. I will provide a general overview of baron samedit. I will discuss what sudo is and what its used for. I’ll also cover briefly baron samedit’s discovery. Additionally, I will review the vulnerability associated with CVE-2021-3156, a heap buffer overflow vulnerability found in the sudo program. Finally, in this blog post, I'll go over how an attacker can exploit sudo to escalate privileges.
If you find this content informative and you are interested in cybersecurity, please like and subscribe to the Cyb3r-0verwatch channel. Also for more free content please regularly check back on www.Cyb3r-S3c.com.
You can also watch the video on my YouTube Channel Cyb3r_0verwatch.
<Overview>
CVE-2021-3156 named baron samedit was originally discovered by the Qualys Research team. The discovery was significant due to the criticality of the heap overflow vulnerability in sudo. The sudo program is extensively used and is present in major Unix-based operating systems. This vulnerability if not patched poses a serious security threat as it allows any unprivileged local user to exploit the default sudo configuration and gain full root privileges on a vulnerable host.
<What is Sudo?>
Sudo, a powerful utility integrated into most Unix-based OS's. Sudo grants users the ability to execute programs with the security privileges of another user. Typically, users initiate a sudo command by entering "sudo" followed by the desired command in the CLI, for instance, "sudo /bin/bash". When a user possesses the necessary permissions to use sudo, their information is usually listed in the sudoers file located at /etc/sudoers. This file serves as a means for administrators to assign system privileges to specific users, thereby allowing administrators to exercise control over user actions.
<Baron Samedit's Discovery>
The Qualys Research team originally discovered the vulnerability on January 13 2021. Similar to previous unix-based vulnerabilities this vulnerability had evaded detection for nearly a decade. During the Qualys Research teams investigation, it was discovered that on July 2011 the vulnerability was originally introduced in commit 8255ed69. This vulnerability affects all legacy Sudo versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1 when default configurations are used.
<Baron Samedit: A Closer Look>
The Qualys Research team meticulously verified the vulnerability and even developed multiple exploit variants, successfully obtaining full root privileges on widely used systems such as Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2). Considering the ubiquity of sudo, it is highly probable that other operating systems and distributions are also susceptible to exploitation.
CVE-2021-3156 is a critical heap-overflow vulnerability found in the sudo binary during the parsing of command line arguments. This particular vulnerability enables an attacker to escalate their privileges to root if successfully exploited. The significance of this vulnerability lies in the fact that it occurs in userland, which means there is no risk of crashing the system during the exploitation process.
When properly exploited, CVE-2021-3156 allows an attacker to bypass the intended restrictions and gain unauthorized access with elevated privileges. By carefully crafting specific command line arguments, an attacker can trigger the heap-based buffer overflow, which can lead to the execution of arbitrary code with root privileges. This essentially grants the attacker complete control over the affected system.
<Into the Weeds>
A generalized explanation of the vulnerability is that when executing a command in Sudo using the 'shell' mode (shell -c command), either through the -s option or the -i option, certain parts of the code are vulnerable to a heap-based buffer overflow. In the Sudo code snippet shown in this video, the parse_args() function in Sudo's main() function is responsible for rewriting argv line 609 to 617 by concatenating all command-line arguments and escaping meta-characters with backslashes. However, there is a slight discrepancy in conditions between the code that escapes meta-characters and the code that later unescapes them This vulnerability arises when a command-line argument ends with a single backslash character as shown in line 590 to 591.
In the set_cmnd() function within sudoers_policy_main(), the command-line arguments are concatenated into the "user_args" buffer line 864 to 871 shown in this video, and the meta-characters are unescaped for sudoers matching and logging purposes. The issue arises when a command-line argument ends with a single backslash character. The unescaping process causes out-of-bounds characters to be copied to the "user_args" buffer, leading to a heap-based buffer overflow. This overflow occurs because the out-of-bounds characters were not included in the size calculation of the "user_args" buffer.
In theory, this vulnerability should not occur because parse_args() function already escapes all meta-characters, including backslashes, when MODE_SHELL or MODE_LOGIN_SHELL is set. However, the conditions surrounding the vulnerable code in set_cmnd() and the escape code in parse_args() differ slightly, allowing this vulnerability to be exploited.
Through their research the Qualys Research team was able to determine that it is not possible to set MODE_SHELL along with either MODE_EDIT or MODE_CHECK to trigger the vulnerable code without triggering the escape code. If MODE_EDIT (-e option) or MODE_CHECK (-l option) are set then parse_args() removes MODE_SHELL from the "valid_flags" and exits with an error if an invalid flag like MODE_SHELL is specified.
The workaround is by executing Sudo as 'sudoedit' instead of 'sudo', parse_args() automatically sets MODE_EDIT without resetting the "valid_flags." By default, the "valid_flags" include MODE_SHELL, allowing the attacker to set both MODE_EDIT and MODE_SHELL (without MODE_RUN), thereby bypassing the escape code, reaching the vulnerable code, and causing a heap-based buffer overflow by providing a command-line argument that ends with a single backslash character.
<Advantages to Exploitation>
Exploiting this buffer overflow is highly advantageous for an attacker due to the following reasons:
1) The attacker controls the size of the "user_args" buffer, which determines the extent of the overflow.
2) The attacker independently controls the size and contents of the overflow itself, taking advantage of the fact that environment variables following the command-line arguments are not included in the size calculation.
3) The attacker can even write null bytes to the overflowed buffer, as any command-line argument or environment variable ending with a single backslash writing a null byte to "user_args".
<Walkthrough>
Lets start the walkthrough…
1. In Task 1 TryHackMe provides instructions on deploying the vulnerable machine.
2. Task 2 provides an overview of the baron samedit vulnerability. From this task THM also provides the steps to exploit this vulnerability.
3. Now that the vulnerable host is up we can begin testing.
I logged into the target host via ssh using the credentials provided by THM.
4. To view the version of the vulnerable hosts OS you can run lsb_release -a as shown in the CLI. It shows that the vulnerable host is ubuntu 18.04 LTS Bionic
5. To verify whether the target host is vulnerable you can run the following proof of concept created by Lockedbyte by entering the following command shown in the CLI “sudoedit -s '\' $(python3 -c 'print("A"*1000)')”. The command attempts to execute the sudoedit command in "script" mode, where the content of the script is set to a string consisting of 1,000 capital "A's". Since the backslash character is not properly escaped it should result in a syntax error.
As you can see the result was an error showing that this host is vulnerable.
If the host is vulnerable you should see the following output:
If the target host is not vulnerable you will see the following output:
6. In order to exploit this vulnerability I will need to download a working exploit. One can be downloaded from the blasty/CVE-2021-3156 github repository.
Once on the github page just click the “copy” icon after clicking the “code” dropdown to copy the git address.
In order to download the exploit I ran the git clone command on kali as shown in the CLI.
7. I navigated to the exploit folder. In order to use the exploit I will need to compile the code. I will run the “make” command from the exploit folder to create the exploit.
8. Now that the exploit is created Ill start my http.server from the exploit folder.
9. With my http server running, from the vulnerable host Ill run wget to download the exploit to the /tmp folder.
10. Now that the exploit is uploaded, I verified using ls -la that the file cant be executed.
11. Since the exploit does not have the execute permissions set I set the exploit to execute using the chmod command as shown in the CLI.
12. I changed the permissions and now I can run the exploit using the following command: “./sudo-hax-me-a-sandwich 0”.
Since earlier I had checked the version of this particular vulnerable host, I selected 0 for Ubuntu 18.04.
13. After running the exploit I was able to get a root shell.
14. Now that I have root shell lets get the root flag.
15. Looking at Task 2 questions the first question asks what executable is created when the exploit is compiled. When running make it created the executable sudo-hax-me-a-sandwich.
16. The second question is what is the flag in flag.txt. Both answers have been entered .
17. The room has been completed.
<CONCLUSION>
In the end I was able to exploit a vulnerability that gave me root privileges.
To mitigate the risk posed by CVE-2021-3156, it is crucial to apply the necessary security patches promptly.
This is an old vulnerability that has a patch addressing this issue, which should be applied as soon as possible to protect systems from potential attacks.
Organizations should also consider implementing strong security practices, such as least privilege and regular monitoring, to enhance their overall defense against similar vulnerabilities in the future.
For developers it's crucial to address this vulnerability by implementing appropriate bounds checking and ensuring consistent conditions for escaping and unescaping meta-characters in the Sudo codebase.
Thank you for reading this walkthrough of the Baron Samedit TryHackMe room. If you find this content informative and you are interested in cybersecurity, please regularly check back on the Cyb3r-S3c website. For more free content, please like and subscribe to the Cyb3r-0verwatch channel. Until next time keep learning, the only way to improve is to keep learning.
/Signing Off
Pragmat1c_0n3
Comments