Cve 2021 3156 (sudo privilege escalation)
CVE-2021-3156, also known as Baron Samedit, is a critical vulnerability in the Sudo utility on Unix-based systems. This flaw allows local users to escalate their privileges to root, even if they do not have the required permissions.
Scoring of the vulnerability:
| CVSS | Description |
|---|---|
| Publish date | January 26th, 2021 |
| NVD article | https://nvd.nist.gov/vuln/detail/CVE-2021-3156 |
| Impact | Local Privilege escalation |
| Severity | Critical |
| Attack Complexity | Low |
| Scoring | 7.8 |
| Other articles | Quals, Worawit |
Explanation:
This heap-based buffer overflow vulnerability allows local users to gain root privileges on Unix-like operating systems, presenting a significant security risk for systems running vulnerable versions of sudo.
what is sudo?
Sudo (Superuser Do) is one of the most critical and commonly used utilities in Unix/Linux systems. It allows users to run programs with the security privileges of another user, typically the superuser (root).
Vulnerability Explaination:
The Baron Samedit vulnerability stems from a heap-based buffer overflow in sudo’s command-line parsing functionality. The buffer overflow occurs due to improper handling of backslashes when processing command arguments, leading to a heap-based buffer overflow that can be exploited to gain root privileges.
Here’s the breakdown in simple terms.
- Vulnerability basics:
- The bug exists in how sudo handles command arguments that end with a backslash.
- It’s specifically triggered when using sudoedit. sudoedit is a command that allows users to edit files with root privileges while maintaining the integrity of the original file
- Why it happened:
- Normally, sudo has safety checks that prevent dangerous characters (Like backslashes) by escaping them.
- But there was a loophole: when using
sudoedit -s, these safety checks are bypassed. - This creates a situation where memory can be overwritten in way it shouldn’t be.
- Wy it’s Dangerous:
- When processing commands, sudo stores arguments in a memory buffer called
user_args - If an argument ends with a backslash, sudo can accidentally:
- Read past where it should stop
- Write data beyond the allocated memory space
- Overwrite important system memory
- When processing commands, sudo stores arguments in a memory buffer called
- Vulnerable Code:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
if (sudo_mode & (MODE_RUN | MODE_EDIT | MODE_CHECK)) { for (size = 0, av = NewArgv + 1; *av; av++) size += strlen(*av) + 1; if (size == 0 || (user_args = malloc(size)) == NULL) { } if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL)) { for (to = user_args, av = NewArgv + 1; (from = *av); av++) { while (*from) { if (from[0] == '\\' && !isspace((unsigned char)from[1])) from++; *to++ = *from++; } *to++ = ' '; } } }
- The Problem:
- The code calculates buffer size based on argument lengths.
- But when processing backslashes, it can read beyond the argument’s end.
- This happens when an argument ends with a single backslash.
Key Vulnerability line:
1
if (from[0] == '\\' && !isspace((unsigned char)from[1]))
Example:
With argument ending in backslash: “test"
a. Initial state:
from points to: “test" to points to: start of user_args buffer
b. Processing:
- Copies “test”
- Reaches the backslash
- Checks if next character is space (it’s actually null terminator)
- Advances past backslash
- Tries to read past null terminator (BUFFER OVERFLOW)
Exploitation:
working on it