
CVE-2021-3156 PoC: Sudo buffer error vulnerability

Source
Associated Vulnerability
Title: Sudo buffer error vulnerability (CVE-2021-3156)
Description: Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character.
Description
Visualization, Fuzzing, Exploit and Patch of Baron Samedit Vulnerability
Readme
<div id="top"></div>
<!-- PROJECT LOGO -->
<br />
<div align="center">
  <a href="https://github.com/FrancescoMarchiori/CVE-2021-3156">
    <img src="https://i.postimg.cc/tRMqcJmw/sudo-logo.png" alt="Logo" width="150" height="150">
  </a>

  <h1 align="center">CVE-2021-3156</h1>

  <p align="center">
    Visualization, Fuzzing, Exploit and Patch of Baron Samedit Vulnerability
    <br />
    <a href="https://github.com/FrancescoMarchiori/CVE-2021-3156/blob/main/Report.pdf"><strong>See report »</strong></a>
    <br />
    <br />
    <a href="https://github.com/FrancescoMarchiori">Francesco Marchiori</a>
    ·
    <a>Alessandro Lotto</a>
  </p>
</div>

<!-- TABLE OF CONTENTS -->
<details>
  <summary>Table of Contents</summary>
  <ol>
    <li>
      <a href="#introduction">Abstract</a>
    </li>
    <li>
      <a href="#visualization">Visualization</a>
    </li>
    <li>
      <a href="#fuzzing">Fuzzing</a>
    </li>
    <li>
      <a href="#exploit">Exploit</a>
    </li>
    <li>
      <a href="#patch">Patch</a>
    </li>
  </ol>
</details>


<div id="introduction"></div>

## 🧩 Abstract

Any Unix-based operating system ships the sudo command, which grants temporary root privileges to the users who are expected to hold them. Sudo therefore provides a critical function that, if abused, can compromise the security and reliability of the whole system. Because of its importance within the operating system, sudo's source code is subject to frequent testing and code review. These led to the discovery of a heap-based overflow vulnerability, CVE-2021-3156, that had surprisingly remained hidden for almost 10 years. Not even fuzzing, one of the most widely used techniques for bug and vulnerability discovery, had been able to spot it earlier. In this paper we analyze CVE-2021-3156 in detail, from the buffer overflow itself up to how it can be exploited to obtain a root shell as an unprivileged user, or even as a user who is not allowed to run sudo at all.

<div id="visualization"></div>

## 🖼️ Visualization

In the [`Visualization`](https://github.com/FrancescoMarchiori/CVE-2021-3156/tree/main/Visualization) directory there are a couple of scripts that we used to visualize how arguments are parsed with and without backslash characters, and to analyze how environment variables affect the heap layout, in order to better understand the structure of the proposed exploit.

<div id="fuzzing"></div>

## 🔍 Fuzzing

In the [`Fuzzing`](https://github.com/FrancescoMarchiori/CVE-2021-3156/tree/main/Fuzzing) directory there are the files needed to fuzz the vulnerable version of sudo. It also documents how to get fuzzing working and how to solve the problems that prevent [AFL](https://github.com/google/AFL) from working out of the box, which explains how the vulnerability stayed hidden for almost 10 years.

<div id="exploit"></div>

## ⚔️ Exploit

In the [`Exploit`](https://github.com/FrancescoMarchiori/CVE-2021-3156/tree/main/Exploit) directory there are the files needed to perform the attack on another vulnerable version of sudo. We exploit memory population through environment variables to perform heap feng shui and overwrite the name of the `service_user` object, so that our own code is executed instead of the intended library being loaded.

<div id="patch"></div>

## 🛡️ Patch

In the [`Patch`](https://github.com/FrancescoMarchiori/CVE-2021-3156/tree/main/Patch) directory there is an [`overflow_simulation_patch.c`](https://github.com/FrancescoMarchiori/CVE-2021-3156/blob/main/Patch/overflow_simulation_patch.c) script that simulates the behaviour of the overflow and patches it with additional code that we wrote. Since the developers of the Sudo project chose to fix the vulnerable flow rather than the code itself, we show a different approach and how the bug can be fixed with just a few lines of code.

<p align="right"><a href="#top">(back to top)</a></p>
File Snapshot

```
[4.0K] /data/pocs/7232fd9bd836a0a81ae60dad2975d72e3dae1607
├── [4.0K] Exploit
│   ├── [186K] exec.gif
│   ├── [1.1K] exploit.c
│   ├── [ 134] exploit.sh
│   ├── [4.0K] libnss_XXX
│   │   └── [ 464] XXX.c
│   ├── [ 140] Makefile
│   └── [1.1K] README.md
├── [4.0K] Fuzzing
│   ├── [2.2K] argv-fuzz-inl.h
│   ├── [ 786] Dockerfile
│   ├── [ 371] Makefile
│   ├── [5.2K] README.md
│   ├── [3.2M] sudo-1.8.31p2.tar.gz
│   └── [ 42K] sudo.c
├── [4.0K] Patch
│   ├── [1.2K] overflow_simulation_patch_2.c
│   ├── [1.3K] overflow_simulation_patch.c
│   └── [1.8K] README.md
├── [3.9K] README.md
├── [4.8M] Report.pdf
├── [ 64M] Slides.pdf
└── [4.0K] Visualization
    ├── [ 808] envp_simulation.c
    ├── [1.1K] overflow_simulation.c
    ├── [4.0K] Pics
    │   ├── [ 82K] envp_simulation.png
    │   └── [202K] overflow_simulation.png
    └── [ 968] README.md

6 directories, 23 files
```