Privilege Escalation (CVE-2021-3156): New sudo vulnerability
Definition
Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.
Access control, or authorization, is the mechanism by which an application decides who can do what or access a particular resource. In practice, broken access control is common, and it is a critical security vulnerability: it can allow an attacker to perform privilege escalation. Privilege escalation itself is a technique for obtaining the privileges of other users or other roles, and it is divided into vertical and horizontal escalation.
When attempting privilege escalation, several things must be considered, among them public bugs, security misconfiguration, default settings or credentials, buffer overflows, and software vulnerabilities.
Example
The following is a simulation of what can happen when an application has broken authentication, specifically the privilege escalation that results from the heap overflow CVE-2021-3156. This vulnerability allows non-privileged users to gain root privileges without any authentication.
The Qualys research team reported that they succeeded in obtaining full root privileges by exploiting the vulnerability on Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2). The vulnerability has existed since July 2011 (all legacy versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1).
The vulnerability arises because sudo does not process escaped characters correctly, causing a malloc error and killing the program. Sudo takes its arguments and saves them into an array. To input a space we use "\". However, if "\" is not followed by another character, sudo misinterprets it, assumes it is an escape character, and continues processing until it overflows. This condition can also be described as the null-terminator case.
In this simulation, I am using Ubuntu 18.04.4. To check whether the machine has this vulnerability, you can execute the following command in the terminal:
sudoedit -s '123123123123\'
or
sudoedit -s /
The machine is vulnerable if it responds with an error starting with: sudoedit: /: not a regular file
or with a segfault.
It is not vulnerable, or already patched, if it responds with an error starting with: usage:
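The two checks above (the installed version against the affected ranges, and the response to sudoedit -s /) can be automated for a fleet inventory. The script below is an added example written for this post, not code from the original article or from the blasty repository; it only classifies version strings and sudoedit responses and does not attempt any exploitation. The sample strings in the comments are constructed, and the affected ranges are the ones the post lists.

```python
import re
import signal
import subprocess

# Affected sudo version ranges as stated in the post:
# legacy 1.8.2 to 1.8.31p2, stable 1.9.0 to 1.9.5p1.
AFFECTED_RANGES = [
    ((1, 8, 2, 0), (1, 8, 31, 2)),
    ((1, 9, 0, 0), (1, 9, 5, 1)),
]


def parse_sudo_version(text):
    """Turn 'sudo -V' output or a bare version string into a comparable tuple.

    '1.8.31p2' -> (1, 8, 31, 2); 'Sudo version 1.9.5' -> (1, 9, 5, 0).
    Returns None when no version number is present.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text)
    if not m:
        return None
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def version_in_affected_range(text):
    """True if the version falls inside one of the published affected ranges.

    Caveat: distributions backport fixes without bumping the upstream version,
    so a hit here is only a hint; the runtime check below is authoritative.
    """
    v = parse_sudo_version(text)
    if v is None:
        return False
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def classify_sudoedit_response(returncode, stderr):
    """Interpret the result of 'sudoedit -s /' the way the post describes.

    'not a regular file' or a segfault means vulnerable; 'usage:' means the
    argument parsing was fixed, i.e. patched. Anything else is 'unknown'.
    """
    text = stderr.strip()
    # subprocess reports death-by-signal as a negative return code on Unix.
    if returncode == -signal.SIGSEGV:
        return "vulnerable"
    if "not a regular file" in text:
        return "vulnerable"
    if text.startswith("usage:"):
        return "patched"
    return "unknown"


def check_local_host():
    """Run both checks on this machine (needs sudo and sudoedit on PATH)."""
    ver = subprocess.run(["sudo", "-V"], capture_output=True, text=True,
                         stdin=subprocess.DEVNULL)
    # stdin is closed so sudoedit can never sit waiting at a password prompt.
    probe = subprocess.run(["sudoedit", "-s", "/"], capture_output=True,
                           text=True, stdin=subprocess.DEVNULL)
    return {
        "version": parse_sudo_version(ver.stdout),
        "version_affected": version_in_affected_range(ver.stdout),
        "runtime_check": classify_sudoedit_response(probe.returncode,
                                                    probe.stderr),
    }


if __name__ == "__main__":
    # Example: {'version': (1, 8, 31, 0), 'version_affected': True,
    #           'runtime_check': 'patched'} on an Ubuntu host with the
    #           backported fix installed.
    print(check_local_host())
```

On a host where the distribution backported the fix, version_affected will be True while runtime_check reports "patched"; trust the runtime check and treat the version hit as a prompt to confirm the package changelog. A result of "unknown" (for example when sudoedit is missing) should be investigated by hand rather than recorded as safe.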
Here I use the privilege escalation script provided by blasty (https://github.com/blasty/CVE-2021-3156). The following is the use of the script to perform privilege escalation.