CVE-2021-3156
CentOS is safe even if sudo is vulnerable
I tried the exploit on several different old CentOS versions. Sudo is vulnerable. The exploit fails.
CentOS release 6.10
Linux version 2.6.32-696
Sudo version 1.8.6p3
Sudoers policy plugin version 1.8.6p3
Sudoers file grammar version 42
Sudoers I/O plugin version 1.8.6p3
ldd (GNU libc) 2.12

sudoedit -s /
sudoedit: /: not a regular file
Same issue on CentOS 7: the exploit fails.
cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)

sudo -V
Sudo version 1.8.23
Sudoers policy plugin version 1.8.23
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.23
sudoedit -s '123456567\'
Will produce the malloc corruption.
*** Error in `sudoedit': malloc(): memory corruption: 0x00005577c2c81e80 ***
Unfortunately, I am still unable to find values that work.
It's not safe; this amazing exploit is tcache-based, and tcache was introduced in glibc 2.26, so you won't be able to leverage this exploit on your CentOS version, which is equipped with glibc 2.12. Migrating the exploitation to fastbins abuse will work...
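
The reply's point, that a failing exploit does not make the host safe, as an added example that is not part of the thread or the exploit repository: it decides whether a host needs the sudo update from the first line of `sudoedit -s /` output and reports tcache presence from `ldd --version` separately. The function names and output labels are made up for this example, and the `usage:` and glibc 2.28 sample lines are constructed.

```shell
#!/bin/sh
# Added example: triage CVE-2021-3156 from captured command output rather
# than from whether one particular exploit happened to succeed.

# $1 = first line printed by `sudoedit -s /`. An error starting with
# "sudoedit:" means the unpatched code path was reached; "usage:" means patched.
classify_sudoedit() {
    case "$1" in
        sudoedit:*) echo vulnerable ;;
        usage:*)    echo patched ;;
        *)          echo unknown ;;
    esac
}

# $1 = first line of `ldd --version`, e.g. "ldd (GNU libc) 2.12".
# Prints yes/no/unknown; tcache exists from glibc 2.26 onward (per the reply).
glibc_has_tcache() {
    ver=${1##* }                       # last word is the version string
    case "$ver" in *.*) ;; *) echo unknown; return ;; esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case "$major.$minor" in
        *[!0-9.]*|.*|*.) echo unknown; return ;;
    esac
    if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 26 ]; }; then
        echo yes
    else
        echo no
    fi
}

# The patch decision depends only on sudo. The tcache field is informational:
# it says whether a tcache-based exploit applies, not whether the bug is there.
triage() {
    state=$(classify_sudoedit "$1")
    tcache=$(glibc_has_tcache "$2")
    case "$state" in
        vulnerable) echo "PATCH-REQUIRED sudo=vulnerable tcache=$tcache" ;;
        patched)    echo "OK sudo=patched tcache=$tcache" ;;
        *)          echo "UNKNOWN sudo=unknown tcache=$tcache" ;;
    esac
}

# First call uses the lines quoted in the thread; the second is constructed.
triage "sudoedit: /: not a regular file" "ldd (GNU libc) 2.12"
triage "usage: sudoedit [-AknS] file ..." "ldd (GNU libc) 2.28"
```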