CVE-2021-3156

Exploitation on Debian 9.5 stretch

Open xhat007 opened this issue 3 years ago • 4 comments

Is exploitation possible on Debian GNU/Linux 9.5 (stretch)?

Sudo version : 1.8.19p1

Kernel : Linux localhost 4.9.0-8-amd64 #1 SMP Debian 4.9.110-3+deb9u6 (2018-10-08) x86_64 GNU/Linux

I tried all the exploits; none of them worked!

Any help would be appreciated!

xhat007 avatar Apr 20 '21 03:04 xhat007

It is possible to exploit this vuln on Debian 9.

exploit_nss_d9.py is for Debian 9 with default configuration. exploit_userspec.py is for many targets but needs bruteforcing.

worawit avatar Apr 25 '21 13:04 worawit

I have the following output when running (exploit_nss_d9.py) :

xhat@debian:~/Desktop$ python exploit_nss_d9.py
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-u user] file ...

and when running (exploit_userspec.py) :

xhat@debian:~/Desktop$ python exploit_userspec.py

curr size: 0x1600
exit code: 256
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-u user] file ...

curr size: 0x1b00
exit code: 256
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-u user] file ...

curr size: 0x1d80
exit code: 256
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-u user] file ...

curr size: 0x1ec0
exit code: 256
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-u user] file ...

curr size: 0x1f60
exit code: 256
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-u user] file ...

curr size: 0x1fb0
exit code: 256
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-u user] file ...

curr size: 0x1fd0
exit code: 256
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-u user] file ...

curr size: 0x1fe0
exit code: 256
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-u user] file ...

curr size: 0x1ff0
exit code: 256
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-u user] file ...

has 2 holes. very big one is bad

curr size: 0xc00
exit code: 256
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-u user] file ...

curr size: 0x1000
exit code: 256
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-u user] file ...

curr size: 0x1400
exit code: 256
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-u user] file ...

curr size: 0x1800
exit code: 256
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-u user] file ...

curr size: 0x1c00
exit code: 256
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-u user] file ...

Traceback (most recent call last):
  File "exploit_userspec.py", line 736, in <module>
    main()
  File "exploit_userspec.py", line 652, in main
    cmnd_size = find_cmnd_size()
  File "exploit_userspec.py", line 173, in find_cmnd_size
    assert found, "Cannot find cmnd size"
AssertionError: Cannot find cmnd size

Thanks.

xhat007 avatar Apr 26 '21 18:04 xhat007

exploit_nss_d9.py is likely to fail if any related configuration is not the same as mine. When the exploit fails, a "segmentation fault" is very likely. But yours has no error.

exploit_userspec.py might fail, but normally not at this step.

So I suspect the sudo is patched. Did you check if sudo is vulnerable before running the exploit?

worawit avatar May 01 '21 18:05 worawit

Hi, @worawit

You are right, the sudo version package comes patched on this Linux distro. Sorry, my bad, I didn't check before running the exploit.

$ uname -a
Linux localhost 4.9.0-8-amd64 #1 SMP Debian 4.9.110-3+deb9u6 (2018-10-08) x86_64 GNU/Linux

$ cat /etc/*-release
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

$ sudo --version
Sudo version 1.8.19p1
Sudoers policy plugin version 1.8.19p1
Sudoers file grammar version 45
Sudoers I/O plugin version 1.8.19p1

$ sudoedit -s '12345678901234567890'
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-u user] file ...

./thanks

xhat007 avatar May 01 '21 20:05 xhat007
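
The thread shows why the `sudo --version` string is not enough to decide patch status: the distribution backported the fix without changing 1.8.19p1, and only the behaviour of `sudoedit -s` revealed it. The script below is an added example (not code from this repository or from the participants) that classifies that behaviour for patch verification. The function names and the `--check` switch are hypothetical, and the default argument `/` is the one used in the public Qualys advisory check rather than the string used in the thread.

```shell
#!/bin/sh
# Added example: patch-status check for CVE-2021-3156 based on how
# sudoedit reacts to -s. Function names are hypothetical.

# classify_sudoedit_output TEXT -> prints patched | vulnerable | unknown
classify_sudoedit_output() {
    # Only the first line of the diagnostic is needed for the verdict.
    first_line=$(printf '%s\n' "$1" | sed -n '1p')
    case "$first_line" in
        usage:*)    echo patched ;;     # parser rejects -s in sudoedit mode
        sudoedit:*) echo vulnerable ;;  # -s was accepted, error came later
        *)          echo unknown ;;     # e.g. a password prompt: inspect by hand
    esac
}

# check_sudoedit [ARG] -> runs the check on this host and prints the verdict.
check_sudoedit() {
    target=${1:-/}
    command -v sudoedit >/dev/null 2>&1 || { echo unknown; return 0; }
    # LC_ALL=C keeps the diagnostics untranslated so the prefixes match.
    out=$(LC_ALL=C sudoedit -s "$target" 2>&1 </dev/null) || true
    classify_sudoedit_output "$out"
}

# Demonstration on constructed sample outputs (not captured from a real host),
# so the script shows a result without touching the local sudo.
demo() {
    for sample in \
        'usage: sudoedit [-AknS] [-r role] [-t type] [-C num] file ...' \
        'sudoedit: /: not a regular file' \
        '[sudo] password for user: '
    do
        printf '%-10s <- %s\n' "$(classify_sudoedit_output "$sample")" "$sample"
    done
}

# Run against the local sudo only when asked to with --check.
if [ "${1:-}" = "--check" ]; then
    check_sudoedit "${2:-/}"
else
    demo
fi
```
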