Source: https://github.com/mbcrump/CVE-2021-3156/blob/main/README.md (mbcrump, latest commit 07e785e, Jan 29, 2021)

# CVE-2021-3156

Note: These instructions are my own and notes from a stream that I did. If anything is wrong, then let me know. Trust official sources first!

Hello everyone,

A couple of days back, a serious heap-based buffer overflow was discovered in sudo that is exploitable by any local user. It has been given the name Baron Samedit by its discoverer. The bug can be leveraged to elevate privileges to root, even if the user is not listed in the sudoers file. User authentication is not required to exploit the bug. It is commonly referred to as CVE-2021-3156.
## See it in action

You can see it in action here; several security researchers have recorded it.

## Sudo versions affected

Sudo versions 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1 are affected.

Keep in mind: this holds unless the patches have been backported, as is the case for Ubuntu 18.04, in which case the fixed package may not need to be 1.9.5p2.

## Are you vulnerable?

USE WITH CAUTION: Open your terminal and run `sudo -V` to check your version number. See the notes above for which versions are affected, and read the note about backports.

## A more reliable way to check

Run the following to detect if you are vulnerable:

```
sudoedit -s /
```

You can also try:

```
sudoedit -s '\' `perl -e 'print "A" x 65536'`
```

bonyt from hackernews pointed out that macOS doesn't have sudoedit, but you can make a symlink to it, as sudo is effectively a multi-call binary:

```
ln -s `which sudo` sudoedit
```

and then call it:

```
./sudoedit
```

Based on the response, it's possible to understand if the host is vulnerable or not:

- Vulnerable: it responds with an error starting with `sudoedit:` (`sudoedit: /: not a regular file`) or it segfaults.
- Not vulnerable or patched: it responds with an error starting with `usage:`.

## Got containers or K8s?

Falco is the CNCF open-source project for runtime threat detection for containers and Kubernetes. You can use a rule to detect and prevent a user attempting it. pawan328 from hackernews pointed out that you can view this blog post for additional details.

## Fix it

The bug has been fixed in sudo 1.9.5p2.

For Linux distros (that might be running on a Pi or another computer), including WSL:

```
sudo apt-get update
sudo apt-get --only-upgrade install sudo
```

## Watch the Video

I have a video discussing this and showing all the methods shown above.

Which covers:

- 00:00 - Introduction
- 01:29 - What's a CVE?
- 02:22 - What's the bug?
- 05:30 - Exploit shown in action
- 13:07 - Sudo versions affected
- 13:48 - WSL Windows Subsystem for Linux
- 15:11 - Detecting if you are vulnerable through sudo (WSL)
- 19:21 - Detecting if you are vulnerable through sudo (Ubuntu)
- 20:53 - Detecting if you are vulnerable through commands
- 24:58 - What to do if you are running K8s or containers
- 27:54 - Examine Sudo versions
- 28:30 - Patching WSL
- 30:17 - Patching Ubuntu
- 32:09 - Where can I get exploit.c?
- 33:59 - Patching Ubuntu (part 2)
- 38:10 - Patching WSL (part 2)
- 46:35 - GitHub search results
- 47:28 - Patching WSL (part 3)

## Conclusion

I stream on Twitch on Wednesdays at Noon PST and on Sat/Sun at 10 AM PST, or you can watch the condensed version by subscribing to my YouTube. Stay connected with me on social platforms for security and software development news.

Twitter | Twitch | Instagram | YouTube | GitHub | Website
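## Checking a host with a script (added example)

The two checks described above, comparing the `sudo -V` version against the affected ranges and classifying the response of `sudoedit -s /`, can be folded into one script. The script below is an added example written for this page; it is not from mbcrump's repository or from the sudo project. It encodes only the ranges (1.8.2 through 1.8.31p2, 1.9.0 through 1.9.5p1) and the responses (`sudoedit: /: not a regular file` or a segfault means vulnerable, `usage:` means patched) listed above, and the function names `version_key`, `version_affected`, `parse_sudo_version` and `classify_sudoedit_output` are this example's own. Without arguments it only defines the functions; with `--live` it runs the same two commands the README tells you to type and prints both verdicts, so the version verdict can be compared against the more reliable `sudoedit` verdict on a distro that backported the fix.

```shell
#!/bin/sh
# check-sudo-cve-2021-3156.sh (constructed example, not part of the original README)
# Combines the two checks described in the README:
#  1. compare the version printed by `sudo -V` against the affected ranges
#     1.8.2..1.8.31p2 and 1.9.0..1.9.5p1 (inconclusive where a distro backported the fix)
#  2. classify the response of `sudoedit -s /` (the more reliable check)

# Turn a version such as "1.8.31p2" into one sortable integer:
# major*10^9 + minor*10^6 + patch*10^3 + p-level, so ranges can be compared with -ge/-le.
version_key() {
  ver=$1
  plevel=0
  case "$ver" in
    *p*) plevel=${ver##*p} ;;          # "p2" suffix -> 2
  esac
  base=${ver%%p*}                      # "1.8.31"
  major=${base%%.*}
  rest=${base#*.}
  minor=${rest%%.*}
  patch=${rest#*.}
  [ "$rest" = "$patch" ] && patch=0    # two-component version such as "1.9"
  echo $(( major * 1000000000 + minor * 1000000 + patch * 1000 + plevel ))
}

# Prints "affected" when the version falls inside either affected range, else "not-affected".
version_affected() {
  k=$(version_key "$1")
  if [ "$k" -ge "$(version_key 1.8.2)" ] && [ "$k" -le "$(version_key 1.8.31p2)" ]; then
    echo affected
  elif [ "$k" -ge "$(version_key 1.9.0)" ] && [ "$k" -le "$(version_key 1.9.5p1)" ]; then
    echo affected
  else
    echo not-affected
  fi
}

# Extracts the version token from `sudo -V` output, whose first line reads "Sudo version X".
parse_sudo_version() {
  nl='
'
  first=${1%%"$nl"*}                   # keep the first line only
  case "$first" in
    "Sudo version "*) ver=${first#Sudo version }; echo "${ver%% *}" ;;
    *) echo "" ;;
  esac
}

# Classifies the combined stdout/stderr ($1) and exit status ($2) of `sudoedit -s /`
# using the two responses listed in the README.
classify_sudoedit_output() {
  out=$1
  rc=${2:-0}
  if [ "$rc" -eq 139 ]; then           # killed by SIGSEGV (128 + 11): the segfault case
    echo vulnerable
    return
  fi
  case "$out" in
    "sudoedit: /: not a regular file"*) echo vulnerable ;;
    usage:*)                            echo patched ;;
    *)                                  echo unknown ;;
  esac
}

# Live check of this host; runs only when invoked as: sh check-sudo-cve-2021-3156.sh --live
if [ "${1-}" = "--live" ]; then
  ver=$(parse_sudo_version "$(sudo -V 2>/dev/null || true)")
  echo "sudo version: ${ver:-unknown} ($(version_affected "${ver:-0.0.0}") by version number)"
  rc=0
  out=$(sudoedit -s / 2>&1) || rc=$?
  echo "sudoedit -s / response: $(classify_sudoedit_output "$out" "$rc")"
fi
```

The version verdict is deliberately printed next to the `sudoedit` verdict rather than on its own: on Ubuntu 18.04 and other distros that backported the fix, the version number still falls inside the affected range while `sudoedit -s /` already answers `usage:`, and it is the second answer that counts.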