Exploit of SUDO vulnerability Heap-Based Overflow [CVE-2021-3156 ]

-



CVE-2021-3156 is a Heap-Based-Buffer overflow in sudo, in this blog I will share my walkthrough of this CVE and my final exploit for it, let's start with POC.

First, I used AddressSanitizer(ASan) which is used to detect memory access errors such as use-after-free and memory leaks this is a sample output of it, and we can see the file which cause the crash with the line number


and this is the command used to compile sudo with ASan


We can check the root cause of the crash in gdb by passing the payload and breakpoint on line number 868 in file sudoers.c

if we used the next instruction(ni) to follow the code and we can see when we reach the backslash(\) the code is passing the next value after it but our backslash is at the end of the string so what it will be passed? yes, it will be the Null Byte that is used to end the string, what do you think will happen if we do not have the end of our string? it will continue writing into the allocated memory and overflow it.

The vulnerable code with better view


to reach the above vulnerable code we have to pass some conditions, the following screenshot shows the first condition


this screenshot shows the second condition


to reach these two conditions we have to do 2 things first is to use argument (s) which will set MODE_SHELL which will pass the second condition


to reach the first condition we have to use (-edit) any word that should end with (edit) so we can use (sudoedit) which will set MODE_EDIT


so now we have to fuzz onto sudo the idea is simple we will generate random values with random size, and we will pass these values to ENV variables and sudo arguments and if we have a crash we will pass this crash to gdb and save the backtrace and the name of crashed function into the output file (doing it is not easy 😂) so the great playlist from LiveOverflow about the same CVE was useful 


this JSON file includes the arguments used to cause the crash


this file includes the backtrace of the crash


sample of the output file of a crash the JSON file has the used argument second file includes the backtrace of the crash



let's try arguments to cause the crash and see, the first file is a Python file which will pass the arguments to the next file which is (test.c) the following screenshot shows the file with arguments but there is a missing line which it will be 
args = ["./test"] + arg
os.execv("./test", args)


the (test.c) file is taking the arguments and pass it to the (sudoedit) binary but why we used this method? if we try to pass the backslashes as ENV variables it will be parsed as one ENV variable but if we used this method by passing the args to the test binary it will be parsed as the way we want (which is each backslash individual)


the following screenshot shows the output of passing arguments into GDB and the values saved into the ni struct, and we could control the values into this struct so its time to do some code review 


Code Time


I could know the glibc version by running (ldd --version) it is 2.31, I used bootlin elixir to check the code of this version of glibc


the crash happens into (tsearch) function which comes from nss_lookup_function when we search for it we will see that this function is called in nss_lookup it call (nss_lookup_function) 4 times


we have to know that this is the struct of our (ni) variable which we will modify

the (nss_lookup_function) have the (tsearch) in this function too we can find the (nss_load_library) function which take (ni) 

nss_load_library has some interesting thing which is this part use (dlopen) in line 359 which load an external library using the name and if check line 353 it creates a name of the shared library and passes it to (dlopen) to include it with this format (libnss_<name_from_ni>.so.<version> (i.e libnss_flex.so.2)) you can read the man page of dlopen
If filename contains a slash ("/"), then it is interpreted as a (relative or absolute) pathname


but how we can set (ni->library->lib_handle) to NULL we can not control it but we can NULL the (ni->library) itself but this will not pass the second condition it will jmp into the first one which will call the (nss_new_service) function and save its return into (ni->library) so we can check it


in nss_new_service we can see in line 812 the function set some arguments of struct (sevice_library) which have (lib_handle) and when the function return (currentp) and it is saved to (ni->library) now it have lib_handle with NULL value so we can reach second condition



Exploit Time


We modified the arguments a bit, and we added the name of the lib we want to include with "/" (note that) after adding the padding to reach the vulnerable code we used some backslashes which replace the NULL bytes (we can not use null bytes remember that) we set (ni->next) & (ni->library) to (0x00) this will reach the condition from (nss_load_libbrary) which will call (nss_new_service) to create & set (lib_handle) to NULL and using that we will reach the second condition will will load library with our controlled name


breakpoint into (nss_load_library) and use (ni) until reaching the (dlopen) call and when we see the arguments of the function we can see that we controlled the library name.


let's write the library and convert the Python code into C and write our shared library.

Coding

we have 4 files for our exploit
  • flex.c : shared library which we will load
  • exploit.c : include the arguments(payload) which will be passed to (root) file
  • root.c : will take the arguments(payload) from (exploit) file and pass it to (sudoedit)
  • run.sh : bash file to compile the C files and run the exploit
the following screenshots show the above files with their contents

Exploit 



That's it, Tschüss.




Comments

Post a Comment

Popular posts from this blog

[BlackHatMEA-CTF 2024] cockatoo PWN challenge

-
Image
 ( بِسْمِ اللَّـهِ الرَّحْمَـٰنِ الرَّحِيمِ ) (إن أحسنت فمن الله، وإن أسأت فمن نفسي والشيطان) Let's check the "cockatoo" pwn challenge from Blackhat MEA CTF 2024. Reverse the Binary we note that the binary takes the input byte by byte and there is a counter (i hate static analysts) Dynamic analysis  Let's jump to GDB and see what happened. I set a breakpoint on the road to get the stack address in which our input will be stored, and the following screenshots show our input increase and the counter before the RIP address. and the payload to overwrite the counter and control where the next write will be in the following screenshots  and we added to the counter (16) and could overwrite the RIP now we have to find our gadgets and do a simple execve, right?!!! NOOOOOO Exploit we don't have gadgets for "rdx, rdi, rsi" and we need to do "execve(rdi, rsi, rdx)", but we have "syscall" and "pop rax" so its time for our SROP attack. we...
Read more

[WEB] ASC Wargame CTF 2024 - Challenge Hot Proxy

-
Image
 ( بِسْمِ اللَّـهِ الرَّحْمَـٰنِ الرَّحِيمِ ) (إن أحسنت فمن الله، وإن أسأت فمن نفسي والشيطان) It was a nice CTF, I got 2nd place with my guys: Hissien Misbah ( Twitter ) Mohamed Bebo ( Linkedin ) Sameh ( Linkedin ) Osama Zidan ( Linkedin ) A picture during solving this challenge in the last 5m of the CTF (thinking that we got 1st place). Let's walk through the Web Challenge Hot Proxy, note that we did not solve it during the time of the CTF it was a minute way, let's start. Note: there is no source code in the challenge attachment, I requested it from the author ( @serWazito0 ) thanks to him, challenges files ( ASCWG_2024_CTF ). Note: the flag file in the server and called "flag_<RANDOM>.txt", so we have to get RCE. From the title I know that there is an "SSRF" vulnerability in this challenge and from the description, we know that there is an internal application called "app1" with a route called "/secret" so our target is to access...
Read more

Lets Analysis STM32F103 Chip Firmware from Attify

-
Image
( بِسْمِ اللَّـهِ الرَّحْمَـٰنِ الرَّحِيمِ ) Let's start our blog. As we know any IoT device should have a firmware to run it and there is a thought that it is secure by default because it is in a board, but we know that we can dump this firmware, our firmware know is already shared with us something like training to learn basics of reversing firmware. you can download the firmware from here . if we run the file command on the firmware we will find this "STM32F103C-firmware.bin: data" and if we try to get the architecture using binwalk it will return empty result "binwalk -A STM32F103C-firmware.bin" but we don't need this because it is a famous chip and we can know what we want from google. After searching for the chip name STM32F103C we will open its default page you will know that it run using "ARM Cortex M3" we will need that later, it is time to analysis using Ghidra. Analysis Dropping the firmware file to Ghidra but it will not detect anything...
Read more