Sudo vulnerability 20221/17/2024 Here we’re dereferencing the out of bounds pointer from and writing it to the buffer pointed to by the to pointer. ![]() The next memory error is a read overflow that occurred on line 974. Since the from pointer is already out of bounds, as we saw in the first memory error, any indexed access using from will be a bad index. The next memory error is a read from a bad address in sudoers.c on line 972. A stack trace shows us that this occurs in the set_cmnd() function. Note the memory block is two bytes because the first is the ‘\’ character and the second is the null terminator. Insra tells us that the from pointer read one byte outside of the two-byte memory block it was pointing to. We can see the first memory error is a read overflow that happens in sudoers.c at line 971. Let’s see what Insure++ found by examining results in the Insra window. We can tell from the malloc message that the proof of concept executed properly. Replace sudoedit with the path to the one you compiled and run the command. It is as follows: sudoedit -s '\' 'perl -e 'print "A" x 65536'' The Qualys article provided a simple proof of concept command that demonstrates the buffer overflow vulnerability. From here run make and make install as usual. You should consider setting a different prefix as well in order to not override the system sudo if applicable. ![]() After unpacking the source code, be sure Insure++ is on your PATH and set your CC to "insure gcc" before running configure. The source for sudo v1.9.5p1, the latest vulnerable version, is available here on the sudo website. To replicate the vulnerability in Insure++, we need to download a vulnerable version of sudo and compile it using Insure++. I’ll cover similar details when we analyze the results from Insure++. For a thorough breakdown of the vulnerability, check out the original Qualys blog. When un-escaping the last ‘\’ character, the function will overwrite the null terminator of the string resulting in a buffer overflow. When vulnerable versions of sudo (v1.8.2 – v1.9.5p1) are run with a command in shell mode and the command line argument ends in a single backslash, a buffer overflow of the user_args string occurs due to a flaw in the way un-escaping of command line arguments is performed. ![]() Baron Samedit (CVE-2021-3156) Vulnerability Overview Insure++ makes discovering, understanding, and remediating such bugs much easier than using traditional debugging tools and techniques. Insure++ is a memory debugging tool that uses patented instrumentation techniques to quickly identify leaks and other memory issues. I’m going to demonstrate Parasoft Insure++ memory over-read and overwrite detection using this vulnerability. Analyzing Baron Samedit (CVE-2021-3156) With Insure++ It’s a component that’s commonly included and installed with Linux, BSD, macOS, AIX, Solaris, and others. Sudo is a central tool in many different Linux/Unix distributions that allows users to run programs with elevated security privileges. On January 26, 2021, Qualys published a blog describing their findings on the heap overflow vulnerability in sudo, CVE-2021-3156, which they named “Baron Samedit”. Analyzing Baron Samedit (CVE-2021-3156) With Insure++.
0 Comments
Leave a Reply.AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |