CVE-2021-3156

Visualization, Fuzzing, Exploit and Patch of Baron Samedit Vulnerability
See report »

Francesco Marchiori · Alessandro Lotto

Table of Contents
  1. Abstract
  2. Visualization
  3. Fuzzing
  4. Exploit
  5. Patch

🧩 Abstract

Every Unix-based operating system ships the sudo command, which grants temporary root privileges to the users who are expected to hold them. Sudo therefore provides a critical function that, if abused, may compromise the security and reliability of the whole system. Because of its importance within the operating system, sudo's source code is subject to frequent testing and code review. These efforts led to the discovery of a heap-based buffer overflow, tracked as CVE-2021-3156, which had surprisingly remained hidden for almost 10 years. Not even fuzzing, one of the most widely used techniques for bug and vulnerability discovery, had managed to uncover it before. In this paper we analyze the CVE-2021-3156 sudo vulnerability in detail, starting from the buffer overflow itself and going up to how it can be exploited to obtain a root shell, even as an unprivileged user who is not permitted to use the sudo command.

🖼️ Visualization

The Visualization directory contains a couple of scripts that we used to visualize how arguments are parsed with and without backslash characters, and to analyze how environment variables affect the heap layout, in order to better understand the structure of the proposed exploit.

🔍 Fuzzing

The Fuzzing directory contains the files needed to fuzz the vulnerable version of sudo. It also documents how to get fuzzing going and how to solve the problems that prevent AFL from working out-of-the-box, which explains how the vulnerability stayed hidden for almost 10 years.

⚔️ Exploit

The Exploit directory contains the files needed to perform the attack against another vulnerable version of sudo. We use environment variables to populate memory (heap feng shui) and overwrite the name of the service_user object, so that our own code is executed instead of a library being loaded.

🛡️ Patch

The Patch directory contains overflow_simulation_patch.c, a program that simulates the behaviour of the overflow and patches it with additional code that we wrote. Since the developers of the Sudo project decided to fix the flow that leads to the vulnerability rather than the vulnerable code itself, we show a different approach and how the bug can be fixed with just a few lines of code.
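As an added illustration of the "patch the copy loop" approach (example code written for this README, not the repository's overflow_simulation_patch.c), the following C models the escape handling of sudo's argument-concatenation loop: a trailing backslash makes the read pointer step onto the terminating NUL, the NUL is copied, and the loop would then keep reading past the argument. The vulnerable variant reports that condition instead of reading out of bounds; the patched variant refuses to treat a trailing backslash as an escape and bounds-checks every write. Function names and the simulation guards are assumptions of this example.

```c
#include <ctype.h>
#include <string.h>

/* Size sudo allocates for user_args: strlen(arg)+1 per argument (space/NUL). */
size_t args_size(const char *const argv[]) {
    size_t size = 0;
    for (const char *const *av = argv; *av; av++)
        size += strlen(*av) + 1;
    return size;
}
/* Original escape logic, simulated safely. Returns bytes written, -1 if a
 * write would exceed `size`, -2 where the real loop would start reading
 * past the end of an argument (and then writing past user_args). */
long copy_args_vulnerable(const char *const argv[], char *out, size_t size) {
    size_t n = 0;
    for (const char *const *av = argv; *av; av++) {
        const char *from = *av, *end = *av + strlen(*av);
        while (*from) {
            if (from[0] == '\\' && !isspace((unsigned char)from[1]))
                from++;                /* may now point at the NUL */
            if (n >= size) return -1;  /* simulation guard, not in sudo */
            out[n++] = *from++;
            if (from > end) return -2; /* sudo keeps going: overflow */
        }
        if (n >= size) return -1;
        out[n++] = ' ';
    }
    if (n > 0) n--;                    /* drop trailing space */
    out[n] = '\0';
    return (long)n;
}

/* Patched loop: a trailing backslash is not an escape (from[1] != '\0')
 * and every write is bounds-checked, so user_args can never be exceeded. */
long copy_args_patched(const char *const argv[], char *out, size_t size) {
    size_t n = 0;
    for (const char *const *av = argv; *av; av++) {
        for (const char *from = *av; *from; ) {
            if (from[0] == '\\' && from[1] != '\0' && !isspace((unsigned char)from[1]))
                from++;
            if (n >= size) return -1;
            out[n++] = *from++;
        }
        if (n >= size) return -1;
        out[n++] = ' ';
    }
    if (n > 0) n--;
    out[n] = '\0';
    return (long)n;
}
```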
