Contents

Baron Samedit

CVE-2021-3156 Caught my eye this week! It’s a heap-based buffer overflow affecting versions prior to 1.9.5p2, allowing local privilege escalation to root via sudoedit -s and a command that ends with a single backslash character.

I want to take the time to understand this one in depth.

Comprehension

As a starting point, I looked up the CVE Disclosure. And then the currently most linked to article about the issue Qualys Blog.

I’m essentially just re-writing that last blog post there so I can put it in my own words and fully understand.

Source

If sudo is executed to run a command in “shell” mode, or through the -i option,

if (ISSET(mode, MODE_RUN) && ISSET(flags, MODE_SHELL)) { 
    char **av, *cmnd = NULL; 
    int ac = 1;

at the beginning of Sudo’s main(), parse_args() rewrites argv…

    av[0] = (char *)user_details.shell; /* plugin may override shell */ 
    if (cmnd != NULL) { 
        av[1] = "-c"; 
        av[2] = cmnd; 
    } 
    av[ac] = NULL; 

    argv = av; 
    argc = ac; 
} 

…by concatenating all command-line arguments, escaping all meta-characters with backslashes.

for (av = argv; *av != NULL; av++) { 
    for (src = *av; *src != '\0'; src++) { 
        /* quote potential meta characters */ 
        if (!isalnum((unsigned char)*src) && *src != '_' && *src != '-' && *src != '$') 
            *dst++ = '\\'; 
        *dst++ = *src; 
    } 
    *dst++ = ' '; 
} 

Later, in sudoers_policy_main(), set_cmnd() concatenates the command-line arguments into a heap-based buffer “user_args” and unescapes the meta-characters “for sudoers matching and logging purposes.”

for (to = user_args, av = NewArgv + 1; (from = *av); av++) { 
    while (*from) { 
        if (from[0] == '\\' && !isspace((unsigned char)from[1])) 
            from++; 
        *to++ = *from++; 
    } 
    *to++ = ' '; 
}

Here’s the buffer allocation logic:

for (size = 0, av = NewArgv + 1; *av; av++) 
    size += strlen(*av) + 1; 
if (size == 0 || (user_args = malloc(size)) == NULL) { 

The Vulnerability

Let’s take a closer look at the line that un-escapes the arguments.

If one of the command-line arguments end’s with a backslash, then from[0] is the backslash character and from[1] is the argument’s null terminator:
if (from[0] == '\\' && !isspace((unsigned char)from[1]))

Then, from is incremented and now points to the null character:
from++;

On the next line, the null terminator is copied to the user_args buffer, and from is incremented again and now points to the first character after the null terminator (from pointer is out of bounds now):
*to++ = *from++;

Finally, the while loop reads and copies out-of-bounds characters to the user_args buffer, completing the heap-based overflow vulnerability.

The Exploit Vector

In theory this vulnerable code is not a concern. If MODE_SHELL or MODE_LOGIN_SHELL is set (required for reaching the vulnerable piece of code), parse_args() executes and all command-line arguments should have already been escaped with a single bashslash character:
dst++ = '\\';

In reality, there is a slightly different set of conditions between parse_args (the shell escape code) and set_cmnd (the vulnerable code):

/* set_cmnd() */
if (sudo_mode & (MODE_RUN | MODE_EDIT | MODE_CHECK)) { 
... 
    if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL)) {
/* Versus parse_args() */
if (ISSET(mode, MODE_RUN) && ISSET(flags, MODE_SHELL)) {

So, we want to set MODE_SHELL and either MODE_EDIT or MODE_CHECK, but not MODE_RUN. This isn’t normally possible. If we set MODE_EDIT or MODE_CHECK, then parse_args removes MODE_SHELL from “valid_flags” and exits with an error.

However, Qualys found a loophole!

If you execute sudo as sudoedit instead of sudo, then parse_args automatically sets MODE_EDIT, but does not reset “valid_flags” which includes “MODE_SHELL” by default:

127 #define DEFAULT_VALID_FLAGS     (MODE_BACKGROUND|MODE_PRESERVE_ENV|MODE_RESET_HOME|MODE_LOGIN_SHELL|MODE_NONINTERACTIVE|MODE_SHELL) 
... 
     int valid_flags = DEFAULT_VALID_FLAGS; 
... 
     proglen = strlen(progname); 
     if (proglen > 4 && strcmp(progname + proglen - 4, "edit") == 0) { 
         progname = "sudoedit"; 
         mode = MODE_EDIT; 
         sudo_settings[ARG_SUDOEDIT].value = "true"; 
     }

Therefore, executing sudoedit -s allows us to escape the escape code and reach the vulnerable code, overflowing the heap-based buffer “user_args”:

$ sudoedit -s '\' `perl -e 'print "A" x 65536'` 
malloc(): corrupted top size 
Aborted (core dumped) 
Directory
$ cd content && tree