Attacker Value
Very High
(4 users assessed)
Exploitability
Very High
(4 users assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Local
12

CVE-2021-3156 "Baron Samedit"

Disclosure Date: January 26, 2021
CVE-2021-3156 CVSS v3 Base Score: 7.8
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Execution
Techniques
Validation
Validated
Initial Access
Techniques
Validation
Validated
Privilege Escalation
Techniques
Validation
Validated

Description

Sudo before 1.9.5p2 has a Heap-based Buffer Overflow, allowing privilege escalation to root via “sudoedit -s” and a command-line argument that ends with a single backslash character.

Add Assessment

7
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Common in enterpriseEasy to weaponizeGives privileged accessUnauthenticatedVulnerable in default configuration
Technical Analysis

Sudo is vulnerable to a local privilege escalation that enables any local user to gain root privileges. This is due to a heap-based buffer overflow when unescaping backslashes in the command’s arguments. This vulnerable code has been introduced in July 2011. According to the advisory, legacy versions from 1.8.2 to 1.8.31p2 and stable versions from 1.9.0 to 1.9.5p1 are vulnerable in their default configurations. Note that the local user password is not required to successfully exploit this vulnerability.

The exploitation is done by invoking “sudoedit -s” command to reach the vulnerable code and do an out-of-bounds write in heap memory. The security researchers were able to exploit this vulnerability and get a shell as root using 3 different methods. One of them, which seems to be the easiest and the most reliable, is demo’ed in this video.

I couldn’t find any PoC available, but there are enough technical details in the advisory to write an exploit. It is a critical bug and sudo should be patched immediately. It is very likely a working exploit will be publicly available soon.

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
7.8 High
Impact Score:
5.9
Exploitability Score:
1.8
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Local
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
n/a
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

References

Canonical
CVE-2021-3156 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3156)
Advisory
https://www.sudo.ws/stable.html#1.9.5p2
[oss-security] 20210126 Baron Samedit: Heap-based buffer overflow in Sudo (CVE-2021-3156) (http://www.openwall.com/lists/oss-security/2021/01/26/3)
GLSA-202101-33 (https://security.gentoo.org/glsa/202101-33)
DSA-4839 (https://www.debian.org/security/2021/dsa-4839)
FEDORA-2021-2cb63d912a (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LHXK6ICO5AYLGFK2TAX5MZKUXTUKWOJY/)
FEDORA-2021-8840cbdccd (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CALA5FTXIQBRRYUA2ZQNJXB6OQMAXEII/)
[oss-security] 20210127 Re: Baron Samedit: Heap-based buffer overflow in Sudo (CVE-2021-3156) (http://www.openwall.com/lists/oss-security/2021/01/27/1)
[oss-security] 20210127 Re: Baron Samedit: Heap-based buffer overflow in Sudo (CVE-2021-3156) (http://www.openwall.com/lists/oss-security/2021/01/27/2)
https://security.netapp.com/advisory/ntap-20210128-0002/
https://security.netapp.com/advisory/ntap-20210128-0001/
20210129 Sudo Privilege Escalation Vulnerability Affecting Cisco Products: January 2021 (https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sudo-privesc-jan2021-qnYQfcM)
VU#794544 (https://www.kb.cert.org/vuls/id/794544)
https://support.apple.com/kb/HT212177
20210211 APPLE-SA-2021-02-09-1 macOS Big Sur 11.2.1, macOS Catalina 10.15.7 Supplemental Update, and macOS Mojave 10.14.6 Security Update 2021-002 (http://seclists.org/fulldisclosure/2021/Feb/42)
https://kc.mcafee.com/corporate/index?page=content&id=SB10348
[oss-security] 20210215 Re: sudo: Ineffective NO_ROOT_MAILER and Baron Samedit (http://www.openwall.com/lists/oss-security/2021/02/15/1)
[debian-lts-announce] 20210126 [SECURITY] [DLA 2534-1] sudo security update (https://lists.debian.org/debian-lts-announce/2021/01/msg00022.html)
20210126 Baron Samedit: Heap-based buffer overflow in Sudo (CVE-2021-3156) (http://seclists.org/fulldisclosure/2021/Jan/79)
https://www.synology.com/security/advisory/Synology_SA_21_02
Exploit
Twitter PoC Announcement (https://twitter.com/kalmarunionenDM/status/1354902561833312258)
Another Twitter PoC Announcement (https://twitter.com/r4j0x00/status/1355489323794108417?s=20)
Miscellaneous
https://www.openwall.com/lists/oss-security/2021/01/26/3
http://packetstormsecurity.com/files/161160/Sudo-Heap-Based-Buffer-Overflow.html
http://packetstormsecurity.com/files/161230/Sudo-Buffer-Overflow-Privilege-Escalation.html
http://packetstormsecurity.com/files/161270/Sudo-1.9.5p1-Buffer-Overflow-Privilege-Escalation.html
http://packetstormsecurity.com/files/161293/Sudo-1.8.31p2-1.9.5p1-Buffer-Overflow.html
https://www.beyondtrust.com/blog/entry/security-advisory-privilege-management-for-unix-linux-pmul-basic-and-privilege-management-for-mac-pmm-affected-by-sudo-vulnerability

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis

Description

On Tuesday, January 26, 2021, the Qualys Research Team published a blog post on CVE-2021-3156, a privilege escalation vulnerability in the sudo command that enables any local user to gain root privileges without using a password, even if the user is not listed in the sudoers file. The vulnerability arises from a heap-based buffer overflow when unescaping backslashes in a supplied command’s arguments. The vulnerable code was introduced in July 2011 and affects most Linux-based operating systems. See the project maintainers’ advisory on the vulnerability for further details.

Affected Products

According to the advisory, legacy versions of sudo from 1.8.2 to 1.8.31p2 and stable versions from 1.9.0 to 1.9.5p1 are vulnerable in their default configurations. Depending on the Linux distribution, the version number might be different. Please check the Guidance section for details.

Rapid7 analysis

CVE-2021-3156 is a local privilege escalation vulnerability, which means an attacker requires existing access to a target (such as through remote code execution) in order to exploit the bug. Exploitation is achieved by invoking the sudoedit -s command to reach the vulnerable code and perform an out-of-bounds (OOB) write in heap memory. Upon successful exploitation, the attacker would gain root access, resulting in full compromise of the system.

At the time of this writing, a crash PoC is available from Qualys. Rapid7 researchers have reliably reproduced the crash using the supplied PoC. The advisory contains enough technical detail to develop the PoC into an exploit. Researchers will have to bypass any memory protections in place, though the bug allows for a great amount of control over the OOB write, reducing the burden of exploitation. It is only a matter of time before exploits begin to surface.

Guidance

Rapid7 recommends that sudo users update to version 1.9.5p2 immediately. The legacy release stream 1.8.x has not yet received a critical bug fix for CVE-2021-3156. There is no effective mitigation for this vulnerability. Patched versions are listed below.

Official maintainer:

Linux distributions:

References