Cmd.com will be migrated to Elastic.co shortly.
By: Shashank Kittane Suryanarayana and Jake King
Sudo bug delivers an easy to exploit privilege escalation vulnerability for any system user.
In July of 2011, a privilege escalation vulnerability was added to the Linux sudo program (Versions Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2) and lay dormant until researchers at Qualys identified it and published their findings in CVE-2021-3156 earlier this month.
The vulnerability takes advantage of a specific bug in the code that fails to properly handle strings that end with an unescaped trailing backslash in the string passed to the program, alongside another bug within the sudoedit binary (leveraging the same -s and -i flags) allowing the program to read beyond the last character of the string being passed in. This allows for chaining of a heap-based buffer overflow, allowing for the adversary to control the size and contents of the overflowed buffer.
In the video proof-of-concept from Qualys, a simple exploit is compiled to take advantage of the weakness, and run within a for-loop to defeat ASLR controls within the host system through a call to setuid, inevitably invoking a root shell.
While many of us limit shell access within systems we manage to those that are trusted in our organizations, any user with shell level access may exploit the vulnerability with little effort. At a glance, many adversaries that already have non-privileged entry points to environments may already have attempted to leverage CVE-2021-3156 within environments that they persist within.
The team at Cmd recommends system administrators apply patches for this vulnerability immediately. We also recommend reviewing system audit logs to observe any attempts to exploit this specific vulnerability within your organization, validating access to privileged accounts and actions if possible.
At Cmd, we often identify patterns of abuse of root privileges on systems where users are granted privileged access through standard system defaults, or shared accounts access, but in this case many of our customers reached out to identify compensating controls that could be added through the use of the Cmd agent, both eBPF variants, and our enterprise control platform.
For Cmd customers, the following triggers provide detection and prevention capabilities for techniques that exploits like CVE-2021-3156 utilize to gain privileged permissions within your system :
cmd_user_typed = 'true' AND cmd_root = 'sudoedit' AND cmd_parameters = '*-s'
cmd_root = 'sudoedit' AND cmd_parameters = '*-s'
And a few extra policies to determine common persistence methods after exploitation has occurred:
( ( cmd_root = 'chmod' AND ( cmd_parameters = '4*' OR cmd_parameters = '2*' OR cmd_parameters = '*u+s*' OR cmd_parameters = '*g+s*' ) ) OR ( cmd_root = 'find' AND ( cmd_parameters = '2000*' OR cmd_parameters = '4000*' OR cmd_parameters = '6000*' OR cmd_parameters = '*u+s*' OR cmd_parameters = '*g+s*' ) ) )
( cmd_user_typed = 'true' AND session_interactive = 'true' AND cmd_root IN 'vi,vim,nano,cat,echo' AND cmd_parameters = ‘/etc/sudoers')
( cmd_user_typed = 'true' AND session_interactive = 'true' AND cmd_root IN 'useradd,groupadd,usermod,userdel' )
( cmd_user_typed = 'true' AND session_interactive = 'true' AND cmd_root IN 'vi,vim,nano,cat,echo' AND session_login_user NOT IN 'exclude automated chef / deployment users' AND ( cmd_parameters = '*secure*' OR cmd_parameters = '*shadow*' OR cmd_parameters = '*sudoers*' OR cmd_parameters = '*passwd*' )
If you do not see these triggers in your environment, please reach out to have the latest Cmd trigger set deployed to your projects. You can also request a 15-minute session to walk through how to best detect and defend these kinds of threats in the future.
To activate your own account of Cmd Free to get system-wide visibility that can help discover interesting privilege escalation threats such as Baron Samedit, click here.
Ramp up your Linux defense strategies
and see what you've been missing.