Jan 29 2021 · 3 min read
Cmd Advisory: (Baron Samedit) Sudo Exploit CVE-2021-3156
By: Shashank Kittane Suryanarayana and Jake King
Sudo bug delivers an easy to exploit privilege escalation vulnerability for any system user.
In July of 2011, a privilege escalation vulnerability was added to the Linux sudo program (Versions Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2) and lay dormant until researchers at Qualys identified it and published their findings in CVE-2021-3156 earlier this month.
How does CVE-2021-3156 operate?
The vulnerability takes advantage of a specific bug in the code that fails to properly handle strings that end with an unescaped trailing backslash in the string passed to the program, alongside another bug within the sudoedit binary (leveraging the same -s and -i flags) allowing the program to read beyond the last character of the string being passed in. This allows for chaining of a heap-based buffer overflow, allowing for the adversary to control the size and contents of the overflowed buffer.
In the video proof-of-concept from Qualys, a simple exploit is compiled to take advantage of the weakness, and run within a for-loop to defeat ASLR controls within the host system through a call to setuid, inevitably invoking a root shell.
Who is at risk from CVE-2021-3156?
While many of us limit shell access within systems we manage to those that are trusted in our organizations, any user with shell level access may exploit the vulnerability with little effort. At a glance, many adversaries that already have non-privileged entry points to environments may already have attempted to leverage CVE-2021-3156 within environments that they persist within.
The team at Cmd recommends system administrators apply patches for this vulnerability immediately. We also recommend reviewing system audit logs to observe any attempts to exploit this specific vulnerability within your organization, validating access to privileged accounts and actions if possible.
Detection and prevention techniques
At Cmd, we often identify patterns of abuse of root privileges on systems where users are granted privileged access through standard system defaults, or shared accounts access, but in this case many of our customers reached out to identify compensating controls that could be added through the use of the Cmd agent, both eBPF variants, and our enterprise control platform.
Cmd Control, Cmd Audit and Cmd Free
For Cmd customers, the following triggers provide detection and prevention capabilities for techniques that exploits like CVE-2021-3156 utilize to gain privileged permissions within your system :
Cmd – CVE-2021-3156 Passive Detection
cmd_user_typed = 'true' AND cmd_root = 'sudoedit' AND cmd_parameters = '*-s'
Cmd – CVE-2021-3156 Passive Detection (Non Interactive)
cmd_root = 'sudoedit' AND cmd_parameters = '*-s'
And a few extra policies to determine common persistence methods after exploitation has occurred:
Cmd – ATT&CK T1166 – Setuid and Setgid
( ( cmd_root = 'chmod' AND ( cmd_parameters = '4*' OR cmd_parameters = '2*' OR cmd_parameters = '*u+s*' OR cmd_parameters = '*g+s*' ) ) OR ( cmd_root = 'find' AND ( cmd_parameters = '2000*' OR cmd_parameters = '4000*' OR cmd_parameters = '6000*' OR cmd_parameters = '*u+s*' OR cmd_parameters = '*g+s*' ) ) )
Any modifications for sudoers should be monitored to avoid explicit elevation of privileges
( cmd_user_typed = 'true' AND session_interactive = 'true' AND cmd_root IN 'vi,vim,nano,cat,echo' AND cmd_parameters = ‘/etc/sudoers')
User Addition / Deletion / Group Modifications
( cmd_user_typed = 'true' AND session_interactive = 'true' AND cmd_root IN 'useradd,groupadd,usermod,userdel' )
Common Persistence Policies
( cmd_user_typed = 'true' AND session_interactive = 'true' AND cmd_root IN 'vi,vim,nano,cat,echo' AND session_login_user NOT IN 'exclude automated chef / deployment users' AND ( cmd_parameters = '*secure*' OR cmd_parameters = '*shadow*' OR cmd_parameters = '*sudoers*' OR cmd_parameters = '*passwd*' )
If you do not see these triggers in your environment, please reach out to have the latest Cmd trigger set deployed to your projects. You can also request a 15-minute session to walk through how to best detect and defend these kinds of threats in the future.
To activate your own account of Cmd Free to get system-wide visibility that can help discover interesting privilege escalation threats such as Baron Samedit, click here.