A couple of days back, a serious heap-based buffer overflow was discovered in sudo that is exploitable by any local user. Its discoverer named it Baron Samedit. The bug can be leveraged to elevate privileges to root, even if the user is not listed in the sudoers file, and no user authentication is required to exploit it. It is commonly referred to as CVE-2021-3156.
Several security researchers have recorded it in action; you can see it here.
Sudo versions 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1 are affected.
Keep in mind: the patches may have been backported, as is the case for Ubuntu 18.04, in which case the fixed version may not be 1.9.5p2.
USE WITH CAUTION: open your terminal and run
sudo sudo -V
to check your version number. See the notes above for which versions are affected, including the backport caveat. Then run
sudoedit -s /
to detect whether you are vulnerable.
You can also try:
sudoedit -s '\' `perl -e 'print "A" x 65536'`
bonyt from hackernews pointed out that macOS doesn't have sudoedit, but you can make a symlink to it, as sudo is effectively a multi-call binary:
ln -s `which sudo` sudoedit
and then call the symlink with the same -s / argument as above.
Based on the response, it is possible to tell whether the host is vulnerable:
Vulnerable if it responds with an error starting with sudoedit:, for example
sudoedit: /: not a regular file
Not vulnerable (patched) if it responds with an error starting with usage:
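The checks above can be scripted. The following POSIX shell script is an added example and is not part of the original post: it parses the banner printed by sudo -V, compares the upstream version against the affected ranges listed above (1.8.2 to 1.8.31p2 and 1.9.0 to 1.9.5p1), and classifies the first line printed by sudoedit -s / using the rule just described. The function names and the sample sudo -V output are this example's own assumptions. Because a distribution may backport the fix (as Ubuntu 18.04 does), a version inside the affected range is only a hint; the sudoedit response is the authoritative check.

```shell
#!/bin/sh
# Added example (not from the original post): automate the CVE-2021-3156 checks.
# Function names and sample data are this example's own.

# Turn "1.8.31p2" into a sortable tuple "1 8 31 2" (patch level 0 when absent).
# Runs in a subshell so changing IFS does not leak into the caller.
sudo_version_key() (
    ver=$1
    base=${ver%%p*}
    patch=${ver#*p}
    [ "$patch" = "$ver" ] && patch=0
    IFS=.
    set -- $base
    printf '%d %d %d %d\n' "${1:-0}" "${2:-0}" "${3:-0}" "$patch"
)

# Print -1, 0 or 1 as version $1 is older than, equal to, or newer than $2.
version_cmp() {
    set -- $(sudo_version_key "$1") $(sudo_version_key "$2")
    # After each shift, $1 and $5 still pair the i-th field of both versions.
    while [ $# -gt 4 ]; do
        if [ "$1" -lt "$5" ]; then printf '%s\n' -1; return 0; fi
        if [ "$1" -gt "$5" ]; then printf '%s\n' 1; return 0; fi
        shift
    done
    printf '%s\n' 0
}

# True (exit 0) when an upstream version lies inside one of the affected ranges.
sudo_version_affected() {
    v=$1
    [ "$(version_cmp "$v" 1.8.2)" -ge 0 ] && [ "$(version_cmp "$v" 1.8.31p2)" -le 0 ] && return 0
    [ "$(version_cmp "$v" 1.9.0)" -ge 0 ] && [ "$(version_cmp "$v" 1.9.5p1)" -le 0 ] && return 0
    return 1
}

# Extract "1.8.31" from sudo -V output, whose first line reads "Sudo version 1.8.31".
parse_sudo_version() {
    printf '%s\n' "$1" | awk '/^Sudo version/ { print $3; exit }'
}

# Classify the first line sudoedit -s / prints: an error starting with "sudoedit:"
# means vulnerable, one starting with "usage:" means the fix is present.
classify_sudoedit_response() {
    case $1 in
        sudoedit:*) printf '%s\n' vulnerable ;;
        usage:*)    printf '%s\n' patched ;;
        *)          printf '%s\n' unknown ;;
    esac
}

# Run both checks against the current host; only used when invoked with --live.
check_this_host() {
    ver=$(parse_sudo_version "$(sudo -V 2>/dev/null || true)")
    if sudo_version_affected "$ver"; then
        echo "sudo $ver: inside the affected range (unless your distro backported the fix)"
    else
        echo "sudo $ver: outside the affected range"
    fi
    resp=$(sudoedit -s / 2>&1 | head -n 1)
    echo "sudoedit check: $(classify_sudoedit_response "$resp")"
}

# Constructed sample data for a stand-alone run (not captured from a real host).
SAMPLE_SUDO_V='Sudo version 1.8.31
Sudoers policy plugin version 1.8.31
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.31'
SAMPLE_RESPONSE='sudoedit: /: not a regular file'

if [ "${1:-}" = "--live" ]; then
    check_this_host
else
    sample_ver=$(parse_sudo_version "$SAMPLE_SUDO_V")
    if sudo_version_affected "$sample_ver"; then
        echo "sample sudo $sample_ver: inside the affected range"
    else
        echo "sample sudo $sample_ver: outside the affected range"
    fi
    echo "sample sudoedit response: $(classify_sudoedit_response "$SAMPLE_RESPONSE")"
fi
```

Run it without arguments to exercise the sample data, or with --live to check the machine you are on; the version comparison treats a missing patch level (1.8.31) as older than any patched build of the same release (1.8.31p2), which is what the affected ranges above require.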
Falco is the CNCF open-source project for runtime threat detection for containers and Kubernetes.
You can use a Falco rule to detect and prevent attempts to exploit it.
pawan328 from hackernews pointed out that you can view this blog post for additional details.
To patch on Ubuntu, run:
sudo apt-get update
sudo apt-get --only-upgrade install sudo
I have a video discussing this and demonstrating all the methods above.
00:00 - Introduction
01:29 - What's a CVE?
02:22 - What's the bug?
05:30 - Exploit shown in action
13:07 - Sudo versions affected
13:48 - WSL Windows Subsystem for Linux
15:11 - Detecting if you are vulnerable through sudo (WSL)
19:21 - Detecting if you are vulnerable through sudo (Ubuntu)
20:53 - Detecting if you are vulnerable through commands
24:58 - What to do if you are running K8s or containers
27:54 - Examine Sudo versions
28:30 - Patching WSL
30:17 - Patching Ubuntu
32:09 - Where can I get exploit.c?
33:59 - Patching Ubuntu (part 2)
38:10 - Patching WSL (part 2)
46:35 - GitHub search results
47:28 - Patching WSL (part 3)
Stay connected with me on social platforms for security and software development news.