CVE-2021-3156 crash log process_hooks_getenv()?
Closed this issue · 5 comments
Hello,
I'm trying to code my own exploit.
Tested fuzzy.py... but I can't find an interesting crash...
Found a crash in set_cmnd(), but no crash in nss_load_library() or process_hooks_getenv()...
Maybe set_cmnd() is a good way, but I can't find a way to control R15.
Any idea?
For info, I'm using:
Linux my-box 5.8.0-41-generic #46~20.04.1-Ubuntu SMP Mon Jan 18 17:52:23 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Sudoers I/O plugin version 1.8.31
Any options to compile sudo 1.8.31? I've used --env-debug with ./configure.
Thanks for your help.
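The post above pins the build to sudo 1.8.31 on a freshly installed Ubuntu 20.04.1 with no updates, which is inside the range Qualys reported as affected by CVE-2021-3156 (legacy 1.8.2 through 1.8.31p2, stable 1.9.0 through 1.9.5p1, fixed in 1.9.5p2). The following is an added example, not code from this issue or from the linked repository: a small POSIX shell triage helper that parses the first line of `sudo --version` output (the "Sudoers I/O plugin version 1.8.31" line quoted above comes from that same output) and classifies the version against that range. The sample output string is constructed, and the function names are my own. Because distributions backport the fix without changing the upstream version (Ubuntu's fixed package still reports 1.8.31), a match only means "check the package changelog", never "confirmed vulnerable".

```shell
#!/bin/sh
# Added example (not part of the issue thread): classify a sudo version
# string against the CVE-2021-3156 affected range reported by Qualys:
#   legacy 1.8.2 .. 1.8.31p2 and stable 1.9.0 .. 1.9.5p1 (fixed in 1.9.5p2).
# Function names and the sample output below are constructed for this example.

# Constructed sample of `sudo --version` output, as printed by sudo 1.8.31.
SAMPLE_SUDO_VERSION_OUTPUT="Sudo version 1.8.31
Sudoers policy plugin version 1.8.31
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.31"

# Extract the upstream version number from the "Sudo version X.Y.Z[pN]" line.
parse_sudo_version() {
    printf '%s\n' "$1" | sed -n 's/^Sudo version \([0-9][0-9.p]*\).*/\1/p' | head -n 1
}

# Turn "1.8.31p2" (optionally with a distro suffix such as "-1ubuntu1.2")
# into one comparable integer: major*10^9 + minor*10^6 + patch*10^3 + p-level.
sudo_version_key() {
    local v="$1" major minor patch plevel oldifs
    v="${v%%-*}"                      # drop "-1ubuntu1.2" style suffixes
    plevel=0
    case "$v" in
        *p*) plevel="${v##*p}"; v="${v%%p*}" ;;
    esac
    oldifs=$IFS; IFS=.; set -- $v; IFS=$oldifs
    major=$1; minor=${2:-0}; patch=${3:-0}
    echo $(( major * 1000000000 + minor * 1000000 + patch * 1000 + plevel ))
}

# Return 0 if the version lies inside either affected branch, 1 otherwise.
sudo_version_affected() {
    local key lo hi
    key=$(sudo_version_key "$1")
    lo=$(sudo_version_key 1.8.2); hi=$(sudo_version_key 1.8.31p2)   # legacy branch
    if [ "$key" -ge "$lo" ] && [ "$key" -le "$hi" ]; then return 0; fi
    lo=$(sudo_version_key 1.9.0); hi=$(sudo_version_key 1.9.5p1)    # stable branch
    if [ "$key" -ge "$lo" ] && [ "$key" -le "$hi" ]; then return 0; fi
    return 1
}

# Human-readable verdict for a captured `sudo --version` output.
report_sudo_version() {
    local ver
    ver=$(parse_sudo_version "$1")
    if [ -z "$ver" ]; then
        echo "could not parse a sudo version from the given output"
        return 2
    fi
    if sudo_version_affected "$ver"; then
        echo "sudo $ver: inside the CVE-2021-3156 affected range; confirm via the package changelog whether a fix was backported"
    else
        echo "sudo $ver: outside the CVE-2021-3156 affected range"
    fi
}

# Stand-alone run on the constructed sample; replace with "$(sudo --version)" on a real host.
report_sudo_version "$SAMPLE_SUDO_VERSION_OUTPUT"
```

The key comparison deliberately ignores the distro suffix, which is why the last step of any real check is the package changelog (`apt changelog sudo` on Ubuntu) rather than the number alone.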
Hi,
Try out this modified version of the fuzz: https://github.com/lockedbyte/CVE-Exploits/tree/master/CVE-2021-3156/fuzz2
Hi,
Thank you for your help ;)
Tested fuzz2.py with argv[1] = 10000 but no crash in process_hooks_getenv() or nss_load_library():
- /usr/bin/sudoedit (sudo 1.8.31 orig from ubuntu 20.04.1):
```text
0x0(%rbp),%rsi
0x3ec(%rax),%rax
<__GI___libc_malloc+286>: mov
<__GI_raise+203>: mov
<__GI___tsearch+35>: mov
<__memcmp_avx2_movbe+371>: movzwl (%rsi),%ecx
(%r15),%eax
(%rax),%edx
%rax,(%rbx)
(%rsi),%xmm2
<__strcasecmp_l_avx+252>: vmovdqa (%rsi),%xmm1
<__strcasecmp_l_avx+73>: vmovdqu (%rsi),%xmm2
<__strcmp_avx2+30>: vmovdqu (%rdi),%ymm1
<__strcmp_avx2+34>: vpcmpeqb (%rsi),%ymm1,%ymm0
<__strcmp_avx2+887>: vmovdqu (%rdi,%rdx,1),%ymm1
<__strcmp_avx2+933>: vmovdqu (%rdi,%rdx,1),%xmm1
<__strcmp_avx2+972>: vmovq (%rdi,%rdx,1),%xmm1
<__strlen_avx2+21>: vpcmpeqb (%rdi),%ymm0,%ymm1
<__tzstring+59>: mov
<unlink_chunk+15>: cmp
```
- /usr/local/bin/sudoedit (compiled sudo 1.8.31):
```text
<__GI_raise+203>: mov
<__GI___tsearch+35>: mov
<__memcmp_avx2_movbe+371>: movzwl (%rsi),%ecx
<rbdestroy_int+67>: mov
<__strcasecmp_l_avx+73>: vmovdqu (%rsi),%xmm2
<__strcmp_avx2+30>: vmovdqu (%rdi),%ymm1
<__strcmp_avx2+34>: vpcmpeqb (%rsi),%ymm1,%ymm0
<__strcmp_avx2+887>: vmovdqu (%rdi,%rdx,1),%ymm1
<__strlen_avx2+21>: vpcmpeqb (%rdi),%ymm0,%ymm1
<sudoers_io_open+801>: movzbl (%rax),%edx
<sudoers_policy_main+3392>: movzbl (%r15),%eax
<__tzstring+59>: mov
<unlink_chunk+15>: cmp
```
For information, I've just installed my Ubuntu 20.04.1, with no updates installed...
Hi,
It may take some time to get the crash... Leave it some more time.
I also uploaded to this repo the nss_load_library() crashes the fuzz got.
Run them with env -i to just load the specified environment variables in the gdb source file.
OK, I will try :)
Did you debug it directly on /usr/bin/sudoedit or with a compiled version?
Directly