sudo local privilege escalation vulnerability (CVE-2021-3156)
Published: 2021-01-27
0x00 Vulnerability overview
CVE ID | CVE-2021-3156 | Date | 2021-01-27 |
Type | Privilege escalation | Severity | High |
Remotely exploitable | No | Affected scope | |
0x01 Vulnerability details

Sudo is a powerful tool that allows ordinary users to run commands with root privileges; most Unix- and Linux-based operating systems include sudo.
On January 26, 2021, a heap-based buffer overflow vulnerability in sudo (CVE-2021-3156, named "Baron Samedit") was disclosed that can lead to local privilege escalation.
On Unix-like operating systems, non-root users can use the sudo command to run commands as root. Because sudo incorrectly escapes backslashes in command arguments, a heap buffer overflow occurs that allows any local user (whether or not they are listed in the sudoers file) to obtain root privileges without authentication; the attacker does not need to know the user's password.
Security researchers publicly disclosed the vulnerability on January 26 and noted that it had gone unnoticed for nearly ten years.
Affected versions
Sudo 1.8.2 - 1.8.31p2
Sudo 1.9.0 - 1.9.5p1
To test whether a system is affected by this vulnerability:
1. Log in to the system as a non-root user.
2. Run the command "sudoedit -s /"
3. If an error response beginning with "sudoedit:" appears, the system is affected; if an error response beginning with "usage:" appears, the vulnerability has already been patched.
0x02 Mitigation recommendations
Upgrade sudo to the latest version as soon as possible.
Download link:
https://www.sudo.ws/dist/
Temporary workaround (Red Hat)
1. Install the required systemtap packages and dependencies:
systemtap yum-utils kernel-devel-"$(uname -r)"
On RHEL 7, install the kernel debuginfo: debuginfo-install -y kernel-"$(uname -r)"
On RHEL 8, install the sudo debuginfo: debuginfo-install sudo
2. Create the following systemtap script (save it as sudoedit-block.stap):
probe process("/usr/bin/sudo").function("main") {
    # Reconstruct the full command line of the sudo process being traced.
    command = cmdline_args(0,0,"");
    # Any sudo invocation whose command line contains the substring "edit"
    # (sudoedit, sudo --edit, but also any argument containing "edit") is
    # killed with signal 9 before main() runs; other sudo commands are untouched.
    if (strpos(command, "edit") >= 0) {
        raise(9);
    }
}
3. Load the script with the following command (as root):
# nohup stap -g sudoedit-block.stap &
This prints the PID of the systemtap script. While it is running, the vulnerable sudoedit binary stops working, but the sudo command itself continues to work as usual.
Note that this change does not survive a reboot and must be reapplied after every restart.
4. Once the patched package has been installed, the systemtap script can be removed by terminating the systemtap process, for example with the following command, where 7590 is the PID of the systemtap process.
# kill -s SIGTERM 7590
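The four steps above can be wrapped in a small manager script so that the PID printed in step 3 is recorded rather than copied by hand into step 4. This is an added example, not Red Hat's or the advisory's tooling; the file locations (/etc/sudoedit-block.stap, /run/sudoedit-block.pid, /var/log/sudoedit-block.log) and the start/stop/status subcommands are this example's own assumptions, and it expects the packages from step 1 to already be installed.

```shell
#!/bin/sh
# Added example (not Red Hat's or the advisory's own tooling): a small manager
# for the SystemTap workaround. The paths below are assumptions of this example.
STAP_FILE="${STAP_FILE:-/etc/sudoedit-block.stap}"   # where the probe script is written
PID_FILE="${PID_FILE:-/run/sudoedit-block.pid}"       # PID of the running stap process
LOG_FILE="${LOG_FILE:-/var/log/sudoedit-block.log}"   # stap output (compile errors etc.)

# Step 2 of the advisory: write the probe script verbatim. It kills any sudo
# invocation whose command line contains "edit" before main() runs.
write_stap_script() {
    cat > "$1" <<'EOF'
probe process("/usr/bin/sudo").function("main") {
    command = cmdline_args(0,0,"");
    if (strpos(command, "edit") >= 0) {
        raise(9);
    }
}
EOF
}

# Reports "running" if the recorded PID still exists, otherwise "stopped".
status_sudoedit_block() {
    if [ -r "$PID_FILE" ] && kill -0 "$(cat "$PID_FILE")" 2>/dev/null; then
        echo running
    else
        echo stopped
    fi
}

# Step 3: load the probe in the background (needs root and the systemtap
# packages from step 1) and remember its PID so it can be stopped later.
start_sudoedit_block() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "start: must run as root" >&2
        return 1
    fi
    if [ "$(status_sudoedit_block)" = running ]; then
        echo "already running (pid $(cat "$PID_FILE"))"
        return 0
    fi
    write_stap_script "$STAP_FILE"
    nohup stap -g "$STAP_FILE" >"$LOG_FILE" 2>&1 &
    echo "$!" > "$PID_FILE"
    echo "started stap with pid $!"
}

# Step 4: once the patched sudo package is installed, terminate the stap
# process (the advisory's "kill -s SIGTERM <pid>") and remove the PID file.
stop_sudoedit_block() {
    if [ "$(status_sudoedit_block)" != running ]; then
        echo "not running"
        rm -f "$PID_FILE"
        return 0
    fi
    kill -s TERM "$(cat "$PID_FILE")"
    rm -f "$PID_FILE"
    echo "stopped"
}

case "${1:-}" in
    start)  start_sudoedit_block ;;
    stop)   stop_sudoedit_block ;;
    status) status_sudoedit_block ;;
    "")     ;;   # no argument: only define the functions
    *)      echo "usage: $0 {start|stop|status}" >&2; exit 2 ;;
esac
```

Run "sh sudoedit-block.sh start" as root after completing step 1; "status" tells you whether the recorded stap process is still alive, which is worth checking after a reboot because the probe is not persistent; "stop" performs step 4 against the recorded PID instead of a hand-typed one, and tolerates a stale PID file left behind by a reboot.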
0x03 References
https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit
https://access.redhat.com/security/cve/CVE-2021-3156
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3156
https://www.bleepingcomputer.com/news/security/new-linux-sudo-flaw-lets-local-users-gain-root-privileges/
0x04 Timeline
2021-01-26 Qualys discloses the vulnerability
2021-01-27 Red Hat publishes a security advisory
2021-01-27 VSRC publishes a security advisory
0x05 Appendix
CVSS scoring standard (official site): http://www.first.org/cvss/