sudo local privilege escalation vulnerability (CVE-2021-3156)

Published 2021-01-27

0x00 Vulnerability overview

CVE ID: CVE-2021-3156

Date: 2021-01-27

Type: Privilege escalation

Severity: High

Remote exploitation: No

Affected scope:

0x01 Vulnerability details

Sudo is a powerful tool that allows ordinary users to run commands with root privileges; most Unix- and Linux-based operating systems include sudo.

On January 26, 2021, sudo was disclosed to contain a heap-based buffer overflow vulnerability (CVE-2021-3156, named "Baron Samedit") that can lead to local privilege escalation.

On Unix-like operating systems, a non-root user can use the sudo command to run commands as the root user. Because sudo mishandles the escaping of backslashes in command-line arguments, a heap buffer overflow occurs, which allows any local user (whether or not they are listed in the sudoers file) to obtain root privileges without authentication; the attacker does not need to know a user password.

Security researchers publicly disclosed the vulnerability on January 26 and stated that it had gone unnoticed for nearly ten years.

Affected scope

Sudo 1.8.2 - 1.8.31p2

Sudo 1.9.0 - 1.9.5p1

To test whether a system is affected by this vulnerability:

1. Log in to the system as a non-root user.

2. Run the command "sudoedit -s /".

3. If an error message beginning with "sudoedit:" is printed, the system is affected by this vulnerability; if an error message beginning with "usage:" is printed, the vulnerability has been fixed by a patch.
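The following POSIX shell script is an added example, not part of the original advisory: it automates the two checks this advisory gives, comparing the version printed by `sudo -V` against the affected ranges listed above and classifying the first line printed by `sudoedit -s /` as step 3 describes. The function names are my own, and the `SAMPLE_*` strings at the bottom are constructed inputs rather than output captured from a real host.

```shell
#!/bin/sh
# Added example for CVE-2021-3156 (not from the advisory). Function names
# are assumptions; the SAMPLE_* values below are constructed.

# Print "affected" if VERSION (e.g. "1.8.31p2") lies in one of the ranges
# listed in this advisory: 1.8.2 - 1.8.31p2 or 1.9.0 - 1.9.5p1.
is_affected_version() {
    v=$1
    base=${v%%p*}                 # "1.8.31p2" -> "1.8.31"
    case $v in
        *p*) plevel=${v##*p} ;;   # "1.8.31p2" -> "2"
        *)   plevel=0 ;;
    esac
    major=${base%%.*}             # "1"
    rest=${base#*.}               # "8.31"
    minor=${rest%%.*}             # "8"
    patch=${rest#*.}              # "31"
    [ "$patch" = "$rest" ] && patch=0   # tolerate "1.9" with no third field

    result=not-affected
    if [ "$major" -eq 1 ] && [ "$minor" -eq 8 ]; then
        # 1.8.2 .. 1.8.31p2 inclusive; 1.8.32 is fixed
        if [ "$patch" -ge 2 ] && { [ "$patch" -lt 31 ] || { [ "$patch" -eq 31 ] && [ "$plevel" -le 2 ]; }; }; then
            result=affected
        fi
    elif [ "$major" -eq 1 ] && [ "$minor" -eq 9 ]; then
        # 1.9.0 .. 1.9.5p1 inclusive; 1.9.5p2 is fixed
        if [ "$patch" -lt 5 ] || { [ "$patch" -eq 5 ] && [ "$plevel" -le 1 ]; }; then
            result=affected
        fi
    fi
    printf '%s\n' "$result"
}

# Extract the version number from the banner printed by `sudo -V`
# (its first line looks like "Sudo version 1.8.31p2").
version_from_banner() {
    printf '%s\n' "$1" | awk '$1 == "Sudo" && $2 == "version" { print $3; exit }'
}

# Classify the first line printed by `sudoedit -s /`, per step 3 above.
classify_sudoedit_output() {
    case $1 in
        sudoedit:*) printf 'vulnerable\n' ;;
        usage:*)    printf 'patched\n' ;;
        *)          printf 'unknown\n' ;;
    esac
}

# Live check for a host that has sudo installed; does nothing elsewhere.
check_live_system() {
    command -v sudoedit >/dev/null 2>&1 || { printf 'sudoedit not found\n'; return 0; }
    first=$(sudoedit -s / 2>&1 | head -n 1)
    printf 'sudoedit check: %s (%s)\n' "$(classify_sudoedit_output "$first")" "$first"
    ver=$(version_from_banner "$(sudo -V 2>/dev/null)")
    [ -n "$ver" ] && printf 'sudo %s: %s\n' "$ver" "$(is_affected_version "$ver")"
    return 0
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_BANNER='Sudo version 1.8.31p2
Sudoers policy plugin version 1.8.31p2'
SAMPLE_VULN_LINE='sudoedit: /: not a regular file'
SAMPLE_FIXED_LINE='usage: sudoedit [-AknS] [-u user] file ...'

sample_ver=$(version_from_banner "$SAMPLE_BANNER")
printf 'banner version %s is %s\n' "$sample_ver" "$(is_affected_version "$sample_ver")"
printf 'sample vulnerable line -> %s\n' "$(classify_sudoedit_output "$SAMPLE_VULN_LINE")"
printf 'sample fixed line -> %s\n' "$(classify_sudoedit_output "$SAMPLE_FIXED_LINE")"
```

Call `check_live_system` on the host under review to run both checks against the real `sudo` binary; the version comparison is useful on its own for inventories where only `sudo -V` output has been collected, and the output classifier mirrors the page's test so the two can be cross-checked (a distribution backport can leave the version inside an affected range while `sudoedit -s /` already reports `usage:`).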

 

 

0x02 Remediation advice

Upgrade sudo to the latest version as soon as possible.

Download link:

https://www.sudo.ws/dist/

Temporary mitigation (Red Hat)

1. Install the required systemtap packages and dependencies:

systemtap yum-utils kernel-devel-"$(uname -r)"

RHEL 7, install the kernel debuginfo: debuginfo-install -y kernel-"$(uname -r)"

RHEL 8, install the sudo debuginfo: debuginfo-install sudo

2. Create the following systemtap script (save the file as sudoedit-block.stap):

probe process("/usr/bin/sudo").function("main") {
        command = cmdline_args(0,0,"");          // argv[0] of the probed sudo process
        if (strpos(command, "edit") >= 0) {      // invoked under the sudoedit name
                raise(9);                        // kill it with signal 9 (SIGKILL)
        }
}

3. Load the script with the following command (as root):

# nohup stap -g sudoedit-block.stap &

This prints the PID of the systemtap process. The script makes the vulnerable sudoedit binary stop working, while the sudo command keeps working as usual.

Note that this change is lost on reboot and must be reapplied after every reboot.

4. Once the patch has been installed, the systemtap script can be removed by terminating the systemtap process, for example with the following command, where 7590 is the PID of the systemtap process:

# kill -s SIGTERM 7590
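As an added example (my own wrapper, not Red Hat's or the advisory's), the script below packages steps 2 to 4 of the temporary mitigation: it writes the same sudoedit-block.stap script, starts it the way step 3 does, records the stap PID in a pidfile so step 4 does not depend on someone remembering a number, and refuses to send SIGTERM to a PID that is no longer a stap process. The directory under `/var/tmp`, the pidfile name and the function names are assumptions; running `start`/`stop` requires root and a host with systemtap installed, while `write` works anywhere.

```shell
#!/bin/sh
# Added example: wrapper around the systemtap mitigation for CVE-2021-3156.
# Paths and function names are assumptions, not from the advisory.

STAP_DIR=${STAP_DIR:-/var/tmp/sudoedit-block}   # assumed writable by root
STAP_SCRIPT="$STAP_DIR/sudoedit-block.stap"
PIDFILE="$STAP_DIR/stap.pid"

# Write the systemtap script from step 2 into DIR (default $STAP_DIR)
# and print the resulting path.
write_stap_script() {
    dir=${1:-$STAP_DIR}
    mkdir -p "$dir"
    cat > "$dir/sudoedit-block.stap" <<'EOF'
probe process("/usr/bin/sudo").function("main") {
        command = cmdline_args(0,0,"");
        if (strpos(command, "edit") >= 0) {
                raise(9);
        }
}
EOF
    printf '%s\n' "$dir/sudoedit-block.stap"
}

# True when PID's command name is "stap" (reads /proc, so Linux only).
pid_is_stap() {
    [ -r "/proc/$1/comm" ] && [ "$(cat "/proc/$1/comm")" = stap ]
}

# Step 3: start stap in guru mode (-g, needed for raise()) and record its PID.
start_mitigation() {
    command -v stap >/dev/null 2>&1 || { printf 'stap not installed (see step 1)\n' >&2; return 1; }
    [ -f "$STAP_SCRIPT" ] || write_stap_script >/dev/null
    if [ -f "$PIDFILE" ] && pid_is_stap "$(cat "$PIDFILE")"; then
        printf 'already running, pid %s\n' "$(cat "$PIDFILE")"
        return 0
    fi
    nohup stap -g "$STAP_SCRIPT" >"$STAP_DIR/stap.log" 2>&1 &
    printf '%s\n' "$!" > "$PIDFILE"
    printf 'started stap, pid %s (not persistent across reboot)\n' "$!"
}

# Step 4: after patching, stop the stap process recorded in the pidfile.
# Only signal it if the PID still belongs to stap, so a reused PID is safe.
stop_mitigation() {
    [ -f "$PIDFILE" ] || { printf 'no pidfile, nothing to stop\n'; return 0; }
    pid=$(cat "$PIDFILE")
    if pid_is_stap "$pid"; then
        kill -s TERM "$pid" && rm -f "$PIDFILE" && printf 'stopped pid %s\n' "$pid"
    else
        printf 'pid %s is not a stap process; removing stale pidfile\n' "$pid"
        rm -f "$PIDFILE"
    fi
}

case ${1:-} in
    start) start_mitigation ;;
    stop)  stop_mitigation ;;
    write) write_stap_script ;;
    *)     : ;;   # no argument: only define the functions
esac
```

Because the mitigation does not survive a reboot, the `start` action is the thing to hook into whatever the host runs at boot until the patched sudo package is installed; `stop` then retires it without a manual `kill`.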

 

 

0x03 References

https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit

https://access.redhat.com/security/cve/CVE-2021-3156

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3156

https://www.bleepingcomputer.com/news/security/new-linux-sudo-flaw-lets-local-users-gain-root-privileges/

0x04 Timeline

2021-01-26  Qualys disclosed the vulnerability

2021-01-27  Red Hat published a security advisory

2021-01-27  VSRC published a security advisory

0x05 Appendix

CVSS scoring standard (official site): http://www.first.org/cvss/