Baron Samedit
Last updated
Last updated
On January 26, 2021, the Qualys Research Team released a write-up on a heap overflow vulnerability in sudo that was later dubbed CVE‑2021‑3156, also known as Baron Samedit. This vulnerability allows any unprivileged user to gain root access on a system using an unpatched version of sudo.
In this module, you will learn how to exploit the Baron Samedit vulnerability.
CVSS Score: 7.8 HIGH
CVSS Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Recently you heard about a brand new privilege escalation exploit called Baron Samedit. You think that your system might be vulnerable but you are not sure.
You know that all legacy versions of sudo from 1.8.2 to 1.8.31p2
and all stable versions from 1.9.0 to 1.9.5p1
are affected by this bug. But does this apply to you or not?
Check sudo version:
apt-cache policy sudo
System is exploitable!
Now that you are sure you have an unpatched version of sudo installed, it is time to exploit the bug.
It has been discovered by security researchers that a command-line argument ending with a single backslash character can lead to a heap-based buffer overflow in the set_cmnd()
function of sudo. However, the condition is only met when the MODE_SHELL
flag and either the MODE_EDIT
or MODE_CHECK
flag are set, but the default MODE_RUN is not. Although setting all the right flags while running sudo seems impossible, researchers have identified a loophole. If you execute the sudoedit command instead of sudo (which technically runs the same binary), you can set all the necessary flags and overflow the heap-based buffer.
The exploit that has already been downloaded for you in the CVE-2021-3156/
directory on your desktop makes use of this technique to exploit the vulnerability.
make
./sudo-hax-me-a-sandwich
Note: 1 is our target number that match the sudo version
./sudo-hax-me-a-sandwich 1
apt-get update apt-get install sudo
Which version of sudo is installed on the desktop as reported by apt-cache?
What are the contents of the /root/flag.txt file?
1.8.31-1ubuntu1
9cbf95929f8ace5dcfc8326e0791fa83
Get root and retrieve the flag