Duration: 19:55
How SUDO on Linux was HACKED! // CVE-2021-3156

2021-04-22

118K views, 9.8K likes, 38 dislikes

Channel: LiveOverflow

The most comprehensive video covering the sudo vulnerability CVE-2021-3156 (Baron Samedit). I spent two weeks rediscovering, analysing and exploiting the sudoedit heap overflow. We will talk about fuzzing, code review, exploit strategies, heap feng shui and developing the exploit.

https://liveoverflow.com/support

Article: https://liveoverflow.com/critical-sudo-vulnerability-walkthrough-cve-2021-3156/

Binary Exploitation Playlist: https://www.youtube.com/playlist?list=PLhixgUqwRTjxglIswKp9mpkfPNfHkzyeN

PwnFunction's Binary Exploitation Playlist: https://www.youtube.com/playlist?list=PLI_rLWXMqpSkAYfar0HRA7lykydwmRY_2

Full CVE-2021-3156 Advisory: https://packetstormsecurity.com/files/161160/Sudo-Heap-Based-Buffer-Overflow.html

Qualys Blog: https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit

milek7's blog on fuzzing sudo: https://milek7.pl/howlongsudofuzz/

00:00 - Intro and Motivation

01:33 - afl: Fuzzing argv[]

03:22 - afl: sudo vs. sudoedit

04:27 - afl: Fuzzing setuid Process

06:49 - Fuzzing Conclusion

07:11 - Code Review: Identify Risky Code Through Isolation

09:39 - Code Review: Bypass Safe Conditions

11:15 - Exploit Strategy: Modern Mitigations

12:25 - The service_user Object Overwrite Technique

13:48 - Heap Feng Shui via Environment Variables

14:57 - Bruteforce Script to Find Exploitable Conditions

15:39 - Find and Analyse Useful Crashes

16:31 - Exploitability Analysis Conclusion

17:13 - Qualys Researchers Knew nss From Stack Clash

17:47 - Sudoedit Exploitable on macOS?

18:32 - Research Conclusion

19:27 - Outro

-=[ ā¤ļø Support ]=-

→ per Video: https://www.patreon.com/join/liveoverflow

→ per Month: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join

-=[ šŸ• Social ]=-

→ Twitter: https://twitter.com/LiveOverflow/

→ Website: https://liveoverflow.com/

→ Subreddit: https://www.reddit.com/r/LiveOverflow/

→ Facebook: https://www.facebook.com/LiveOverflow/
