<div id="top"></div>
<br />
<div align="center">
  <h1 align="center">CVE-2021-3156</h1>

  <p align="center">
    Visualization, Fuzzing, Exploit and Patch of Baron Samedit Vulnerability
    <br />
    <a href=""><strong>See report »</strong></a>
    <br />
    <br />
    <a href="">Francesco Marchiori</a>
    <a>Alessandro Lotto</a>
  </p>

  <details>
    <summary>Table of Contents</summary>
    <ol>
      <li><a href="#introduction">Abstract</a></li>
      <li><a href="#visualization">Visualization</a></li>
      <li><a href="#fuzzing">Fuzzing</a></li>
      <li><a href="#exploit">Exploit</a></li>
      <li><a href="#patch">Patch</a></li>
    </ol>
  </details>
</div>
<div id="introduction"></div>

## 🧩 Abstract

Every Unix-based operating system is equipped with the sudo command, which allows users who are expected to do so to temporarily escalate their privileges to root. sudo therefore provides a critical function that, if abused, may compromise the security and reliability of the whole system. Because of its importance within the operating system, sudo's source code is subject to frequent testing and code review. These led to the discovery of a heap-based buffer overflow, designated CVE-2021-3156, that had surprisingly remained hidden for almost 10 years. Not even fuzzing, one of the most widely used techniques for bug and vulnerability discovery, had managed to spot it earlier. In this paper we analyze the CVE-2021-3156 sudo vulnerability in detail, from the buffer overflow itself up to how it can be exploited to obtain a root shell as an unprivileged user, even one who is not allowed to use the sudo command.

<div id="visualization"></div>

## 🖼️ Visualization

The [`Visualization`]() directory contains a couple of scripts that we used to visualize how arguments are parsed with and without backslash characters, and to analyze how environment variables affect the heap layout, in order to better understand the structure of the proposed exploit.

<div id="fuzzing"></div>

## 🔍 Fuzzing

The [`Fuzzing`]() directory contains the files needed to fuzz the vulnerable version of sudo. It also documents how to set up the fuzzing and how to work around the problems that prevent [AFL]() from working out of the box, which explains how the vulnerability stayed hidden for almost 10 years.

<div id="exploit"></div>

## ⚔️ Exploit

The [`Exploit`]() directory contains the files needed to perform the attack on another vulnerable version of sudo. We use environment variables to populate memory (heap feng shui) and overwrite the name of the `service_user` object, so that our own code is executed instead of a library being loaded.

<div id="patch"></div>

## 🛡️ Patch

The [`Patch`]() directory contains [`overflow_simulation_patch.c`](), a program that simulates the behaviour of the overflow and patches it with additional code that we wrote. Since the developers of the Sudo project chose to fix the vulnerable flow rather than the code itself, we show a different approach and how it can be fixed with just a few lines of code.
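As an added illustration of the overflow that such a simulation targets (this is example code written for this README, not the repository's `overflow_simulation_patch.c`), the C program below reproduces the shape of sudo's argument-unescaping loop over a constructed memory block holding two adjacent argument strings, and counts how many bytes the loop wants to write compared to what the sizing pass reserved. The `fixed` switch, the helper names and the sample strings are assumptions of this example; the check it adds simply refuses to let a backslash "escape" the terminating NUL.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample: two argv strings back to back, as the kernel lays them
   out. The first ends with a lone backslash, the trigger; the second stands in
   for whatever follows in memory. */
static const char ARGV_BLOCK[] = "abc\\\0secret\0";

/* Unescaping loop shaped like the one in sudo's set_cmnd(): a backslash not
   followed by whitespace is dropped and the next byte is copied verbatim.
   Returns how many bytes the loop wants to write for the string at `from`;
   writes are capped at `dst_cap` so the simulation never corrupts memory. */
static size_t unescape_arg(const char *from, char *dst, size_t dst_cap, bool fixed) {
    size_t written = 0;
    for (; *from != '\0'; from++) {
        bool escape = from[0] == '\\' && !isspace((unsigned char)from[1]);
        if (fixed && from[1] == '\0')
            escape = false;  /* patched: a backslash may not "escape" the NUL */
        if (escape)
            from++;          /* unpatched: a trailing backslash lands here on the
                                NUL, copies it, then walks into the next string */
        if (written < dst_cap)
            dst[written] = *from;
        written++;
    }
    if (written < dst_cap)
        dst[written] = '\0';
    return written;
}

/* Bytes the sizing pass reserves for one argument: its length plus one. */
static size_t reserved_for(const char *arg) { return strlen(arg) + 1; }

/* Bytes the copy of the first sample argument would produce beyond the
   reservation; 0 means it fits. */
static size_t overflow_bytes(bool fixed) {
    char scratch[64];
    size_t need = unescape_arg(ARGV_BLOCK, scratch, sizeof scratch, fixed) + 1;
    return need > reserved_for(ARGV_BLOCK) ? need - reserved_for(ARGV_BLOCK) : 0;
}

/* Convenience for checking what a short, in-bounds argument unescapes to. */
static bool unescapes_to(const char *in, const char *expect, bool fixed) {
    char out[64];
    unescape_arg(in, out, sizeof out, fixed);
    return strcmp(out, expect) == 0;
}
```

With the sample block, the unpatched loop copies the NUL and the whole following string, six bytes more than were reserved; the patched loop keeps the trailing backslash literally and fits exactly.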

<p align="right"><a href="#top">(back to top)</a></p>