Merge pull request #308 from JD2344/sudo-baron

Add sudo Baron Heap overflow

modules/vulnerabilities/unix/local/sudo_baron/manifests/install.pp

@@ -0,0 +1,26 @@
+class sudo_baron::install {
+  Exec { path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'] }
+
+  $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+  $leaked_filenames = $secgen_parameters['leaked_filenames']
+  $strings_to_leak = $secgen_parameters['strings_to_leak']
+
+  file { '/tmp/sudo_1.8.19p1-2.1_amd64.deb':
+    ensure => file,
+    source => 'puppet:///modules/sudo_baron/sudo_1.8.19p1-2.1_amd64.deb',
+  }
+  -> package { 'downgrade sudo':
+    ensure   => installed,
+    provider => dpkg,
+    source   => '/tmp/sudo_1.8.19p1-2.1_amd64.deb'
+  }
+
+  # Leak a file containing a string/flag to /root/
+  ::secgen_functions::leak_files { 'sudo-baron-file-leak':
+    storage_directory => '/root',
+    leaked_filenames => $leaked_filenames,
+    strings_to_leak => $strings_to_leak,
+    leaked_from => "sudobaron",
+    mode => '0600'
+  }
+}

modules/vulnerabilities/unix/local/sudo_baron/secgen_metadata.xml

@@ -0,0 +1,68 @@
+<?xml version="1.0"?>
+
+<vulnerability xmlns="http://www.github/cliffe/SecGen/vulnerability"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.github/cliffe/SecGen/vulnerability">
+    <name>Sudo Baron Heap Overflow</name>
+    <author>James Davis</author>
+    <module_license>MIT</module_license>
+    <description>Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based
+        buffer overflow, which allows privilege escalation to root via "sudoedit -s" and a
+        command-line argument that ends with a single backslash character.
+    </description>
+
+    <type>local_priv_escal</type>
+    <privilege>root_rwx</privilege>
+    <access>local</access>
+    <platform>linux</platform>
+    <difficulty>medium</difficulty>
+
+    <read_fact>strings_to_leak</read_fact>
+    <read_fact>leaked_filenames</read_fact>
+
+    <default_input into="strings_to_leak">
+        <generator type="flag_generator" />
+    </default_input>
+
+    <default_input into="leaked_filenames">
+        <generator type="filename_generator" />
+    </default_input>
+
+    <conflict>
+        <name>.*Stretch.*</name>
+    </conflict>
+    <conflict>
+        <name>.*Kali.*</name>
+    </conflict>
+    <conflict>
+        <name>.*Windows.*</name>
+    </conflict>
+    <conflict>
+        <name>.*Ubuntu.*</name>
+    </conflict>
+
+    <cve>CVE-2021-3156</cve>
+    <cvss_base_score>7</cvss_base_score>
+    <cvss_vector>AV:N/AC:L/Au:N/C:C/I:C/A:C</cvss_vector>
+    <reference>https://nvd.nist.gov/vuln/detail/CVE-2023-22809</reference>
+    <software_name>Sudo</software_name>
+    <software_license>Misc</software_license>
+
+    <CyBOK KA="MAT" topic="Attacks and exploitation">
+        <keyword>EXPLOITATION</keyword>
+        <keyword>EXPLOITATION FRAMEWORKS</keyword>
+    </CyBOK>
+    <CyBOK KA="SS" topic="Categories of Vulnerabilities">
+        <keyword>CVEs and CWEs</keyword>
+    </CyBOK>
+    <CyBOK KA="SOIM" topic="PENETRATION TESTING">
+        <keyword>PENETRATION TESTING - SOFTWARE TOOLS</keyword>
+        <keyword>PENETRATION TESTING - ACTIVE PENETRATION</keyword>
+    </CyBOK>
+    <CyBOK KA="AB" topic="Models">
+        <keyword>kill chains</keyword>
+    </CyBOK>
+    <CyBOK KA="MAT" topic="Malicious Activities by Malware">
+        <keyword>cyber kill chain</keyword>
+    </CyBOK>
+</vulnerability>

modules/vulnerabilities/unix/local/sudo_baron/sudo_baron.pp

@@ -0,0 +1 @@
+include sudoedit::install