diff --git a/modules/vulnerabilities/unix/local/sudo_baron/files/sudo_1.8.19p1-2.1_amd64.deb b/modules/vulnerabilities/unix/local/sudo_baron/files/sudo_1.8.19p1-2.1_amd64.deb
new file mode 100644
index 000000000..968d40dc8
Binary files /dev/null and b/modules/vulnerabilities/unix/local/sudo_baron/files/sudo_1.8.19p1-2.1_amd64.deb differ
diff --git a/modules/vulnerabilities/unix/local/sudo_baron/manifests/install.pp b/modules/vulnerabilities/unix/local/sudo_baron/manifests/install.pp
new file mode 100644
index 000000000..8cf11471b
--- /dev/null
+++ b/modules/vulnerabilities/unix/local/sudo_baron/manifests/install.pp
@@ -0,0 +1,26 @@
+class sudo_baron::install {
+ Exec { path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'] }
+
+ $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+ $leaked_filenames = $secgen_parameters['leaked_filenames']
+ $strings_to_leak = $secgen_parameters['strings_to_leak']
+
+ file { '/tmp/sudo_1.8.19p1-2.1_amd64.deb':
+ ensure => file,
+ source => 'puppet:///modules/sudo_baron/sudo_1.8.19p1-2.1_amd64.deb',
+ }
+ -> package { 'downgrade sudo':
+ ensure => installed,
+ provider => dpkg,
+ source => '/tmp/sudo_1.8.19p1-2.1_amd64.deb'
+ }
+
+ # Leak a file containing a string/flag to /root/
+ ::secgen_functions::leak_files { 'sudo-baron-file-leak':
+ storage_directory => '/root',
+ leaked_filenames => $leaked_filenames,
+ strings_to_leak => $strings_to_leak,
+ leaked_from => "sudobaron",
+ mode => '0600'
+ }
+}
diff --git a/modules/vulnerabilities/unix/local/sudo_baron/secgen_metadata.xml b/modules/vulnerabilities/unix/local/sudo_baron/secgen_metadata.xml
new file mode 100644
index 000000000..c54c3c398
--- /dev/null
+++ b/modules/vulnerabilities/unix/local/sudo_baron/secgen_metadata.xml
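Review bot: The `package { 'downgrade sudo': ... }` resource in install.pp uses its title as the package name, and dpkg will never report a package called "downgrade sudo" as installed, so the resource cannot converge and the dpkg provider will re-run the install from the .deb on every agent run. Adding `name => 'sudo',` gives the provider the real package to query; with the dpkg provider, `ensure => installed` would then be satisfied by whichever sudo is already present, so if the intent is to force this particular build, pin it with something like `ensure => '1.8.19p1-2.1',` — I believe the dpkg provider compares that against the installed version, but confirm on the Puppet release in use. Separately, `leaked_from => "sudobaron"` is the only double-quoted string in a file that otherwise uses single quotes; `leaked_from => 'sudobaron',` keeps the style consistent.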
@@ -0,0 +1,68 @@
+ + + + Sudo Baron Heap Overflow + James Davis + MIT + Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based + buffer overflow, which allows privilege escalation to root via "sudoedit -s" and a + command-line argument that ends with a single backslash character. + + + local_priv_escal + root_rwx + local + linux + medium + + strings_to_leak + leaked_filenames + + + + + + + + + + + .*Stretch.* + + + .*Kali.* + + + .*Windows.* + + + .*Ubuntu.* + + + CVE-2021-3156 + 7 + AV:N/AC:L/Au:N/C:C/I:C/A:C + https://nvd.nist.gov/vuln/detail/CVE-2023-22809 + Sudo + Misc + + + EXPLOITATION + EXPLOITATION FRAMEWORKS + + + CVEs and CWEs + + + PENETRATION TESTING - SOFTWARE TOOLS + PENETRATION TESTING - ACTIVE PENETRATION + + + kill chains + + + cyber kill chain +
\ No newline at end of file
diff --git a/modules/vulnerabilities/unix/local/sudo_baron/sudo_baron.pp b/modules/vulnerabilities/unix/local/sudo_baron/sudo_baron.pp
new file mode 100644
index 000000000..d972bceb0
--- /dev/null
+++ b/modules/vulnerabilities/unix/local/sudo_baron/sudo_baron.pp
@@ -0,0 +1 @@
+include sudoedit::install
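Review bot: The NVD reference in secgen_metadata.xml points at `https://nvd.nist.gov/vuln/detail/CVE-2023-22809`, while the CVE identifier a few lines earlier and the description (off-by-one heap overflow reached through `sudoedit -s` and a trailing backslash) are for CVE-2021-3156; the link should be `https://nvd.nist.gov/vuln/detail/CVE-2021-3156`. The CVSS vector `AV:N/AC:L/Au:N/C:C/I:C/A:C` also disagrees with the module's own `local` and `local_priv_escal` classification — as far as I recall the NVD v2 vector for this CVE is AV:L with a base score of 7.2, so the access-vector component and the score of 7 are worth re-checking against the NVD entry. The XML tags were stripped in this rendering, so the element names above are inferred from their values.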
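Review bot: `include sudoedit::install` in sudo_baron.pp names a class this module does not define — the manifest added in the same commit declares `sudo_baron::install` — so applying the module will either fail on an unknown class or silently pull in a different module's installer, and the sudo downgrade and flag leak added here never run. It should read `include sudo_baron::install`. This looks like a copy-paste from a sibling `sudoedit` module; if one exists, its entry point is worth checking for the same slip.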