Linux Privilege Escalation

CVE-2021-3156

March 19, 2026

The post is still being written, or I'm just too lazy :v

Why pick sudo as a research target:

  • Widely used: it is installed setuid root on practically every Linux system, so any memory-safety bug in it is a privilege-escalation bug.
  • Large codebase -> more attack surface.
  • Actively developed -> new code keeps landing that has not been audited yet -> more likely to contain vulnerabilities.

With a codebase this big, where do you even start reading? Let's try grey-box fuzzing with AFL++ and see.

AFL++ feeds its input via stdin or an input file, but sudo takes its input as command-line arguments:

  • A Google search turned up argv-fuzz-inl.h: call AFL_INIT_ARGV() right at the start of main() and it reads the fuzzer's input from stdin and overwrites argv[] with it (one argument per NUL-terminated string).
~/CVE-2021-3156/sudo-1.8.31p2/src$ wget https://github.com/AFLplusplus/AFLplusplus/raw/refs/heads/stable/utils/argv_fuzzing/argv-fuzz-inl.h
--- ./sudo-1.8.31p2/src/sudo.c	2020-06-12 06:14:53.000000000 -0700
+++ ./sudo-1.8.31p2/src/sudo.c	2021-03-16 06:32:56.655334720 -0700
@@ -68,6 +68,7 @@
 #include "sudo.h"
 #include "sudo_plugin.h"
 #include "sudo_plugin_int.h"
+#include "argv-fuzz-inl.h"
 
 /*
  * Local variables
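Review bot: the new `#include "argv-fuzz-inl.h"` is fuzzing-only harness code but is added unconditionally, so every build of sudo.c from this tree now requires the header to be present in src/. Guard it (together with the AFL_INIT_ARGV() call) behind a macro the AFL++ compilers define, e.g. `#ifdef __AFL_COMPILER`, so a normal build of the same source is unaffected.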
@@ -134,6 +135,7 @@
 int
 main(int argc, char *argv[], char *envp[])
 {
+	AFL_INIT_ARGV();
     int nargc, ok, status = 0;
     char **nargv, **env_add;
     char **user_info, **command_info, **argv_out, **user_env_out;
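Review bot: AFL_INIT_ARGV() replaces argc and argv wholesale, argv[0] included: the first NUL-terminated string read from stdin becomes argv[0], so a seed such as `-l\0` yields argc == 1 with argv[0] == "-l" and sudo sees no actual arguments. Either use AFL_INIT_SET0("sudo") from the same header, which pins argv[0] and lets the fuzzer control only the remaining arguments, or make every seed start with a program-name token. Minor: the added line is indented with a tab while the surrounding declarations use spaces, and it places a statement before the local declarations, which this C89-style file otherwise avoids.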
  • Then instrument sudo with afl-gcc, but first check the build instructions:

![[images/image-1.png]]

cd /pwd/sudo-1.8.31p2
CC=afl-gcc ./configure --disable-shared
make
mkdir /tmp/in
mkdir /tmp/out
echo -en "-l\x00" > /tmp/in/1.testcase
afl-fuzz -i /tmp/in -o /tmp/out ./src/sudo
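How AFL_INIT_ARGV() turns a seed file such as the `-l\x00` above into argc/argv, as an added example. This is my own code written for this page, not the post's code and not the AFL++ header itself: decode_argv() re-implements the rules of afl_init_argv() from argv-fuzz-inl.h and encode_argv() is the inverse a seed generator should write. The limits MAX_CMDLINE_LEN / MAX_CMDLINE_PAR and the convention that a lone 0x02 byte encodes an empty argument are taken from that header and should be confirmed against the copy you downloaded.

```c
/*
 * Added example (my own code, not from the post or from the AFL++ header):
 * how an argv-fuzzing seed becomes argc/argv.  decode_argv() follows the
 * rules of afl_init_argv() in AFL++'s argv-fuzz-inl.h; encode_argv() is the
 * inverse.  MAX_CMDLINE_LEN / MAX_CMDLINE_PAR and the "\x02 = empty
 * argument" convention are assumed to match the header.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_CMDLINE_LEN 100000
#define MAX_CMDLINE_PAR 50000

/*
 * Split a raw seed buffer into argv:
 *   - every argument is a NUL-terminated string; the FIRST one becomes argv[0]
 *   - parsing stops at the first empty string (two consecutive NULs)
 *   - a string consisting of the single byte 0x02 is an empty argument
 * buf must have room for len + 2 bytes: two NULs are appended so a seed
 * without a terminator still ends the loop.  Returns argc.
 */
static int decode_argv(char *buf, size_t len, char **argv, int max_par) {
    int argc = 0;
    char *ptr = buf;

    buf[len] = buf[len + 1] = '\0';
    while (*ptr && argc < max_par) {
        argv[argc] = ptr;
        if (argv[argc][0] == 0x02 && !argv[argc][1])
            argv[argc]++;            /* "\x02" -> "" */
        argc++;
        while (*ptr) ptr++;          /* advance to this argument's NUL ... */
        ptr++;                       /* ... and past it */
    }
    argv[argc] = NULL;
    return argc;
}

/*
 * Serialise argv into the seed format: each argument NUL-terminated, an
 * empty argument written as "\x02".  Returns bytes written, or -1 if cap
 * is too small.
 */
static long encode_argv(int argc, char **argv, char *out, size_t cap) {
    size_t pos = 0;

    for (int i = 0; i < argc; i++) {
        const char *a = argv[i][0] ? argv[i] : "\x02";
        size_t n = strlen(a) + 1;    /* include the NUL terminator */
        if (pos + n > cap) return -1;
        memcpy(out + pos, a, n);
        pos += n;
    }
    return (long)pos;
}

/* Scratch storage mirroring the header's static in_buf / ret arrays. */
static char  g_buf[MAX_CMDLINE_LEN];
static char *g_argv[MAX_CMDLINE_PAR];
static char  g_seed[MAX_CMDLINE_LEN];

/* Decode a binary seed of explicit length into g_argv; returns argc. */
static int parse_seed(const void *seed, size_t len) {
    if (len > MAX_CMDLINE_LEN - 2) len = MAX_CMDLINE_LEN - 2;
    memcpy(g_buf, seed, len);
    return decode_argv(g_buf, len, g_argv, MAX_CMDLINE_PAR - 1);
}

/* Accessor for the last parse_seed() result. */
static const char *seed_arg(int i) { return g_argv[i]; }

static void show(const char *label, const void *seed, size_t len) {
    int argc = parse_seed(seed, len);
    printf("%-26s argc=%d", label, argc);
    for (int i = 0; i < argc; i++) printf(" argv[%d]=\"%s\"", i, seed_arg(i));
    putchar('\n');
}

int main(void) {
    /* The seed from the build instructions, echo -en "-l\x00": sudo would
     * see argv[0] == "-l" and no arguments at all. */
    show("seed \"-l\\0\"", "-l\0", 3);

    /* A seed that carries a program name first fuzzes the real arguments. */
    show("seed \"sudo\\0-l\\0\"", "sudo\0-l\0", 8);

    /* Everything after a double NUL is ignored. */
    show("seed \"sudo\\0\\0-l\\0\"", "sudo\0\0-l\0", 9);

    /* Round trip: an empty argument survives as "\x02" in the file. */
    long n = encode_argv(3, (char *[]){"sudo", "-l", ""}, g_seed, sizeof g_seed);
    show("encode {sudo,-l,\"\"}", g_seed, (size_t)n);
    return 0;
}
```

The practical takeaway is in the first two cases: with the seed from the build instructions the fuzzer is mutating sudo's program name rather than its arguments, so seeds for this harness should either begin with a program-name token or the harness should use the header's AFL_INIT_SET0() variant that pins argv[0].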
Excerpt of the tweak needed in sudo's debug header: the `__func__` declaration inside `debug_decl_func` is renamed to `sudo_func`, with the original line left commented out (the rest of the macro definitions is not shown here):

# define debug_decl_func(funcname)					       \
	const char *sudo_func = #funcname;
    // const char __func__[] = #funcname;
# define debug_decl_vars(funcname, subsys)				
~/CVE-2021-3156/sudo-1.8.31p2$ CC=afl-clang-fast ./configure --disable-shared
~/CVE-2021-3156/sudo-1.8.31p2$ make -j$(nproc)
~/CVE-2021-3156/sudo-1.8.31p2$ sudo chown root:root ./src/sudo
~/CVE-2021-3156/sudo-1.8.31p2$ sudo chmod 4755 ./src/sudo
~/CVE-2021-3156/sudo-1.8.31p2$ ls -la ./src/sudo
-rwsr-xr-x 1 root root 2120696 Mar 19 15:38 ./src/sudo
~/CVE-2021-3156/sudo-1.8.31p2$ mkdir /tmp/in
~/CVE-2021-3156/sudo-1.8.31p2$ mkdir /tmp/out
~/CVE-2021-3156/sudo-1.8.31p2$ echo -en "-l\x00" > /tmp/in/1
~/CVE-2021-3156/sudo-1.8.31p2$ echo core | sudo tee /proc/sys/kernel/core_pattern
~/CVE-2021-3156/sudo-1.8.31p2$ afl-fuzz -i /tmp/in/ -o /tmp/out ./src/sudo