Patch sudo NOW! CVE-2021-3156
Key Takeaways
The video discusses the CVE-2021-3156 vulnerability in sudo, a heap exploitation or heap buffer overflow that affects all versions of sudo, and provides steps to patch the vulnerability by updating to version 1.9.5p2. Tools such as sudo, wget, tar, and gzip are used to download and apply the patch.
Full Transcript
hey what's up everybody my name is john hammond so if you have been living under a rock for the past day and day and a half yesterday two days ago uh there is a new cve cve 2021 a 3156 that affects all the versions of sudo that we tend to know and use right now in the modern world so pseudo right the command that you use to run escalated commands or escalate your privileges and run a command as root or the super user super user do sudo on linux now it is a heap exploitation or a heap buffer overflow and i don't particularly consider myself a guy that's pretty sharp or smart on binary exploitation or reverse engineering but my good friend caleb is he's pretty sharp on that stuff so i kind of wanted to pick his brain i want to chat with him and i kind of want to get his hot take on what this thing is so this video is showcasing that conversation with him he's still kind of poking at it tinkering with it trying to follow in the steps of the koalas researchers because koalas the company that released and found this information found this bug in this flaw they did not release exploit code with that or proof of concept of poc that's totally cool that's totally understandable right it's probably a good move since there aren't a lot of patches rolled out already this is kind of breaking news and maybe we don't want to put that in potentially bad hands but obviously right a lot of us red teamers a lot of us security researchers are kind of curious and are kind of wondering hey can i play long can i look at this uh can i get a poc or a pocket just as well um so caleb's off to the races and uh we'll tune in with him maybe later hopefully if he gets a little bit more traction but he's still kind of out of wall anyway i wanted to put this out so maybe you could get a little bit of a bigger picture on what this thing is and you could learn a little bit more about it so uh before we dive in i do want to maybe walk through how we could patch this thing so i'll roll through some patching footage before we get into the video conversation with caleb but i'll try to include timestamps in the bottom of this or in the description of this video so you can kind of click around and navigate to what you might want to see anyway let's get to it alrighty so i am at my terminal i'm over here in my temporary directory and if i were to go ahead and run a command i'll just run sudo tactac version to see what version i'm running on and i am currently running on 1.8.31 now we know this version is affected by this bug by this vulnerability by the cve so it's kind of up to us the onus is on us to go ahead and update i'm more than positive this has already been rolled out to a lot of distribution repositories i'm pretty sure debian's got it so ubuntu's got it red hat centos uh arch obviously anything that's kind of a rolling release like on the bleeding edge right they've got this stuff already kind of locked in but if you don't or if you don't want to go work through the notion of getting it through the repositories go grab it from the source go grab it from the sudo main online official page you can see that they do have this new current stable release pseudo 1.9.5 p2 released on january 26 2021 and this is the patch version so that pseudo cve will not take effect here if you go up over to the download page you can see they've got a tar gzip file that you can go ahead and download i'll go ahead and copy that link and i'll hop back over here so i can run a wget and download this now this will take a little bit of time to run it is uh you know a decently sized package i also apparently already have that in my current directory so there is a dot one here forgive me this is kind of just for the demonstration's sake but uh this is what i would recommend anyone go do if you want a patch i've tweeted about this so i'll include that little tweet here uh you can go take a look at that but now that that is downloaded i can go ahead and ls see that it is in my current directory and i'll go ahead and tar extract it with x to extract v for verbose z because it's going to be a gzip or a gunzip file and f to specify the file i'll auto complete that pseudo path here and it'll go ahead and decompress extract all of that i can hop into that directory now and i should have all the files necessary to build this from source and go ahead and install it on my own machine so that command syntax is super simple just run dot slash configure to get your machine prepped and ready for it and it'll take a little bit of time to go through make sure you've got all the files that you need grab all the header information so that it can poop out a make file and then you can go ahead and make and make install it feels a little wonky running sudo make install to install sudo but you got to do it you got a patch and i would recommend you do this right away okay now that that has configured i can go ahead and run make and i will and and sudo make install with that and i'll whack that it will go ahead and compile and install it into the proper directories for my system so then the next time i run pseudotact version i will no longer see 1.8.31 or whatever it was now i'm going to be running on that 1.9.5 p2 as we know the patched version so that's just a quick all the commands you need to go ahead and patch and then you can trust that your machine is safe and secure do this do it patch update hotfix it's got to be done okay now that command has finished it has installed it so if i were to clear my screen and if i were to run sudo tactac version now i will still see the 1.8.31 but keep in mind your terminal kind of has to be restarted so the quick way to do this just as a sanity check as you're working with it you could just run bash taxi and then go ahead and pseudo tact version now you'll see the output hey you're running 1.9.5 p2 if you were to spawn a new terminal right here i am in a new window i'll bring that up to full screen obviously a pseudo tactic version in that context will tell me we are on the latest stable up-to-date and patched version of sudo cool all right now that that's out of the way let's get nerdy let's do a little deep dive with my good friend caleb as to what this koala's article and what all the news are all about with this bug and how it works and we'll talk a little bit about how we could be fuzzing it or also trying to find this vulnerability on our own he's still working through it but we'll keep you up to date in case we find anything new so roll the clip all right so uh we're gonna talk about the cv 2021 3156 uh it's a heap overflow in sudo i have the actual qualis is the company that released the uh vulnerability initially today i guess this article was posted yesterday um and it's really cool because basically you can trigger the vulnerability really easily with a short command at your terminal um and so it's cool to be able to see something like a heap overflow that you can just like show that it works right away from the terminal um the actual exploitation that is more complicated and they don't go over exactly how to do it probably for security reasons they don't want to just release that before people have a chance to patch it yeah but there are some details out there about what they did to find it how they fuzzed that a little bit and then a little bit of detail about the different routes they used for uh actually exploiting it to get rce um so that's pretty cool i just wanted to quickly go through kind of what the article talks about i'm not gonna read the whole thing obviously um but basically it affects pretty much any pseudo version since 2011 yeah it just affects pseudo yeah it does the patch was released i believe yesterday the day before is that correct um if i recall correctly it probably says near somewhere i think it was yesterday the day before um but uh yeah so update your sudo if you haven't um but it affects basically every single operating system that uses sudo so if you're on ubuntu if you're on demand if you're on fedora if you're on scent whatever i'm on arch it affects me if you have sudo the bug is there um i guess we can actually start off by just showing it um working like showing it crashing um which is kind of a cool little thing so if i go uh sudo actually if i go um could you zoom in a little bit more so it's obnoxious yeah sorry now you're fine um pseudo edit i think um so sudo edit and we'll go over why exactly is pseudo edit not pseudo in a second but just like a kind of a cool little start off like this is it actually working um so the fundamental bug is that it's not processing escaped characters correctly so we give it an escape character um and then you can give it an already make sure you give it other things so uh we give it a bunch of stuff for its buffer and this all happens during the processing of the arguments um so it doesn't matter what the arguments are and it doesn't matter if you're in the pseudo pseudoers file it doesn't matter what user you are it is a bug in the pseudo-binary itself prior to all of that happening so none of that matters and you can see right here um it died we had mallet corrupted top size abort blah blah blah basically what that means is we overflowed something to the heap um malik later after we overflowed that um pseudo attempted to allocate something in the heap and malik said wait a second this is all messed up like the the actual structures that malek uses to track all of the data that you've allocated have now been corrupted and mallet basically killed the application because it said i can't trust anything in memory anymore and we're going to leave so that's just a quick that is it working on my actual machine i just haven't updated yesterday so that's my actual machine and it's working hey uh sorry quick pivot i just wanted to showcase if you're running that test or doing that check now that we've patched it right running that exact same command syntax using sudo edit and then tak s and denoting that you're going to use an escape character it will no longer cause that malik choke it'll simply tell you hey here's the actual usage of pseudo elliot and that is what you can end up using to kind of determine hey is your system vulnerable or are you currently patched are you on a good version so that's that now we'll get back to the good stuff thanks um so that's pretty cool that you can just test it or like see it working like that um as far as what it actually or why it actually works that way um basically uh sudo does a bunch of processing they end up taking all of your command line arguments in which come into the application of the program as an array of strings so every single argument you pass is a string on its own and depending on the mode that sudo is in it might actually combine all of those individual arguments back into one long string the problem with that is that then you have issues of okay well what if one argument had a space in it what if one argument had this other special character and that kind of thing in order to handle that pseudo takes all of the arguments individually and combines them together with spaces in the middle to make a normal string like you type in the shell and then it has to go through and escape special characters like spaces when it does that converting to that and then converting back if you had a lone backslash in there with nothing after it it gets confused because it thought that was actually it thought there was supposed to be another character after that thought you were trying to escape something like you would normally do maybe a backslash space as a specific example to this if you did a backslash space what that would mean is hey i don't want to put a space as in separating two arguments i want to put an actual space in this current argument so it's looking for that next character and what happens is pseudo misinterprets the next character which is actually the null terminator of that string and misinterprets that and thinks that that is supposed to be an escaped character and then keeps processing things because it didn't notice the null terminator that's what's happening there and causing that overflow um and this article goes into some details about how you trigger it and why it's hard to get there it comes down to basically um let me find that exact block um i believe it's this one um so they check this pseudo mode it has to pass this check in order to get to the part that does that uh escaped character processing in order to set all of those settings there's no way to trigger that normally but what they realized was you could trigger that set of options because of some uh some logic bugs in the process if you ran sudo edit sudo edit is actually the same binary as sudo it's just a sim link what sudo does is it checks to see if r v zero so like the first argument which normally is the name of the process that's running it checks to see if that is pseudoedit and it does one thing if it's pseudoedit does something else if it's sudo they're both the same binary so when you run and they also process arguments the same way when you run sudo edit you're still running sudo but it sets one specific flag that you needed it doesn't reset another one that should have been reset and then you because they use the same argument processing are allowed to pass tack s which actually sets the last flag that you needed that that all relates back to these flags that they're talking about here and i'm not going to go through every single code block they have here because that would be monotonous um but that is basically why you have to run pseudoedit um so as you saw i ran to edit attack s which like i said that attack s gives us that last flag that it needs to get into that block of code to process those arguments after that we don't really care what pseudoedit is supposed to do it's going to crash before it gets there that's a really really quick rundown of how it works so once now that we have that like baseline of how we got here at this point it's just a buffer over or it's just a yeah buffer overflow uh in the heap um we have to figure out how exactly we can use that he exploits are traditionally uh obnoxiously complicated they make my head hurt um because there's a lot of links um basically the heap if you if you've never looked into it before is kind of like basically a linked list so every single piece of memory that you allocate has a header at the beginning of it and that header tells the the allocator or malloc is what you usually use it tells malik and free how long the next block of memory is so for every piece of memory you allocate you have a header that says hey this is how long this block is and the way it finds the next block is it just adds however much that size says it is to that pointer and then you get to the next block so it's a linked list in that way there's some other pieces in there that make it more complicated like there are special values that have to line up if the pointers for the backward references don't line up with the forward references that gets all funky um and so there's security checks in there that make it very difficult to exploit keep base buffer overflows um but what's kind of interesting about this and they go into it here um is that basically they went through and they said okay we have this heap exploit what we would like to do is they wanted to reuse an old method of heap exploitation because they were like oh this is just basic heap overflow we could reuse this method and apply it here and maybe get code execution um and they go into that actually it's interesting i was talking with john a minute ago about this the actual qualis blog article um stops here so they talk about this and they say hey you know after your arguments the thing immediately following your arguments and memory ends up being your environment variables um so you can actually continue the overflow through the environment variables which is useful and so they give an example here where uh they do a similar thing that i did where they had the the one two three whatever those those numbers during letters don't matter then after that happened it then continued copying characters from the environment so you see down here um you have your one two three four five six seven eight all this stuff that you had here where this slash is it actually escaped the null character and this dot is your null character and then you have your a a equals which is here um a and you can actually insert null bytes into the buffer so you can actually use no lights which is not always the case for buffer overflows um you can actually insert null bytes with escape characters so they showed that example here they have a a equals a and then a null byte and then b equals b just like you see here so all the way down the line you can continue that overflow through the environment variables um this is where this article on qualis actually ends interestingly uh this page from uh packet storm security as from what i can tell the same content in a little bit different format um but if you look at the actual content it appears to be the same um as far as the description of the vulnerability and these code blocks all these types of things but when you get down to a similar part right after they do that same thing with this overflowing with the environment that you see here um this article ends and packet security goes into some more detail about how they did their uh fuzzing to find the actual or the specific way that they could leverage this vulnerability to gain code exclusion so it's kind of interesting i like this article it goes through some cool details they talk about how they wanted to use basically part of the locale they wanted to modify the locale which allowed them to use that other thing i was talking about so they mentioned uh half dogs technique from this link which you can go look up um had you done any digging on that one did you kind of make any sense again i haven't actually gone into that to be honest with you i have focused on their first result which actually from all indications of this seems like a much simpler way to do it if i can find the right parameters um but they did it by accident so finding those right parameters is going to be annoying um i haven't looked into it to be honest but they were apparently trying to replicate that it has something to do with set locale and i haven't gotten all the way into the weeds on that yet um moral of the story is that they developed this fuzzer that was going to fuzz the lc environment variable because they were doing stuff with the locale uh it was also going to fuzz the size of the user args buffer which is basically the argument that you passed in um and then it was going to overflow and the the size of how much you were going to overflow into that um pretty sounds pretty straightforward as far as fuzzing overflows go um and then they ran that buzzer uh like they said they weren't able to get the outcome they wanted because apparently the locale was forced for some reason is what they talked about here it was always set to see instead of obeying what they were trying to set it to um so their method wasn't working however in the output of all of their crashes because they crashed sudo a ton of times while they were fuzzing this they found some interesting results and i think the first one to me is the most interesting because it's just like i want to say coincidence but it's such a straightforward like if you can get this then like basically done um a during their fuzzing they realized that at some point they accidentally overwrote and it's a function pointer not only did they accidentally overrate a function pointer the function pointer they overwrote all of the arguments that get passed to that function are valid arguments for exec ve what that means is if all they really have to do is instead of in this case um they overwrote the function pointer with a bunch of a's 41 41 4141 um and that caused a crash but if they control this which they do because they send a bunch a's they could set this theoretically to the address of the exec ve function function that is supposed to be getting called is this git env which they talk about here what the actual arguments to that function are it ends up being the name of the environment variable a pointer to a pointer for the value like pointer to a pointer to a pointer for the value um and then this closure thing that is supposed to be a callback and they talk about those arguments and they actually line up really well with what exec v is expecting the name that gets passed in is an environment variable name but if we were to create this is the actual thing that gets passed in if we were to create an executable within our path that was named that doesn't matter where it is just create it somewhere and then we ran exec ve or forced this pseudo to run exit ve it would run this binary even though we didn't create that like we we didn't make that name sudo was trying to call gideon v with that name but if we made that executable on our path that would work um and then it talks about how these these values of these arguments happen to line up um it's a pointer to a null pointer which lines up with exec v's rv argument and then the closure is actually a null pointer itself which lines up with exit v's environment pointer basically you can you can pass an empty rv array and you can pass no environment and exactly it's fine with it which happens to be what this is doing um so it's it's kind of like kind of like a fluke and i think it's really cool yeah i think it's really cool that it just kind of like lined up that way i spent this afternoon trying to find um arguments that would end up with this crash i was not successful um i keep playing with it i i wanted to uh compile sudo with debug symbols and then just start playing with the crash in gdb uh and trying to look for the values that are actually in these hooks see when i start overwriting them um instead of blindly doing it like they did because that could either take a lot of time or end up with a lot of data that i have to look to look through and since i already kind of know the targeted location i'm looking for um sadly sudo was being a jerk and i could not get sudo to compile with debugging symbols i don't know why uh but it refused to compile um i did write a really bad buzzer um in like python where did i put it cbe that um i don't even wanna i don't even really want to show it just feel bad uh yeah it's i mean it's nothing crazy i start uh i start a thread um reading a message looking for the segmentation faults or general protection faults that basically k messages like d message so you'll see a line in there for whenever a process has segmentation fault or general protection fault i grab those lines and record what the pin was for that process that's just running in another thread because k message never ends so you can't just read all of k message it's a special device file that never ends um so i do that in another thread and i store that in a variable and then uh keyed by the pit of the process that crashed and then i just go through a bunch of sizes of uh overflow to do and i just wanted to see what the result would be the only result i ever got was that malik error um which it could be for a lot of reasons um i need to test more and i really just need a debug copy of pseudo so i can figure that out um and yeah i mean i i can run it but it's not interesting it just says that it's you get a bunch of crashes and it's trying a bunch of sizes um yeah that was really really fast and i talked really fast uh what else broke over i was focusing on this one today um i want to get into the other different methods that they may have used but this article has some more information did this just like reload um this article does have some more information about the different things they saw um and how you could use it uh oh one thing i forgot to mention the doing that overriding exec ve uh early with exec ve um we don't actually have the address exactly we have no memory leak from the process which a lot of times you think about buffer overflow is like oh i need a memory leak because there's aslr um that's true you do but also you are assumed to already have local execution because you're running sudo and if you do you can read the symbols from sudoers.so which is where you're actually getting execve from and so you know the offset for that and you can do a partial override of that function pointer which effectively uh they talk about it here but you can't get an exact partial overwrite but you get partial override plus a little bit extra um and i think it's only one byte that you compromise and it ends up being like statistically you should get the right address like in 4096 tries or something like that um and so basically they say you know we don't have a leak we don't actually know the address but we can run it 5 000 times and it will probably succeed you're just kind of brute forcing that last flight of aslr um which i think is a perfectly fine like it might be noisy but it would be cool to see it work right and that's the most straightforward initial go so that's where i was trying to work at um sorry you started to say something i cut you off no i was going to ask do you mind showing us uh how you were trying to compile pseudo or kind of what that looks like when you're trying to get the debugging symbols and what you're what what wall you're running into um [Music] um they have like this thing you're supposed to run um it's in script yeah um so you don't just run configure apparently you run like make package and i it wasn't behaving for me you're supposed to just be able to pass debug in um what exactly it told me is there anything else in there oh i wanted to pass in all that stuff but i won't for now that should do it and probably with my luck it's gonna work now that i'm sitting here saying it doesn't work that's kind of what i was hoping for that should produce a make file and then you should just be able to run make and get a built copy of sudo used to be compiling something i i've never used this whatever this make package thing is i don't know if it's specific to sudo or not but normally it's just like dot slash configure um warnings i suppose they're moving really fast um yeah so i get who's this thing this make package thinks it's trying to build an rpm file which isn't right because i'm on arch probably if i just did this from like a deviant machine where make package knows what to do because it mentions that wherever it is in your platform you can platform use rpm or whatever uh probably if i did it on not arch it would probably work uh but i didn't have a vm on hand when i was doing this a little bit ago i can try it on my machine go for it it's literally just like github.com pseudo tech project i think slash sudo you can clone it um maybe again if you're comfortable with it or if you're cool with it we could if we get any if you get any other progress we could do this again to showcase kind of what you've poured through but sure yeah yeah for sure okay so that's all the conversation that i have for you so far um obviously yeah we're still kind of tinkering with this we're still kind of playing with it i know caleb's going to spin up a virtual machine to see if he can get maybe pseudo compiled with the bugging symbols i've tried to download on my machine and i'm tinkering with it as well there's no way i'm actually going to get anywhere with it but if anything i can uh enable and encourage some other folks and i hope to try to do so because look this is what it's all about uh if we're seeing new bugs new flaws new vulnerabilities then it kind of takes a village right it's the whole community playing in concert everyone kind of just kind of jumping in to learn about this thing see how we can make it better so we can improve it and see how we can learn from it and just getting everyone in the know just uh just i don't know spreading the knowledge so that's what this video is all about i hope you enjoyed that safari ride through some pseudo stuff but patch your systems i can't say it enough hopefully that thing that segment at the beginning this video helped out and uh we'll do this soon if we get any updates for you we'll we'll hopefully be able to bring that to you just as well but please please jump in as well you know you should be having just the same fun at that we are and uh patch i can't say it enough go patch thanks so much everybody i'll see you in the next video love you take care [Music] [Music] whip
Original Description
To help support me, check out Kite! Kite is a coding assistant that helps you faster, on any IDE offer smart completions and documentation. https://www.kite.com/get-kite/?utm_medium=referral&utm_source=youtube&utm_campaign=johnhammond&utm_content=description-only (disclaimer, affiliate link) 00:00 Introduction
02:11 How to patch and update to sudo 1.9.5p2
06:21 Conversation with Caleb starts
08:08 Seeing the flaw from sudoedit
09:48 Check if you are patched
12:45 Sudoedit is just a symlink to sudo
14:13 Heap exploitation talk
16:06 The Qualys article differs from Packetstorm
19:10 Fuzzer goals
20:02 The first crash is at a function which arguments align with execve
21:38 We could fake a SYSTEMD_BYPASS_USERDB executable to run
23:25 Caleb's primitive fuzzer code
24:42 The failing fuzzer in action (it doesn't find anything)
25:27 How we could sorta-somewhat bypass ASLR with a partial overwrite
26:55 Trying to compile sudo with debugging symbols (fail)
29:18 Wrap up
Hang with our community on Discord! https://johnhammond.org/discord
If you would like to support me, please like, comment & subscribe, and check me out on Patreon: https://patreon.com/johnhammond010
E-mail: johnhammond010@gmail.com
PayPal: http://paypal.me/johnhammond010
GitHub: https://github.com/JohnHammond
Site: http://www.johnhammond.org
Twitter: https://twitter.com/_johnhammond
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from John Hammond · John Hammond · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Code Commentaries? PHP to JavaScript in Bash and PHP!
John Hammond
Tutorials? MySQL connection with PHP and Bash!
John Hammond
Variable Naming in Python! Happy Birthday, Linux! Nokia N900!
John Hammond
JavaScript Splits The URL!
John Hammond
HTML Tables in Python!
John Hammond
HTML, Net Shares, GML!
John Hammond
Python 08 Programming Style and Comments
John Hammond
Python 26 Object Oriented Programming
John Hammond
75 Python Tutorials, Out Now!
John Hammond
Batch 14 Mathematical Expressions
John Hammond
Batch 85 Array Append
John Hammond
Batch 86 Array Count
John Hammond
Batch 87 Array Index
John Hammond
Batch 88 Array Insert
John Hammond
Batch 89 Array Remove
John Hammond
Batch 90 Array Reverse
John Hammond
Python [colorama] 00 Installing on Linux
John Hammond
Python [colorama] 09 Cursor Position
John Hammond
Python [hashlib] 02 Algorithms
John Hammond
Python 00 Installing IDLE on Linux
John Hammond
Python [pygame] 11 Rectangular Collision Detection
John Hammond
Python [pygame] 12 Platforming Rectangular Collision Resolution
John Hammond
Python [XML-RPC] 01 Research
John Hammond
Python [pyenchant] 03 Personal Word Lists
John Hammond
FancyURLopener Authentication and User-Agent [urllib] 03
John Hammond
Python 04: PEP8 Coding
John Hammond
Python Challenge! 17 COOKIES
John Hammond
Google CTF 2016: Ernst Echidna
John Hammond
Google CTF 2016: Spotted Quoll
John Hammond
Google CTF 2016: Can you Repo It?
John Hammond
Google CTF 2016: No Big Deal
John Hammond
Google CTF 2016: In Recorded Conversation
John Hammond
Homemade CTF Challenge: 01 "Orchestra"
John Hammond
Homemade CTF Challenge: 02 "Bae's Base"
John Hammond
Homemade CTF Challenge: 03 "Web Hunt"
John Hammond
Homemade CTF Challenge: 04 "UPX"
John Hammond
Homemade CTF Challenge: 05 "The Assumption Song"
John Hammond
Homemade CTF Challenge: 06 "A Brisk Stroll"
John Hammond
Homemade CTF Challenge: 06 "I lost my password!"
John Hammond
web25 :: Mr. Robot : EKOPARTY CTF 2016
John Hammond
web50 : RFC 7230 :: EKOPARTY CTF 2016
John Hammond
misc50 : Hidden inside EKO :: EKOPARTY CTF 2016
John Hammond
Hack The Vote 2016 CTF: Sander's Fan Club [web100]
John Hammond
Hack The Vote 2016 CTF Warpspeed [forensics150]
John Hammond
Juniors CTF 2016 :: Black Suprematic Square
John Hammond
Juniors CTF 2016 :: Six Strange Tales
John Hammond
Juniors CTF 2016 :: Lost Code
John Hammond
Juniors CTF 2016 :: Here Goes!
John Hammond
Juniors CTF 2016 :: Southern Cross
John Hammond
Juniors CTF 2016 :: Clone Attack
John Hammond
Juniors CTF 2016 :: Dirty Repo
John Hammond
Juniors CTF 2016 :: Hackers Blog
John Hammond
Juniors CTF 2016 :: Voting!!!
John Hammond
Juniors CTF 2016 :: The Good, The Bad and The Junkman
John Hammond
Juniors CTF 2016 :: Stop Thief!
John Hammond
Juniors CTF 2016 :: ROFL
John Hammond
Juniors CTF 2016 :: Restriced Area
John Hammond
Juniors CTF 2016 :: Oh SSH!
John Hammond
HackCon CTF 2017 TRIVIA and BONUS Challenges
John Hammond
HackCon CTF 2017 "Bacche" Challenges
John Hammond
More on: Security Basics
View skill →Related Reads
Chapters (15)
2:11
How to patch and update to sudo 1.9.5p2
6:21
Conversation with Caleb starts
8:08
Seeing the flaw from sudoedit
9:48
Check if you are patched
12:45
Sudoedit is just a symlink to sudo
14:13
Heap exploitation talk
16:06
The Qualys article differs from Packetstorm
19:10
Fuzzer goals
20:02
The first crash is at a function which arguments align with execve
21:38
We could fake a SYSTEMD_BYPASS_USERDB executable to run
23:25
Caleb's primitive fuzzer code
24:42
The failing fuzzer in action (it doesn't find anything)
25:27
How we could sorta-somewhat bypass ASLR with a partial overwrite
26:55
Trying to compile sudo with debugging symbols (fail)
29:18
Wrap up
🎓
Tutor Explanation
DeepCamp AI