Software vulnerabilities
An introduction to 3 sudo vulnerabilities: CVE-2019-14287, CVE-2019-18634, CVE-2021-3156.
Summary
Here are the few vulnerabilities we will cover:
Vulnerability | Version | Prerequisite | Type |
---|---|---|---|
CVE-2019-14287 | < 1.8.28 | Requires permission to execute a command as another user | integer overflow, security bypass |
CVE-2019-18634 | < 1.8.26 | Requires pwfeedback option enabled | stack-based BoF |
CVE-2021-3156 (Baron Samedit) | < 1.9.5p2 | None | heap-based BoF |
CVE-2019-14287
CVE-2019-14287 exploits an integer overflow in the user ID variable. The CVE description reads: an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a "sudo -u #$((0xffffffff))" command.
For example, if we have the following configuration in /etc/sudoers, user secit should be able to run any command as any user except root.
secit ALL=(ALL:!root) NOPASSWD: ALL
The user should see this:
$ sudo -ll
root has the id zero. In pseudo-code, the !root restriction can be translated to:
unless userid == 0
The well-known syntax to run a command as another user is:
$ sudo -u <user> <cmd>
But it's also possible to provide the user id instead of the username:
$ sudo -u#<id> <cmd>
However, the user id -1 (signed int) causes an integer overflow and is translated to 4294967295 (0xffffffff), so the pseudo-check userid == 0 is bypassed, since 4294967295 != 0.
Exploiting the vulnerability is as easy as the following example:
$ sudo -u \#-1 /bin/bash
TryHackMe is hosting a vulnerable environment so it's possible to try this vulnerability in a sandbox.
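The following Python model is an added example, not code from the original post or from the sudo project. It walks the "-u#<id>" request described above through three stages: the pre-1.8.28 parsing (where -1 wraps to 4294967295), the "unless userid == 0" policy check, and the final id switch. The last stage adds one fact the text leaves implicit: sudo is a setuid-root binary and switches ids with setresuid(2), for which a uid of (uid_t)-1 means "leave unchanged", so the bypassed check ends with the command running as root. UID_MAX, the function names and the denied-uid set are assumptions of this model; the hardened parser rejects -1 and 4294967295, which is the approach the fix in 1.8.28 took.

```python
UID_MAX = 0xFFFFFFFF  # assumption for this model: uid_t is a 32-bit unsigned integer
UID_NONE = UID_MAX    # (uid_t)-1, which setresuid(2) interprets as "leave this id unchanged"


def parse_runas_uid_vulnerable(spec):
    """Model of the pre-1.8.28 behaviour described in the text: '#<id>' is read as a
    signed integer and stored in an unsigned uid_t, so -1 wraps to 4294967295."""
    if not spec.startswith("#"):
        raise ValueError("only the numeric '#<id>' form is modelled here")
    value = int(spec[1:], 10)
    return value & UID_MAX  # the integer overflow: two's-complement wrap-around


def parse_runas_uid_fixed(spec):
    """Hardened variant: refuse -1 and its unsigned alias 4294967295 (the approach taken
    by the fix in 1.8.28) as well as anything outside the uid_t range."""
    if not spec.startswith("#"):
        raise ValueError("only the numeric '#<id>' form is modelled here")
    value = int(spec[1:], 10)
    if value < 0 or value >= UID_NONE:
        raise ValueError(f"invalid user ID {value}")
    return value


def runas_permitted(denied_uids, target_uid):
    """The 'unless userid == 0' pseudo-check from the text, generalised to a set of
    denied uids such as the !root restriction in the sudoers line above."""
    return target_uid not in denied_uids


def model_setresuid(current_uid, requested_uid):
    """What the kernel does when sudo (already running as root) switches to the target
    uid: (uid_t)-1 means 'no change', so the process keeps current_uid."""
    return current_uid if requested_uid == UID_NONE else requested_uid


def resulting_uid(spec, parser, denied_uids=frozenset({0})):
    """Run one '-u#<id>' request through a parser, the policy check and the id switch.
    Returns the uid the command would run as, or None if the request is rejected."""
    try:
        target = parser(spec)
    except ValueError:
        return None
    if not runas_permitted(denied_uids, target):
        return None
    return model_setresuid(0, target)  # sudo itself runs as root (setuid binary)


if __name__ == "__main__":
    for spec in ("#1000", "#0", "#-1", "#4294967295"):
        print(f"{spec:>12}  vulnerable -> {resulting_uid(spec, parse_runas_uid_vulnerable)}"
              f"  fixed -> {resulting_uid(spec, parse_runas_uid_fixed)}")
```

Running the block prints, for "#-1", that the vulnerable path yields uid 0 while the fixed path rejects the request; "#0" is refused by both, because the policy check itself was never wrong, only the value it was handed.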
CVE-2019-18634
CVE-2019-18634 exploits a stack-based buffer overflow in the function getln() from the file tgetpass.c.
But this vulnerability works only if the pwfeedback option is enabled in /etc/sudoers, which is not the default upstream nor in most packages of the widely used Linux distributions. However, in 2019, Linux Mint and elementary OS were using pwfeedback by default. pwfeedback is a display feature that shows an asterisk each time a user types a character of their password.
So even at the time the vulnerability was found, it was not likely that a system would be vulnerable to it.
Here is a command to check if sudo is vulnerable (you should get a segmentation fault):
$ ruby -e 'puts ("A"*100 + "\x00")*50' | sudo -S id
To exploit the vulnerability we can use a Proof of Concept (PoC) from Saleem Rashid hosted on the following git repository: saleemrashid/sudo-cve-2019-18634. Details of the exploit steps can be found in the comments of exploit.c.
An easy scenario could be:
- Download the source of the exploit on the target with wget
- Compile the exploit directly on the target with gcc -o exploit exploit.c
- Execute the exploit: ./exploit
The output should be as follows:
$ ./exploit
TryHackMe is hosting a vulnerable environment so it's possible to try this vulnerability in a sandbox.
CVE-2021-3156
CVE-2021-3156 (a.k.a. Baron Samedit) exploits a heap-based buffer overflow. This one is far more powerful than the two previous vulnerabilities because it works with the default configuration and with every version of sudo before the fixed one (see the summary table).
Here is a command to check if sudo is vulnerable (you should get the error malloc(): memory corruption):
$ sudoedit -s '\' $(ruby -e 'puts "A"*1000')
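The one-liners above crash sudo to prove a point; on a fleet you would rather check without triggering memory corruption. The Python script below is an added example (not from the original post or the sudo project) that evaluates a host against all three CVEs from the summary table: it parses the output of `sudo --version`, compares it with the fixed versions listed in the table, and for CVE-2019-18634 also checks whether `Defaults pwfeedback` is enabled in the sudoers text it is given. Thresholds are the table's own; the sample version string and sudoers content are constructed, and the script deliberately does not follow #include / #includedir directives.

```python
import re

# Fix thresholds as given in the "Version" column of the summary table on this page:
# a sudo strictly older than the listed release is treated as affected.
FIXED_IN = {
    "CVE-2019-14287": "1.8.28",
    "CVE-2019-18634": "1.8.26",  # additionally requires the pwfeedback option
    "CVE-2021-3156": "1.9.5p2",
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")
# Defaults lines may carry a scope qualifier, e.g. "Defaults:secit" or "Defaults@host"
DEFAULTS_RE = re.compile(r"^Defaults(?:[:@>!]\S+)?\s+(.*)$")


def parse_version(text):
    """Turn '1.8.21p2' (or the full output of `sudo --version`) into a comparable tuple."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no sudo version found in {text!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def sudoers_has_pwfeedback(sudoers_text):
    """True if the last Defaults line that mentions pwfeedback enables it.
    Only the text passed in is inspected; included files are not followed."""
    enabled = False
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        m = DEFAULTS_RE.match(line)
        if not m:
            continue
        for option in m.group(1).split(","):
            option = option.strip()
            if option == "pwfeedback":
                enabled = True
            elif option == "!pwfeedback":
                enabled = False
    return enabled


def assess(version_output, sudoers_text):
    """Map each CVE from the table to True (affected) or False for this host."""
    installed = parse_version(version_output)
    findings = {}
    for cve, fixed in FIXED_IN.items():
        affected = installed < parse_version(fixed)
        if cve == "CVE-2019-18634":
            affected = affected and sudoers_has_pwfeedback(sudoers_text)
        findings[cve] = affected
    return findings


if __name__ == "__main__":
    # Constructed sample input standing in for `sudo --version` and /etc/sudoers.
    SAMPLE_VERSION = "Sudo version 1.8.21p2\nSudoers policy plugin version 1.8.21p2\n"
    SAMPLE_SUDOERS = "Defaults env_reset, pwfeedback\nsecit ALL=(ALL:!root) NOPASSWD: ALL\n"
    for cve, affected in assess(SAMPLE_VERSION, SAMPLE_SUDOERS).items():
        print(f"{cve}: {'AFFECTED' if affected else 'not affected'}")
```

On a real host, feed `assess()` the output of `sudo --version` and the contents of /etc/sudoers (readable only by root, so run the audit with appropriate rights or from configuration management). Note that distributions backport fixes without bumping the upstream version, so a version-only verdict is a starting point, not proof; the package changelog is the authority.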
To exploit the vulnerability we can use a Proof of Concept (PoC) from blasty hosted on the following git repository: blasty/CVE-2021-3156.
An easy scenario could be:
- Download the source of the exploit (lib.c, hax.c, makefile) on the target with wget
- Compile the exploit directly on the target with make
- Execute the exploit: ./sudo-hax-me-a-sandwich
The output should be as follows:
$ ./sudo-hax-me-a-sandwich 0
TryHackMe is hosting a vulnerable environment so it's possible to try this vulnerability in a sandbox.
Misconfiguration vulnerabilities
Even if sudo is fully up to date and patched, a misconfiguration can open a door for the attacker.
The following config gives user secit the permission to execute ssh as anybody, including root.
secit ALL=(ALL) /usr/bin/ssh
A lot of legitimate Linux binaries can be abused to bypass local security restrictions, break out of restricted shells, escalate or maintain elevated privileges, or facilitate other post-exploitation tasks.
So if root permission is given via sudo to use one of these binaries, it's very likely that an attacker could get root permission easily.
A list of those binaries can be found on the GTFOBins website or browsed offline using a CLI tool like GTFOBLookup.
An example of ssh abuse:
$ gtfoblookup linux sudo ssh
There is also a Metasploit module called post/multi/recon/sudo_commands which does the following:
This module examines the sudoers configuration for the session user and lists the commands executable via sudo. This module also inspects each command and reports potential avenues for privileged code execution due to poor file system permissions or permitting execution of executables known to be useful for privesc, such as utilities designed for file read/write, user modification, or execution of arbitrary operating system commands. Note, you may need to provide the password for the session user.
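The same review that the Metasploit module performs at post-exploitation time can be done proactively on the sudoers file itself. The script below is an added example, not part of the original post, GTFOBins or Metasploit: it parses user specifications (`who host=(runas) [TAG:] commands`), flags entries that grant `ALL` or a binary known to offer a shell escape, and records whether the entry is NOPASSWD and whether the Runas list allows root. The SHELL_ESCAPE_BINARIES set is a constructed excerpt, not the GTFOBins list; aliases and included files are skipped; and, as a simplification, ':' and ',' in the Runas list are both treated as separators so that the page's (ALL:!root) reads as "anyone except root". The sample sudoers content is constructed.

```python
import posixpath
import re

# Constructed, deliberately short excerpt of binaries that GTFOBins documents as giving a
# shell (or an arbitrary file write) when run through sudo. The full list is on the site.
SHELL_ESCAPE_BINARIES = {
    "ssh", "vim", "vi", "less", "more", "find", "awk", "perl",
    "python3", "env", "tar", "bash", "sh",
}

SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias", "#", "@")
SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$")
TAG_RE = re.compile(r"^((?:[A-Z]+:\s*)+)")  # NOPASSWD:, SETENV:, ... in front of a command

# Constructed sample standing in for /etc/sudoers; not a real host's file.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset
secit ALL=(ALL) /usr/bin/ssh
alice ALL=(ALL:!root) NOPASSWD: ALL
bob ALL=(root) /usr/bin/systemctl status nginx
%admin ALL=(ALL) ALL
"""


def runas_can_be_root(runas_spec):
    """True if the Runas list allows root. Simplification (assumption of this script):
    ':' and ',' are both separators, so '(ALL:!root)' reads as 'anyone except root'."""
    tokens = [t.strip() for t in re.split(r"[,:]", runas_spec) if t.strip()]
    negated = {t[1:] for t in tokens if t.startswith("!")}
    positive = {t for t in tokens if not t.startswith("!")}
    return ("ALL" in positive or "root" in positive) and "root" not in negated


def audit_sudoers(sudoers_text):
    """One finding per command that grants ALL or a known shell-escape binary."""
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        runas = m["runas"] if m["runas"] is not None else "root"  # sudoers default Runas
        tags = set()  # a tag group applies to every following command in the list
        for cmd in (c.strip() for c in m["cmds"].split(",") if c.strip()):
            t = TAG_RE.match(cmd)
            if t:
                tags = set(re.findall(r"[A-Z]+", t.group(1)))
                cmd = cmd[t.end():].strip()
            program = posixpath.basename(cmd.split()[0]) if cmd else ""
            if cmd == "ALL":
                risk = "any-command"
            elif program in SHELL_ESCAPE_BINARIES:
                risk = "shell-escape"
            else:
                continue
            findings.append({
                "who": m["who"], "command": cmd, "risk": risk,
                "nopasswd": "NOPASSWD" in tags, "can_be_root": runas_can_be_root(runas),
            })
    return findings


if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

Against the sample, secit's ssh entry is reported as a shell escape runnable as root, alice's NOPASSWD ALL is reported but without root, and %admin's ALL is reported as unrestricted; bob's systemctl entry is not flagged, which illustrates why the excerpt list must be replaced with the full GTFOBins data before relying on the result.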
There are great virtual environments to train exploiting those binaries and misconfigured sudo:
- the Bash - Restricted shells challenge from Root-Me
- the Privilege Escalation section from the Linux Agency room on TryHackMe
About the author
This piece was written by Alexandre ZANNI aka noraj. Alexandre is a pentester and a BlackArch maintainer.
Website: pwn.by/noraj