Saturday, August 15, 2020

Bypassing sudo command: CVE-2019-14287

As the title says, the runas restriction of the "sudo" command in Linux can be bypassed. If you are not familiar with the Linux operating system, let me first explain what the sudo command is.


sudo is a program for Unix-like operating systems that allows a user to run programs with the security privileges of another user, by default the superuser, much like installing software on Windows using Administrator privileges. Sudo originally stood for "superuser do".

According to the sudo description, sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. The invoking user's real (not effective) user ID is used to determine the user name with which to query the security policy.
sudo supports a plugin architecture for security policies and input/output logging. Third parties can develop and distribute their own policy and I/O logging plugins to work seamlessly with the sudo front end. The default security policy is sudoers, which is configured via the file /etc/sudoers, or via LDAP.

For more information, just type the following command in any Linux terminal:
man sudo

Description
A flaw was found in the way sudo implemented running commands with an arbitrary user ID. If a sudoers entry is written to allow the attacker to run a command as any user except root, this flaw can be used by the attacker to bypass that restriction.

Statement
This flaw only affects a specific, non-default configuration of sudo, in which a sudoers configuration entry allows a user to run a command as any user except root, for example:
-------------------------------------------------------------------------
someuser myhost = (ALL,!root) /usr/bin/somecommand
-------------------------------------------------------------------------

This config allows user "someuser" to run somecommand as any other user except root. However, this flaw also allows someuser to run somecommand as root by specifying the target user using the numeric id of -1. Only the specified command can be run; this flaw does not allow the user to run commands other than those specified in the sudoers configuration.

Any other configuration of sudo (including configurations that allow a user to run commands as any user including root, and configurations that allow a user to run a command as one specific other user) is NOT affected by this flaw.


 

Mitigation

This vulnerability only affects configurations of sudo that have a "runas" user list that includes an exclusion of root. The simplest example is

--------------------------------------------------------------------------------------
someuser ALL=(ALL, !root) /usr/bin/somecommand
--------------------------------------------------------------------------------------
The exclusion is specified using an exclamation mark (!). In this example, the "root" user is specified by name. The root user may also be identified in other ways, such as by UID (user id):
---------------------------------------------------------------------------------------
someuser ALL=(ALL,#!0) /usr/bin/somecommand
---------------------------------------------------------------------------------------
or by reference to a runas alias:
--------------------------------------------------------------------------------------
Runas_Alias MYGROUP = root, adminuser
someuser ALL=(ALL, !MYGROUP) /usr/bin/somecommand
--------------------------------------------------------------------------------------

To ensure your sudoers configuration is not affected by this vulnerability, we recommend examining each sudoers entry that includes the `!` character in the runas specification, to ensure that the root user is not among the exclusions, whether root is named directly, by UID 0, or through a Runas_Alias. These entries can be found in the /etc/sudoers file or in files under /etc/sudoers.d.
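The following audit script is an added example (not code from the original post or from the sudo project) that automates the check described above: it scans sudoers text for runas lists that exclude root by name, by UID 0, or through a Runas_Alias. The sudoers content is a constructed sample built from the entries shown in this post; to audit a real host, read /etc/sudoers and the files under /etc/sudoers.d instead. It assumes single-line entries (no backslash continuations) and aliases that list users directly rather than nesting other aliases.

```python
import re

# Constructed sample sudoers content (not taken from any real host). It contains the
# three root-exclusion forms shown in the post plus two entries that are not affected.
SAMPLE_SUDOERS = """\
Runas_Alias MYGROUP = root, adminuser
someuser ALL=(ALL, !root) /usr/bin/somecommand
someuser ALL=(ALL,#!0) /usr/bin/somecommand
someuser ALL=(ALL, !MYGROUP) /usr/bin/somecommand
other    ALL=(ALL) /usr/bin/othercommand
third    ALL=(www-data) /usr/bin/thirdcommand
"""

# Captures the text between the parentheses of a runas specification, e.g. "ALL, !root".
RUNAS_RE = re.compile(r"=\s*\(([^)]*)\)")


def parse_runas_aliases(text):
    """Map each Runas_Alias name to the set of members it expands to (one level only)."""
    aliases = {}
    for line in text.splitlines():
        m = re.match(r"\s*Runas_Alias\s+(\w+)\s*=\s*(.*)", line)
        if m:
            aliases[m.group(1)] = {x.strip() for x in m.group(2).split(",")}
    return aliases


def excludes_root(runas_spec, aliases):
    """True if the runas user list negates root by name, by UID 0, or via an alias containing root."""
    users = runas_spec.split(":")[0]  # drop the optional runas-group part after ':'
    for item in (x.strip() for x in users.split(",")):
        if not item.startswith(("!", "#!")):  # accept both "!#0" and the "#!0" form in the post
            continue
        target = item.lstrip("!#")  # leaves 'root', '0' or an alias name such as 'MYGROUP'
        if target in ("root", "0"):
            return True
        if target in aliases and aliases[target] & {"root", "#0"}:
            return True
    return False


def find_affected_entries(text):
    """Return the sudoers entries whose runas list excludes root (the CVE-2019-14287 pattern)."""
    aliases = parse_runas_aliases(text)
    hits = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "Runas_Alias", "Defaults")):
            continue  # comments, alias definitions and Defaults carry no runas list
        m = RUNAS_RE.search(stripped)
        if m and excludes_root(m.group(1), aliases):
            hits.append(stripped)
    return hits


if __name__ == "__main__":
    for entry in find_affected_entries(SAMPLE_SUDOERS):
        print("affected:", entry)
```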

BY THE WAY

If your account is covered by a sudoers entry of the affected form above and sudo is unpatched, you can run the following commands to escalate yourself to root:
------------------------------------------------------------------------------------------- 
sudo -u#-1 id -u
-------------------------------------------------------------------------------------------
or
-------------------------------------------------------------------------------------------
sudo -u#4294967295 id -u
-------------------------------------------------------------------------------------------
The number 4294967295 is equivalent to 2^32 − 1, which is how −1 is represented in an unsigned 32-bit user ID.



References
https://access.redhat.com/security/cve/cve-2019-14287
https://www.sudo.ws/alerts/minus_1_uid.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14287
https://puppet.com/blog/find-and-fix-cve-2019-14287-sudo-vulnerability
https://www.youtube.com/watch?v=btUf1O7lQmY&t=184s