SUDO Security Policy Bypass Vulnerability

Geethika Edithara March 06, 2024

 (CVE-2019-14287)

1. INTRODUCTION

Sudo is quite possibly the most remarkable and commonly utilized utility installed on pretty much every UNIX and Linux-based working frameworks. Likewise, sudo is a command that permits you to run scripts or programs that require administrative privileges.

On October 14th 2019 the Sudo group distributed a security alert with Regards to CVE-2019-14287, another security issue found by Joe Vennix of

Apple Information Security, in all Sudo versions before version 1.8.28.

The security flaw could enable a malicious user to execute self-assertive orders as a root client even in situations where the root access is prohibited.

The sudo weakness CVE-2019-14287 is a security policy bypass issue that gives a user or a program the capacity to execute orders as root on a Linux framework. In straightforward words, it implies a client can get root authorization to do anything he needs from bypassing this vulnerability. Exploiting this vulnerability requires the user to have sudo privileges that permit them to run commands with a self-assertive user ID, except root.

 

2. DEFINING THE GOALS AND PRE-REQUIREMENTS

A. Objectives

• Identifying the Vulnerability

• Crash the targeted vulnerability.

• Gain access to root privileges.

B. Pre-requirements

We use these following requirements to attack the system.

 • A Linux based OS

• A vulnerable SUDO version 

 

3. METHODOLOGY

These are the step by step methods to gain root privilege access to SUDO.

First to find out your SUDO version type “sudo --version”. 


 

1st Step

All the data of the sudo is in passwd file. Therefore we can open it and see what kind of data is stored in here.

For that type “cat/etc/passwd” code.

In the contents of that file you can see that the first user is always going to be the root user. Then you can see the data of the other users next.

The manner in which user accounts are saved on Linux is as follows, first of all you have the username, for this situation it is root, and then you have the password in the password file. You can see that the passwords are all signified by an x, the x implies that these passwords are encrypted. They are encrypted because any user on the system can access this password file. After that there is the user id or UID. The user id for the root account is always going to be zero, which is quite important. Then there is the group id and afterwards there’s the home directory. Finally there’s the shell that this user logs into.

The passwords are saved in a file called the ‘shadow file’.

To view the shadow file type “cat/etc/shadow

You can see that again the root user is utilized as the first entry here, this is basically the design, and so we have the username and the password now. This is obviously a hashed password or an encrypted password.

 

2nd Step

In this step you have to create a user account in Linux and set a password to it and see what’s happened inside the ‘passwd’ file.

To create a new user account type “useradd -m -s bin/bash hacker1” 

So now if you take a look at the ‘passwd’ file you can see that there’s another entry at the bottom of the file. The user id is currently set to 1001. If you create another user account its UID would be 1002.

 

3rd Step

Next you need to go into the sudo file and grant privilege access to the new account.

The sudo command is configured through a file located in ‘/etc/sudoers’. Through the sudo command, you provide administrative level privileges to regular users. You can configure other users to also be able to run the sudo command. That can be done by editing the sudoers file.

There are a few more approaches to do it, but the standard safe & secure way to do it is by using the "visudo" command. "Visudo" is a tool that permits you to access and make changes to the sudo file safely. 

This is the default sudo file. 

The sudo file should be edited by adding "hacker1 ALL = (ALL, !root) usr/bin/id" below the root accounts privileges. 


After saving this edited sudo file try to run these codes:

You can see that just simply by editing out one change you cannot run code as root user. Therefore you should mention uid. When the correct uid is typed the sudo will allow the code to run as root.

In other words, this fault gives root privilege access to any intruder. Imagine that the attacker has the host machine shell as a local user which does not have root privileges. All he has to do to escalate his privileges to root user is to use the uid as "- u#-1".


4th Step

Utilizing "vim" and the way that you can modify files or access files.

There are a few steps to do as such. First you need to edit the sudo file again and input some extra commands.

Input "cmnd_Alias VIM =/use/bin/vi


5th Step

Then go back to the other user account and go into the root directory and create a file openme.txt. The name doesn’t matter. Then, hit enter and you can see that it will give the same error. That you can’t execute because you don’t have the root access privileges.

To run this command specify the user who runs this command.

 

6th Step

The last step is to switch to root and open the file created from the other account. That means you gained access to root privileges on attacker’s account.

Go to root and run a "- ls" command. You will see the files created in your machine.

Finally, you can find in the file list the file you made from attacker's account.

Open the file and check exactly when it was created. 

 

4. MITIGATION STRATEGY

This vulnerability is critical. So the Sudo team released an update to patch this vulnerability. As a user, company or anyone else just remember to update your software & firmware always. And never use old versions of software.

 

5. CONCLUSION

This is a somewhat interesting vulnerability. We can practice ourselves by exploiting it. But a vulnerability is a vulnerability. When you need help always seek the advice of an expert. Always practice correct procedures and remember to use the latest software versions always.

 

 REFERENCES

1.     https://www.youtube.com/hackersploit

2.     https://www.hackingarticles.in

3.     https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE+-2014-3306

4.     https://www.sudo.ws/man/1.8.28/sudo.man.html

5.     https://access.redhat.com/security/cve/cve-2019-14287

Stay Informed, Stay Safe!

Geethika Edithara

Posted by Geethika Edithara

Hi I'm Geethika Edithara. I'm a Cyber Security Analyst who is hoping to make a change in the cyber security sector for the better. My main goal here is to spread correct, reliable & upto date cyber security news & Information so everyone can gain some type of knowledge & be safe from cyber threats.