Privilege Escalation

SUDO Security Policy Bypass Vulnerability – CVE-2019-14287

After the detection of a major security vulnerability, Official released an immediate security fix to the ‘ sudo ‘ kit in the Ubuntu repositories. If you are not aware of sudo right’s power then read this post “Linux Privilege Escalation using Sudo Rights” that help you to understand more above “CVE-2019-14287” the latest vulnerability which we will discuss in this post.

In sudo before 1.8.28, the vulnerability CVE-2019-14287 is a security policy bypass issue in Linux/Ubuntu before 19.10 that offers a local user or a program the ability to carry out commands as root or superuser on a Linux system when the “sudoers configuration” clearly prohibits the root access.

For example, this allows the bypass of “! Root” configuration, and USER= logging, for a “sudo -u \#$((0xffffffff))” command.

Exploiting CVE-2019-14287

Victim’s Machine

Let’s suppose the system admin has created a local user who is not allowed to perform high-privilege tasks such as “cat /etc/shadow” to read the saved password of the system.

Similarly, we have created a user “demo” who is not able to run privileged tasks as a superuser.

But if the admin makes the following configuration with the sudoers file:

where admin has to assign sudo rights to the user “demo” to run programs or command as superuser other than root and clearly prohibits the root access using !root.

Or the system admin can use the following configuration too which stats the same permission as said above.

demo ALL=(ALL,!#0) ALL

Let us understand once again what sudo is and what it defines as configured above by taking help of the following image:

Username: demo

Host: ALL

Runas (user): ALL,!root

Runas(group): ALL,!root

Tag: NOPASSWD

Command to execute: ALL

So basically, here the demo is defined to execute ALL commands. As ALL (User, Group) other than root (User, Group), and “ALL,!root” is a misconfiguration and causes security loopholes. Because the user demo is restricted to performing the task as root, but not as an admin. As a result, he can run a command as an administrator (user “root”).  

In other words, this fault gives the privilege of a local user (attacker) accessing the root shell as demonstrated. Assume the attacker has the host machine shell as a local user and he found the above-mentioned sudo rights. Then, the attacker can easily escalate the root privilege by using the privilege user’s ID i.e., u#-1

sudo -u#-1 /bin/bash

Author: Komal Singh is a Cyber Security Researcher and Technical Content Writer. She is a completely enthusiastic pentester and Security Analyst at Ignite Technologies. Contact Here