SUDO
Theory
sudo (Super User DO) is a program for UNIX-like computer operating systems that allows users to run programs with the security privileges of another user (by default, the superuser).
Unlike the similar command su, users must, by default, supply their own password for authentication, rather than the password of the target user. After authentication, and if the configuration file, which is typically located at /etc/sudoers, permits the user access, the system invokes the requested command with the target user's privileges.
Sudo users are called sudoers ( 😯 I know right, big brains here 🧠 ). What sudoers are allowed to do is defined in the /etc/sudoers configuration file. This file, owned by root, is supposed to be 440 (read-only) and should only be edited with visudo, sudoedit or sudo -e.
Practice
There are many ways to escalate privileges by exploiting sudo, either by profiting from insecure configuration, or by exploiting the program's vulnerabilities.
Default configurations
The sudo -l command can be run by sudoers to check their sudo rights. The output reflects the /etc/sudoers configuration that applies to the user. It should like the following (default config for a new sudoer).
For instance, this configuration allows the johnthesudoer user to run any privileged command as long as johnthesudoer's password is known. A privileged session can be obtained with sudo -i, sudo -s, sudo su or sudo <program>.
Living off the land
While the SUDO configuration can be hardened to restrict privileged execution to specific program, there are some that can be abused to bypass local security restrictions. This is called Living off the land.
The configuration above only allows sudoer johnthesudoer to execute /bin/tar as root as long as johnthesudoer's password is known. The thing is tar is program that can be used to obtain a full session, hence bypassing the restrictions induced by sudoers configuration.
Other examples can be found on the Living off the land note.
While some programs can be used to obtain a full shell, others can be used to induce changes on the system to grant root privileges, like /usr/bin/cp. The following commands are used to edit the /etc/passwd file to add a password-less user with root's uid and gid.
CVE-2019-14287 (#-1)
With SUDO running version < 1.8.28, an attacker in control of a "runas ALL" sudoer account can bypass certain policy blacklists and session PAM modules by invoking sudo with a crafted user ID.
Exploiting the bug requires sudo privileges and being able to run commands with an arbitrary user ID. This means the user's sudoers entry has to have the special value ALL in the "runas" specifier (the yellow and green parts in the doodle above).
Vulnerable users can be found with the two commands below
The vulnerability can be exploited with one of the following payloads
Some technical details to the vulnerability
Sudo uses the setresuid(2) and setreuid(2) system calls to change the user ID before running the command. So if you try to enter a negative user id -1 (or its 32-bit unsigned equivalent 4294967295), setresuid(2) and setreuid(2) cannot set a negative user id and you're left with the user id sudo is running with : 0.
Therefore sudo -u#-1 id -u or sudo -u#4294967295 id -u will actually return uid=0 and run command as root.
More info can be found here
CVE-2021-3156 (Baron Samedit)
With SUDO running version < 1.9.5p2, a Heap-based Buffer Overflow allows for privilege escalation to root via sudoedit -s and a command-line argument that ends with a single backslash character. To test if a system is vulnerable or not, the following command can be run as a non-root user.
Patched versions will throw a usage: help message while vulnerable ones will throw the following sudoedit: error.
This vulnerability can be exploited with this exploit, or this one.
More info about this vulnerability can be found here and here.
Resources
Last updated
