SUDO Security Policy Bypass Vulnerability - CVE-2019-14287

at 12:37 AM Monday, November 25, 2019

After the detection of a major security vulnerability, Official released an immediate security fix to the ' sudo ' kit in the Ubuntu repositories. If you are not aware of sudo right’s power then read this post “Linux Privilege Escalation using Sudo Rights” that help you to understand more above “CVE-2019-14287” the latest vulnerability which we will discuss in this post.

In sudo before 1.8.28 the vulnerability CVE-2019-14287 is a security policy bypass issue in Linux/Ubuntu  before 19.10 that offers a local user or a program the ability to carry out commands as root or super user on a Linux system when the "sudoers configuration" clearly prohibits the root access.

For example, this allows bypass of “! Root” configuration, and USER= logging, for a "sudo -u \#$((0xffffffff))" command.

Exploiting CVE-2019-14287

Victim’s Machine
Let’s suppose the system admin has created a local user who is not allow to perform high privilege task such as “cat /etc/shadow” to read saved the password of the system.



Similarly we have created a user “demo” who is not able to run privilege task as super user.


But if admin will make the following configuration with the suoders file:
demo ALL=(ALL,!root) ALL

where admin has assign sudo rights to the user “demo” to run programs or command as super user other than root and clearly prohibits the root access using !root.


Or the system admin can use following configuration too which stats same permission as said above.
demo ALL=(ALL,!#0) ALL


Let understand once again what is sudo right and what it defines as configured above by taking help of the following image:
Username: demo
Host: ALL
Runas (user): ALL,!root
Runas(group): ALL,!root
Tag: NOPASSWD
Command to execute: ALL
So basically here demo is define to execute ALL command as ALL (User,Group) other than root (User,Group) and “ALL,!root” is misconfiguration and causes the security loopholes because the user demo is restricted to perform task as root but not as admin. As result he can run a command as administrator (user "root") .  


In other words, this fault gives the privilege of a local user (attacker) accessing root shell as demonstrated. Assume the attack has the host machine shell as local user and he found above mentioned sudo rights then  the attacker can easily escalated the root privilege by using privilege user’s id i.e. -u#-1

sudo -u#-1 /bin/bash

Labels:

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)