SUDO Exploit Demo All versions < 1.8.28

The following brief is a quick demonstration of the issue tracked as CVE-2019-14287.

The issue arises when a user is allowed to run a specified command as any user other than the root account, which is written as !root in the /etc/sudoers file. The following screenshots demonstrate how this logic is bypassed.

Sudo Version

Checking the sudo version:

As we can see here, the version is below the patched version, 1.8.28.

Sudoers File Example

The following screenshot shows a basic sudoers configuration used to test this flaw:

As we can see here, my user can execute screen as any other user, with the exception of root.

Displaying the current user id and sudo privs

The following outlines the current user ID, groups and sudo permissions that result from the above /etc/sudoers config.

Trigger flaw

By adding a hash and minus 1 (#-1) after the -u option in sudo, we are able to exploit the flaw and execute the configured command as root:

At this point we enter screen as the root user and can execute root commands, such as viewing the shadow file that was previously denied to us:

As seen, this is a very dangerous flaw wherever a configuration uses the !someuser prefix in a sudoers command rule.

The best thing to do at this point is run the following command:

apt-get upgrade sudo
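To find which hosts and rules are exposed before and after the upgrade, the following added example (not part of the original post) checks a `sudo -V` version string against 1.8.28 and flags sudoers rules whose run-as list is ALL with exclusions such as !root. The sample sudoers content, user names and command paths are constructed, and the rule matching is a line-based heuristic that does not follow #include files.

```python
import re

FIXED = (1, 8, 28)  # first patched sudo release, as stated on this page
RUNAS = re.compile(r"\(([^)]*)\)")  # "(users : groups)" Runas list in a rule

# Constructed sample sudoers content; user names and command paths are made up.
SAMPLE = """\
# constructed sample, not from the page
root   ALL=(ALL:ALL) ALL
alice  ALL=(ALL, !root) /usr/bin/screen
bob    ALL=(www-data) /usr/bin/systemctl restart nginx
carol  ALL=(ALL, !#0 : ALL) NOPASSWD: /usr/bin/vi
"""

def is_vulnerable_version(sudo_v_output):
    """True if the version in `sudo -V` output (e.g. 'Sudo version 1.8.27') is < 1.8.28."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", sudo_v_output)
    if not m:
        raise ValueError("no version number found")
    return tuple(int(part) for part in m.groups()) < FIXED

def risky_rules(sudoers_text):
    """Return (line_no, rule) for rules whose Runas users are ALL minus exclusions."""
    hits = []
    for line_no, line in enumerate(sudoers_text.splitlines(), 1):
        rule = line.strip()
        if not rule or rule.startswith("#"):  # comments; #include files are not followed
            continue
        for m in RUNAS.finditer(rule):
            # Keep only the user part of "users : groups", then split the list.
            users = [u.strip() for u in m.group(1).split(":")[0].split(",")]
            if "ALL" in users and any(u.startswith("!") for u in users):
                hits.append((line_no, rule))
                break
    return hits

def audit(sudo_v_output, sudoers_text):
    """Rules exposed on this host: reported only when the sudo version is unpatched."""
    return risky_rules(sudoers_text) if is_vulnerable_version(sudo_v_output) else []

if __name__ == "__main__":
    for line_no, rule in audit("Sudo version 1.8.27", SAMPLE):
        print(f"line {line_no}: {rule}")
```

On a real host, pass the first line of `sudo -V` and the contents of /etc/sudoers (plus any files under /etc/sudoers.d) instead of the sample.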

Happy hacking