CVE-2019-14287

CVE-2019-14287 is a vulnerability found in the Unix Sudo program by a researcher working for Apple:?Joe Vennix. This exploit has since been fixed, but may still be present in older versions of Sudo (versions < 1.8.28), so it's well worth keeping an eye out for!

For those who might be unfamiliar with it: sudo is a command in UNIX that allows you to execute programs as other users. This usually defaults to the superuser (root), but it's also possible to execute programs as other users by specifying their username or UID. For example, sudo would usually be used like so:?sudo <command>, but you could manually choose to execute it as another user like this:?sudo -u#<id> <command>. This means that you would be pretending to be another user when you executed the chosen command, which can give you higher permissions than you might otherwise have had. As an example:

In this example, my user account did not have permission to read the file?/root/root.txt, so I used sudo to temporarily give myself root privileges, in order to read the file.

Like many commands on Unix systems, sudo can be configured by editing a configuration file on your system. In this case, that file is called?/etc/sudoers. Editing this file directly is not recommended due to its importance to the?OS?installation, however, you can safely edit it with the command?sudo visudo, which checks when you're saving to ensure that there are no misconfigurations.

The vulnerability we're interested in for this task occurs in a very particular scenario. Say you have a user whom you want to grant extra permissions. You want to let this user execute a program as if they were any other user, but you?don't?want to let them execute it as root. You might add this line to the sudoers file:

<user> ALL=(ALL:!root) NOPASSWD: ALL        

This would let your user execute any command as another user, but would (theoretically) prevent them from executing the command as the superuser/admin/root. In other words, you can pretend to be any user, except the admin.

Theoretically.

In practice, with vulnerable versions of Sudo, you can get around this restriction to execute the programs as root anyway, which is obviously great for privilege escalation!

With the above configuration, using?sudo -u#0 <command>?(the UID of root is always 0) would not work, as we're not allowed to execute commands as root. If we try to execute commands as user 0 we will be given an error. Enter?CVE-2019-14287.

Joe Vennix found that if you specify a UID of -1 (or its unsigned equivalent:?4294967295), Sudo would incorrectly read this as being 0 (i.e. root). This means that by specifying a UID of -1 or?4294967295, you can execute a command as root,?despite being explicitly prevented from doing so.

It is worth noting that this will?only?work if you've been granted non-root sudo permissions for the command, as in the configuration above.

sudo -u#-1 <command>        

You Can Practice This Vulnerability Here: https://tryhackme.com/room/sudovulnsbypass