🧙♀️ Sudo -
- 1 minI was wandering around Buffer Overflow in the past few days and found out interesting rooms on TryHackMe about the sudo vulnerabilities back in late 2019 and the beginning of 2020—CVE-2019-14287, CVE-2019-18634. Both were reported by Joe Vennix.
The first one, CVE-2019-14287, is the sudo bypass when using sudo -u#<ID> command and if you specify ID to be -1 or its unsigned equivalent to 4294967295, sudo would read it as 0 , a.k.a., root . The proof of concept can be found here, https://www.exploit-db.com/exploits/47502. If you are curious to see in action, check out THM room here, https://tryhackme.com/room/sudovulnsbypass. It happens with versions prior to 1.8.28.
The second one, CVE-2019-18634, is the buffer overflow vulnerability when using sudo and overflow the password to gain root access. This happens because pwfeedback is enabled in /etc/sudoers. It’s normally turned off, but in ElementaryOS and Linux Mint are not the case.
The proof of concept, https://www.exploit-db.com/exploits/47995, shows that by generating the large password input, the feedback is given back as Segmentation fault which means that large input has tried to access to memory that should not be supposed to. Boom!
The POC in C has made public on GitHub. See in action, check out THM room, Sudo Vulns BOF. The version 1.8.26 to 1.8.30 were reported to be exploitable. The remediation step can be done as simple as making sure to disable pwfeedback in /etc/sudoers as mentioned on the official advisory.