2025-01-25 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article analyses and reproduces the sudo privilege bypass vulnerability (CVE-2019-14287) in detail, in the hope of giving readers who want to understand and address this problem a simple and practical way to do so.
Vulnerability overview
Some users may already know that when sudo is configured, through the ALL keyword in the Runas specification, to let a user run commands as arbitrary users, an attacker can execute malicious commands with root privileges by specifying the user ID -1 or 4294967295.
More precisely, a user who holds such sudo privileges, with ALL defined in the Runas specification, can run commands as root even when root is explicitly excluded in that Runas specification. Commands run this way produce log entries that show a target user of 4294967295 instead of root, and the PAM session module is not run while the command executes.
Sudo stands for "superuser do". It is a Linux system administration command that lets a user run applications or commands with the privileges of another user without switching environments. Commands are typically run as root, which reduces the time root spends logged in and administering the system and improves security.
On October 14, 2019, the Sudo project released version 1.8.28, which includes the fix for the sudo root privilege bypass vulnerability (CVE-2019-14287).
CVE ID
CVE has assigned this vulnerability the identifier CVE-2019-14287.
Vulnerability detail analysis
In most Linux distributions the Runas specification in /etc/sudoers looks like the one in the following figure, where the ALL keyword allows users in the admin or sudo group to run commands as any user on the target system:
To exploit this vulnerability, the user must have sudo privileges that allow running commands with an arbitrary user ID. In practice this means the user's sudoers entry contains the special ALL value in the Runas specification.
If the sudoers policy allows it, sudo can run a command as a user name or user ID chosen by the invoking user. For example, the following sudoers entry allows us to run the id command as any user because it includes the ALL keyword in the Runas specification:
alice myhost = (ALL) /usr/bin/id
Besides running the id command as any valid user name, we can also run it as any numeric user ID, using the #uid syntax:
sudo -u#1234 id -u
The command returns "1234". However, sudo uses the setresuid(2) and setreuid(2) system calls to change the user ID before running the command, and that user ID can be set to -1 (or its unsigned equivalent, 4294967295):
sudo -u#-1 id -u
or
sudo -u#4294967295 id -u
After either command runs, "0" is returned. This is because the sudo command itself is already running as user ID 0, so nothing changes when sudo attempts to change the user ID to -1.
However, the sudo log entry records the command's target user ID as 4294967295 rather than root (user ID 0). In addition, because the user ID given with the -u option is not present in the password database, the PAM session module is not run.
If a sudoers entry allows the user to run commands as any user except root, an attacker can exploit this vulnerability to bypass that restriction. For example, consider the following sudoers entry:
bob myhost = (ALL, !root) /usr/bin/vi
User bob may run vi as any user other than root, but because of this vulnerability bob can actually run vi with root privileges, bypassing the security policy on the target system, with the following command:
sudo -u#-1 vi
This vulnerability is exploitable only when a sudoers entry contains the ALL keyword in its Runas specification. For example, if the policy contains the following sudoers entry, the target system is not affected:
alice myhost = /usr/bin/id
In this example alice can only run the id command as root, and any attempt to run it as a different user is rejected.
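As an added example (not from the original article), the following Python script applies the rule just described to a sudoers policy: it flags every entry whose Runas list contains ALL, since a negation such as !root does not protect it on a vulnerable sudo, and only reports findings when the installed sudo version is below 1.8.28. The sudoers text and the version strings are constructed sample input; the parser handles only plain user specifications, not aliases or Defaults lines.

```python
import re

# One sudoers user specification:  user host = (runas_users[:runas_groups]) command
# An entry without a parenthesised Runas list may only run commands as root.
_SPEC = re.compile(
    r'^\s*(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*'
    r'(?:\((?P<runas>[^)]*)\))?\s*(?P<cmd>.+)$'
)

def parse_spec(line):
    """Split a sudoers user specification into user, host, Runas users and command."""
    m = _SPEC.match(line)
    if not m:
        return None
    users = []
    if m.group('runas') is not None:
        user_part = m.group('runas').split(':', 1)[0]   # drop the optional group list
        users = [u.strip() for u in user_part.split(',') if u.strip()]
    return {'user': m.group('user'), 'host': m.group('host'),
            'runas': users, 'cmd': m.group('cmd').strip()}

def runas_exposed(line):
    """True if the Runas list contains ALL; a later !root does not help (CVE-2019-14287)."""
    spec = parse_spec(line)
    return spec is not None and 'ALL' in spec['runas']

def version_tuple(version):
    """'1.8.27p1' -> (1, 8, 27, 1); patch levels compare after the third component."""
    return tuple(int(x) for x in re.findall(r'\d+', version))

def sudo_vulnerable(version):
    """Fixed in 1.8.28, so anything that sorts before it is affected."""
    return version_tuple(version) < (1, 8, 28)

def audit(sudoers_text, version):
    """Return (user, command) for every exposed entry, empty if sudo is already patched."""
    findings = []
    if not sudo_vulnerable(version):
        return findings
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):   # skip blanks and comments
            continue
        if runas_exposed(line):
            spec = parse_spec(line)
            findings.append((spec['user'], spec['cmd']))
    return findings

# Constructed sample policy covering the cases discussed in the article.
SAMPLE_SUDOERS = """# constructed sudoers sample
alice myhost = (ALL) /usr/bin/id
bob myhost = (ALL, !root) /usr/bin/vi
carol myhost = /usr/bin/id
%sudo ALL=(ALL:ALL) ALL
dave ALL = (www-data) /usr/bin/tail
"""

if __name__ == '__main__':
    for user, cmd in audit(SAMPLE_SUDOERS, '1.8.27p1'):
        print(f'exposed: {user} may run {cmd} with ALL in Runas')
```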
[Figure: screenshot of the attack scenario]
[Figure: screenshot of the vulnerability reproduction]
Affected Sudo version
Sudo versions earlier than 1.8.28 are affected by this vulnerability.
Vulnerability repair
This vulnerability is fixed in Sudo 1.8.28, and Linux users are advised to update the sudo package to the latest version as soon as possible.
That concludes the analysis and reproduction of the sudo permission bypass vulnerability. I hope the above content is of some help to you; if you still have questions, follow the industry information channel for more related knowledge.