Shulou(Shulou.com)06/02 Report--

This article mainly introduces "the loophole of Linux sudo privilege enhancement". In the daily operation, I believe that many people have doubts about the loophole of Linux sudo privilege enhancement. The editor has consulted all kinds of materials and sorted out simple and easy-to-use operation methods. I hope it will be helpful to answer the doubts of "Linux sudo privilege enhancement loopholes"! Next, please follow the editor to study!

Catalogue

Introduction of 0x01 vulnerabilities

Impact of 0x02 vulnerabilities

Recurrence of 0x03 vulnerabilities

Details of 0x04 vulnerability

0x05 referenc

Introduction of 0x01 vulnerabilities

This vulnerability allows restricted users to run root commands

Impact of 0x02 vulnerabilities

Sudo versions prior to 1.8.28 will be affected

Exploitation of this vulnerability requires the user to have the authority of sudo

Recurrence of 0x03 vulnerabilities

Details of 0x04 vulnerability

Because the user is required to have root rights, it also means that the user has a special value ALL in the runas specifier in the sudoers

Let's take a look at / etc/sudoers here

We can see the following configuration information for user rights, which means something like this

Authorized user / group host = [(which users or groups to switch to)] [whether password authentication is required] command 1, command 2

In the first field, those that do not begin with% represent "users to be authorized", such as "groups to be authorized" where root; begins with%, such as% admin and% sudo.

The second field indicates the hosts that are allowed to log in, and ALL indicates all. This indicates the servers on which users can log in to this server to execute sudo commands, such as

Wuxin ALL=/usr/sbin/reboot,/usr/sbin/shutdown

It means that the ordinary user wuxin can run reboot and shutdown commands through sudo on all hosts.

The third field, if omitted, indicates switching to root users. If ALL, it means switching to any user. The (ALL:ALL) in it indicates that any user is allowed to switch to any (user: group)

PS: if not omitted, you must enclose the two values in parentheses

The fourth parameter is NOPASSWD, which is omitted in this file, which means that a password is required to operate. If you do the following, you do not need to enter a password.

Wuxin ALL= (ALL:ALL) NOPASSWD:ALL

The fifth parameter is the command that authorizes the operation. If the value is ALL, you can execute any command.

This explains so much, which means that all users in our environment can execute sudo.

In this case, we can use the # uid syntax to run it as any user ID

For example, execution

Sudo-upright 1234 id-u

Will return 1234

However, the setresuid (2) and setreuid (2) used to change the user ID before sudo execution, especially for the user ID-1 (or its equivalent 4294967295), will not change the ID value of this user. In fact, the value they return is 0.

This is because sudo itself is already running with user ID 0, so no change will occur when you try to change user ID to-1, and because the user ID specified by-u does not exist in the password database, no PAM session module will be allowed

At this point, the study on the "loophole in Linux sudo privilege enhancement" is over. I hope to be able to solve everyone's doubts. The collocation of theory and practice can better help you learn, go and try it! If you want to continue to learn more related knowledge, please continue to follow the website, the editor will continue to work hard to bring you more practical articles!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.