cxzczxzc/sudo-exploit-mitre-attack-poc
Privilege Escalation - Sudo - CVE-2019-14287

This attack corresponds to the MITRE ATT&CK Privilege Escalation tactic, using the Sudo technique.
It makes use of a misconfiguration in the sudoers file, as described in CVE-2019-14287.

Description of the vulnerability

This vulnerability allows a non-root user to run commands as root. Besides a username, sudo also accepts a numeric user ID as the -u argument, along with the command to run. If an attacker passes -1 or 4294967295 as the user ID, sudo treats that value as root, and they gain the ability to run commands as root.

For this exploit to work successfully, the /etc/sudoers file has to be misconfigured in a specific way. An example of such a misconfiguration is:

    <username> ALL=(ALL, !root) /bin/cat

Essentially, the rule above lets <username> execute /bin/cat on ALL hosts as any user except root.

This restriction is bypassed, and the user obtains root access, by running something like:

    sudo -u#-1 /bin/cat

For the sake of brevity, I will not get into the root cause of this issue here.
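From the defender's side, the two things worth auditing are the sudoers pattern described above (a Runas_List of ALL that only negates root) and the installed sudo version, since the fix landed in 1.8.28. The following is an added example, not code from this repository: a small sudoers scanner that flags exactly that rule shape, run here over a constructed sample file. It assumes a simplified one-line rule syntax of the form `user host=(runas) commands`; it does not handle aliases or line continuations.

```python
import re
from typing import List, NamedTuple

# Constructed sample sudoers content (not the project's file). The "saad" and
# "alice" rules have the shape the README describes: ALL minus root.
SAMPLE_SUDOERS = """\
# Example sudoers, constructed for this check
root    ALL=(ALL:ALL) ALL
saad    ALL=(ALL, !root) /bin/bash
alice   ALL=(ALL, !#0) NOPASSWD: /bin/cat
bob     ALL=(www-data) /usr/bin/id
"""

class Finding(NamedTuple):
    user: str
    hosts: str
    runas: str
    commands: str

# Simplified rule grammar: <user> <hosts>=(<runas>) <commands>
_RULE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*\(([^)]*)\)\s*(.*)$")

def _runas_excludes_root(runas: str) -> bool:
    """True when the Runas_List grants ALL and only negates root.

    The part after ':' is the group list and is ignored; root may be
    written as '!root' or by uid as '!#0'.
    """
    users = [u.strip() for u in runas.split(":")[0].split(",")]
    negated_root = any(u in ("!root", "!#0") for u in users)
    return "ALL" in users and negated_root

def find_negated_root_rules(sudoers_text: str) -> List[Finding]:
    """Return every rule whose Runas_List matches the CVE-2019-14287 pattern."""
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # skip blanks and comments
            continue
        m = _RULE.match(line)
        if not m:
            continue
        user, hosts, runas, commands = m.groups()
        if _runas_excludes_root(runas):
            findings.append(Finding(user, hosts, runas, commands))
    return findings

def version_is_affected(version: str) -> bool:
    """sudo releases before 1.8.28 are affected; 'p' patch suffixes are ignored."""
    parts = tuple(int(p) for p in version.split("p")[0].split("."))
    return parts < (1, 8, 28)
```

A flagged rule is only exploitable this way on an affected sudo version, but the `(ALL, !root)` pattern is worth removing regardless, since an explicit allow-list of runas users is the intended way to express "not root".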

Exploit Action

The exploit works by checking various commands to see if they can be used to get root access. In cases where the attack is successful, the exploit points out the misconfigurations in the sudoers file. At the end, the exploit code generates a summary of the commands that are successful in obtaining root access.

In this exploit, for demonstration purposes, the user saad is set up with sudo access to the bash command only. The exploit checks the '/usr/bin/id', 'bash' and '/bin/cat' commands.

Preconditions to setup the attack

  • Base OS: Linux/macOS. (It may work on Windows too, but has not been tested there.)
  • Open Source Software:
    1. Docker version 19.03.4
    2. docker-compose version 1.24.1
    3. git

Preconditions to execute the attack

The docker container is built such that it satisfies all the preconditions for successful execution of the exploit. The preconditions for successful execution of the attack are:

  • OS: ubuntu:18.04
  • Programs: git, python3.6, python3-pip, wget, gcc, make and sudo version 1.8.27

Step 1 - Setup

  • Fire up the base OS and Docker. Once Docker is up and running, clone this repository using git clone or download it manually.
  • Open terminal in the directory where the files are located.
  • Make sure that docker-compose.yml, Dockerfile, exploit.py and README.md are present before moving on to the next step.

Step 2 - Execution

  • Run the following commands in the order specified below:
  1. docker-compose build
  2. docker-compose run sudoexploit

Attack Execution and Postconditions

  • At this point, the exploit code runs and prints its results to the tty.
  • If the exploit is successful, the summary line says:

    The user can run the sudo exploit using these command(s)['bash']
    Exploit successful

  • If no command has sudo access, the summary line says:

    Exploit was not successful. No exploitable commands found.

  • If a user other than the one specified in the exploit code tries to run the exploit, the summary line says:

    Exploit cannot be run if user is not saad.

  • Should an error occur, the summary line says:

    An error occured during the exploit execution

  • In addition to the above, the tty output describes which commands work and which do not.

Step 3 - Cleanup

  • Run the following commands in the order specified below:
  1. docker-compose stop
  2. docker-compose down
  3. docker image rm sudoexploit
  • Delete the directory which contains all the files on the Base OS.

About

POC for MITRE ATT&CK Privilege Escalation Tactic - Sudo Technique
