Share
## https://sploitus.com/exploit?id=C6EB7E1A-A308-58FC-B1FF-95F63B890A34
Analysis of the CVE-2019-18634 (https://www.exploit-db.com/exploits/47995)

Sudo 1.8.25p - 'pwfeedback' Buffer Overflow (PoC)

Sudo's pwfeedback option can be used to provide visual feedback when the user is inputting 
their password. For each key press, an asterisk is printed. This option was added in 
response to user confusion over how the standard Password: prompt disables the echoing 
of key presses. While pwfeedback is not enabled by default in the upstream version of sudo,
some systems, such as Linux Mint and Elementary OS, do enable it in their default sudoers files.

Analysis

Sudo buffer overflow tryhackme writeup

Analysis of the CVE-2019-18634


First we log in to the tryhackme instance via SSH

The vulnerability happens because of the pwfeedback function being vulnerable to a heap buffer overflow, to exploit this vulnerability we first verify that the machine has the vulnerable version of sudo(sudo <1.8.26) present by running the sudo –version command

Analysis of the CVE-2019-18634


First we log in to the tryhackme instance via SSH

The vulnerability happens because of the pwfeedback function being vulnerable to a heap buffer overflow, to exploit this vulnerability we first verify that the machine has the vulnerable version of sudo(sudo <1.8.26) present by running the sudo –version command

![alt text](https://github.com/CyrusRazavi/CVE-2019-18634-/blob/main/image%201.png?raw=true)


confirm ing that the machine has a vulnerable version of sudo we now verify that owfeedback function is present, this can be done 2 ways, by invoking sudo and typing anything into the password prompt, which should display “*” as you type in characters for the password, and the second and more technical way of doing so is by using the sudo -l command, but this will also require the user to have proper permissions that allow them to view information regarding sudo or being able to concatenate the sudoers file

![alt text](https://github.com/CyrusRazavi/CVE-2019-18634-/blob/main/image%202.png?raw=true)

We will now confirm that a buffer overflow is possible by using the test case use on exploit-db
https://www.exploit-db.com/exploits/47995

perl -e 'print(("A" x 100 . "\x{00}") x 50)' | sudo -S id
^^The line of code above goes as follows:

Add 100 A characters and pipe it into the sudo command which will then end up in the pwfeedback heap buffer. 

![alt text](https://github.com/CyrusRazavi/CVE-2019-18634-/blob/main/image%203.png?raw=true)

Sudo will then spit out a segmentation fault as it is not sure how to continue the sudo process


This happens because once a static heap buffer is flooded, it will begin to flood CPU registers and the instruction pointer, which maintains the flow of the next instruction.


We can run the exploit, which will cause a buffer overflow and give us root access to the system
https://www.exploit-db.com/exploits/47995
![alt text](https://github.com/CyrusRazavi/CVE-2019-18634-/blob/main/image%204.png?raw=true)