Last time I did a heap overflow CVE analysis. This time I wanted to analyze a different kind of bug, so I chose one in Sudo that is a logic bug: CVE-2019-14287, an error in how Sudo handled integer parsing and unsigned integer wrapping with -1.
The Linux program sudo allows a user to temporarily elevate access so that a program (such as an installer) can run and change something the user would otherwise not have access to. sudo has a configuration file called sudoers that specifies which users a particular user may run commands as. To exploit this CVE, the user must be given (ALL, !root) access in the sudoers file, which means the user can assume any user except root.
To achieve this, the user with that sudoers entry passes -1 as the numeric user ID to assume, like this: sudo -u#-1. -1 is not a valid user ID, so when sudo converts it, the number wraps around to 4294967295, the highest value of an unsigned int.
The kernel interprets that value as -1, which means "don't change the uid of the current process." However, Sudo is already running as root at that point, so when this kernel call is made the user ends up as root. That is the exploit: the user switches to root and is given full access.
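To make the wrap concrete, here is an added example (my own code, not sudo's, and not taken from the original post). It models the unchecked conversion the post describes, where "-1" cast to uid_t becomes 4294967295, and beside it a hardened parser that rejects any value collapsing to (uid_t)-1, the sentinel that the set*uid() family treats as "leave this id unchanged". The function names are hypothetical, and it assumes uid_t is a 32-bit unsigned int as on Linux/glibc.

```c
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <limits.h>
#include <sys/types.h>

/* Hypothetical unchecked parser modelled on the bug: converts the number
 * after "-u#" to uid_t with no range check, so "-1" wraps to 4294967295,
 * which is exactly (uid_t)-1. */
uid_t parse_uid_unchecked(const char *spec)
{
    return (uid_t)strtol(spec, NULL, 10);
}

/* Hardened parser: full-string numeric check, range check against the
 * (assumed) 32-bit uid_t, and an explicit rejection of the (uid_t)-1
 * sentinel so the kernel is never asked to "not change" the uid.
 * Returns 0 on success, -1 on rejection. */
int parse_uid_checked(const char *spec, uid_t *out)
{
    char *end;
    errno = 0;
    long long v = strtoll(spec, &end, 10);
    if (errno != 0 || end == spec || *end != '\0')
        return -1;                      /* not a clean decimal number */
    if (v < 0 || v > (long long)UINT_MAX)
        return -1;                      /* outside the uid_t range */
    if ((uid_t)v == (uid_t)-1)
        return -1;                      /* 4294967295: the "no change" sentinel */
    *out = (uid_t)v;
    return 0;
}

/* Convenience wrapper: 1 if the spec would be accepted by the checked parser. */
int uid_spec_is_safe(const char *spec)
{
    uid_t u;
    return parse_uid_checked(spec, &u) == 0;
}

int main(void)
{
    const char *specs[] = { "1000", "-1", "4294967295", "12abc" }; /* constructed inputs */
    for (size_t i = 0; i < sizeof specs / sizeof specs[0]; i++) {
        printf("spec %-11s unchecked -> %u   checked -> %s\n",
               specs[i], (unsigned)parse_uid_unchecked(specs[i]),
               uid_spec_is_safe(specs[i]) ? "accepted" : "rejected");
    }
    return 0;
}
```

Running it shows "-1" and "4294967295" both landing on the same unsigned value under the unchecked path, while the checked path rejects them along with malformed input; rejecting the sentinel before the identity switch is the same shape of fix the post's "patched" wording refers to.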
I set this environment up using Docker and an old Ubuntu image, 18.04. From there I downloaded sudo version 1.8.27 because this version was patched. I created a testuser and updated the sudoers file. Then I ran the command sudo -u#-1 /bin/bash and it gave me root access.
CVE-2019-14287 was very easy to reproduce, and I would recommend giving it a try if you want to see a relatively simple CVE. It's very gratifying to do this and actually get root access.