Recent 0-Days
Last updated
Last updated
The program sudo is used under UNIX operating systems like Linux or macOS to start processes with the rights of another user. In most cases, commands are executed that are only available to administrators. It serves as an additional layer of security or a safeguard to prevent the system and its contents from being damaged by unauthorized users. The /etc/sudoers file specifies which users or groups are allowed to run specific programs and with what privileges.
One of the latest vulnerabilities for sudo carries the CVE-2021-3156 and is based on a heap-based buffer overflow vulnerability. This affected the sudo versions:
1.8.31 - Ubuntu 20.04
1.8.27 - Debian 10
1.9.2 - Fedora 33
and others
To find out the version of sudo, the following command is sufficient:
The interesting thing about this vulnerability was that it had been present for over ten years until it was discovered. There is also a public that can be used for this. We can either download this to a copy of the target system we have created or, if we have an internet connection, to the target system itself.
When running the exploit, we can be shown a list that will list all available versions of the operating systems that may be affected by this vulnerability.
We can find out which version of the operating system we are dealing with using the following command:
Next, we specify the respective ID for the version operating system and run the exploit with our payload.
In fact, Sudo also allows commands with specific user IDs to be executed, which executes the command with the user's privileges carrying the specified ID. The ID of the specific user can be read from the /etc/passwd file.
Thus the ID for the user cry0l1t3 would be 1005. If a negative ID (-1) is entered at sudo, this results in processing the ID 0, which only the root has. This, therefore, led to the immediate root shell
PolicyKit (polkit) is an authorization service on Linux-based operating systems that allows user software and system components to communicate with each other if the user software is authorized to do so. To check whether the user software is authorized for this instruction, polkit is asked.
Polkit works with two groups of files.
actions/policies (/usr/share/polkit-1/actions)
rules (/usr/share/polkit-1/rules.d)
Polkit also has local authority rules which can be used to set or remove additional permissions for users and groups. Custom rules can be placed in the directory /etc/polkit-1/localauthority/50-local.d with the file extension .pkla.
PolKit also comes with three additional programs:
pkexec - runs a program with the rights of another user or with root rights
pkaction - can be used to display actions
pkcheck - this can be used to check if a process is authorized for a specific action
The most interesting tool for us, in this case, is pkexec because it performs the same task as sudo and can run a program with the rights of another user or root.
Once we have compiled the code, we can execute it without further ado. After the execution, we change from the standard shell (sh) to Bash (bash) and check the user's IDs.
This is a "janky" way to compile for old version, which is just statically linking the libraries...
(adds the -static -static-libgcc)
In simple terms, this vulnerability allows a user to write to arbitrary files as long as he has read access to these files. It is also interesting to note that Android phones are also affected. Android apps run with user rights, so a malicious or compromised app could take over the phone.
This vulnerability is based on pipes. Pipes are a mechanism of unidirectional communication between processes that are particularly popular on Unix systems. For example, we could edit the /etc/passwd file and remove the password prompt for the root. This would allow us to log in with the su command without the password prompt.
Download Dirty Pipe Exploit
After compiling the code, we have two different exploits available. The first exploit version (exploit-1) modifies the /etc/passwd and gives us a prompt with root privileges. For this, we need to verify the kernel version and then execute the exploit.
Verify Kernel Version
Exploitation
With the help of the 2nd exploit version (exploit-2), we can execute SUID binaries with root privileges. However, before we can do that, we first need to find these SUID binaries. For this, we can use the following command:
Find SUID Binaries
Then we can choose a binary and specify the full path of the binary as an argument for the exploit and execute it.
Netfilter is a Linux kernel module that provides, among other things, packet filtering, network address translation, and other tools relevant to firewalls. It controls and regulates network traffic by manipulating individual packets based on their characteristics and rules. Netfilter is also called the software layer in the Linux kernel. When network packets are received and sent, it initiates the execution of other modules such as packet filters. These modules can then intercept and manipulate packets. This includes the programs like iptables and arptables, which serve as action mechanisms of the Netfilter hook system of the IPv4 and IPv6 protocol stack.
This kernel module has three main functions:
Packet defragmentation
Connection tracking
Network address translation (NAT)
Even if the company uses virtual machines or containers like Docker, these are built on a specific kernel. The idea of isolating the software application from the existing host system is a good step, but there are many ways to break out of such a container.
CVE-2021-22555
Vulnerable kernel versions: 2.6 - 5.11
CVE-2022-25636
However, we need to be careful with this exploit as it can corrupt the kernel, and a reboot will be required to reaccess the server.
CVE-2023-32233
This vulnerability exploits the so called anonymous sets in nf_tables by using the Use-After-Free vulnerability in the Linux Kernel up to version 6.3.1. These nf_tables are temporary workspaces for processing batch requests and once the processing is done, these anonymous sets are supposed to be cleared out (Use-After-Free) so they cannot be used anymore. Due to a mistake in the code, these anonymous sets are not being handled properly and can still be accessed and modified by the program.
The exploitation is done by manipulating the system to use the cleared out anonymous sets to interact with the kernel's memory. By doing so, we can potentially gain root privileges.
Please keep in mind that these exploits can be very unstable and can break the system.
Another vulnerability was found in 2019 that affected all versions below 1.8.28, which allowed privileges to escalate even with a simple command. This vulnerability has the and requires only a single prerequisite. It had to allow a user in the /etc/sudoers file to execute a specific command.
In the pkexec tool, the memory corruption vulnerability with the identifier was found, also known as and also leads to privilege escalation. This vulnerability was also hidden for more than ten years, and no one can precisely say when it was discovered and exploited. Finally, in November 2021, this vulnerability was published and fixed two months later.
To exploit this vulnerability, we need to download a and compile it on the target system itself or a copy we have made.
A vulnerability in the Linux kernel, named (), allows unauthorized writing to root user files on Linux. Technically, the vulnerability is similar to the vulnerability discovered in 2016. All kernels from version 5.8 to 5.17 are affected and vulnerable to this vulnerability.
To exploit this vulnerability, we need to download a and compile it on the target system itself or a copy we have made.
When the module is activated, all IP packets are checked by the Netfilter before they are forwarded to the target application of the own or remote system. In 2021 (), 2022 (), and also in 2023 (), several vulnerabilities were found that could lead to privilege escalation.
A recent vulnerability is and affects Linux kernel 5.4 through 5.6.10. This is net/netfilter/nf_dup_netdev.c, which can grant root privileges to local users due to heap out-of-bounds write. Nick Gregory wrote a very detailed about how he discovered this vulnerability.