This week, a vulnerability discovered by Joe Vennix makes it possible to escalate our privileges to root without requiring a password at all. The vulnerability is tracked as CVE-2019-14287. It is a security vulnerability that allows any user on a Linux system to execute commands as root, even when the user's permissions in the sudoers file prevent these commands from being run as root.
The condition is that the user has ALL in the Runas specification, which means they can execute commands as any user on the system.
Users can run commands and tools as root by specifying the user ID (UID) as -1 or its unsigned equivalent, 4294967295.
Reviewing the screenshot above, we can see the contents of the /etc/sudoers file, which indicates that anyone in sudo can execute commands, which meets the condition.
In the above screenshot, we can observe that the exploit happens when -1 is typed as the user ID after -u. It returns 0 as the output, which is the ID of the root user. Knowing this, we run the commands below to probe further at this vulnerability.
As we can see in the above screenshot, I created a file using the touch command. Peeking at the permissions, it was created by root! Let's dig deeper.
In this last screenshot, I added /bin/sh, and we obtained a shell on the system without providing any passwords! As this brief demonstration shows, this is quite an easy escalation technique that anyone can use if the conditions are met.
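To check whether a host meets the condition described above, the following added example (not part of the original post) scans sudoers rules for a Runas user list containing ALL and recognises both spellings of the UID -1. The sample sudoers text and all function names are constructed for illustration; aliases, includes and line continuations are not handled.

```python
import re

# Constructed sample sudoers content (not the file shown in the page's screenshot).
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
bob     ALL=(ALL, !root) /usr/bin/vi
carol   ALL=(www-data) /usr/bin/systemctl restart nginx
dave    ALL=/usr/bin/apt
"""

# who host=(runas) commands; aliases, includes and continuations are not handled.
RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
                  r"(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$")

def runas_users(runas):
    """Split the user half of a '(users:groups)' Runas spec into a list."""
    return [u.strip() for u in runas.split(":", 1)[0].split(",") if u.strip()]

def audit_sudoers(text):
    """Return rules whose Runas user list contains ALL (the page's condition)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE.match(line)
        if not m or m.group("runas") is None:
            continue  # no Runas spec: the rule does not let the user pick a target
        users = runas_users(m.group("runas"))
        if "ALL" in users:
            findings.append({"line": lineno, "who": m.group("who"),
                             "excludes_root": "!root" in users,
                             "commands": m.group("cmds").strip()})
    return findings

def is_minus_one_uid(value):
    """True if a numeric UID string is -1 or its unsigned 32-bit form 4294967295."""
    try:
        return int(value.lstrip("#")) % 2**32 == 0xFFFFFFFF
    except ValueError:
        return False  # a user name, not a number

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        note = "relies on !root to keep root out" if f["excludes_root"] else "root already allowed"
        print(f"line {f['line']}: {f['who']} -> {f['commands']} ({note})")
```

Rules flagged with `excludes_root` set are the ones to review first, since they depend on the restriction that this vulnerability bypasses.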
I hope you learned something new, keep working hard everyone :)