TH3xACE / SUDO_KILLER

A tool designed to exploit a privilege escalation vulnerability in the sudo program on Unix-like systems. It takes advantage of a specific misconfiguration or flaw in sudo to gain elevated privileges on the system, essentially allowing a regular user to execute commands as the root user.
MIT License
2.19k stars 250 forks

Bug #14

Closed PaS3 closed 3 years ago

PaS3 commented 3 years ago

Describe the bug

I was testing my system for sudo security and found a false positive when testing for CVE-2019-14287.

To Reproduce

  1. open bash
  2. git clone https://github.com/TH3xACE/SUDO_KILLER.git
  3. ./SUDOKILLERv2.0.3.sh -c -i -r $(echo report$(date +%H:%M:%S_%m-%d-%Y)) -p ./
     3.1 report shows CVE-2019-14287 and CVE-2019-18634
  4. ./cve_updatev2.sh
  5. ./SUDOKILLERv2.0.3.sh -c -e -r $(echo report$(date +%H:%M:%S_%m-%d-%Y)) -p ./
     5.1 report shows CVE-2019-14287 and CVE-2019-18634
  6. Test CVE-2019-14287 - Make sure no sudo session is open
     6.1 sudo -k  # kill or timeout sudo session
     6.2 sudo whoami
     6.2.1 [sudo] password for paul:
  7. sudo -u#-1 echo -e "I became $(whoami)"
     7.1 > sudo: unknown user: #-1
         sudo: unable to initialize policy plugin
  8. sudo -u#$((0xffffffff)) echo -e "I became $(whoami)"
     8.1 > sudo: unknown user: #4294967295
         sudo: unable to initialize policy plugin

Expected behavior

============== Checking for Common Misconfiguration ====================
================== Checking for File owner hijacking =======================
============= Checking for File permission hijacking =====================

all lines further empty because I am special :1st_place_medal:

Screenshots

Let me know if you need these.

Desktop (please complete the following information):

APP: bash 5.0.3
APP: sudo version 1.8.27
OS: Debian GNU/Linux 10 (buster) x86_64
Kernel: 4.19.0-10-amd64

Additional context

Maybe set -x to debug bash and back with set +x.

CVE-2019-18634: The sudoers pwfeedback flag is off by default, so it should not be reporting this issue either. Test instructions: https://www.sudo.ws/alerts/pwfeedback.html

TH3xACE commented 3 years ago

Hi PaS3,

Thanks for posting the issue. I think that I spotted the issue with CVE-2019-18634 but have not for CVE-2019-14287.

Can you please provide the content of your /etc/sudoers? If you want to provide it in PM, please send it to adblue2017 @ gmail . com

Regards, TH3xACE.

TH3xACE commented 3 years ago

Bug corrected for CVE-2019-18634. Thanks again for your post.

Looking forward to your rules to check the one on CVE-2019-14287.

PaS3 commented 3 years ago

The Debian 10 installation default.

sudo apt download sudo
mkdir sudo
dpkg -x sudo* ./sudo
cat ./sudo/etc/sudoers

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

TH3xACE commented 3 years ago

Hi PaS3,

I have tested CVE-2019-14287 with the same rules as yours and the same bash version. I am not getting a false positive and it is working fine. Could you test on another environment? There is a docker provided... try to use it.

Regards, TH3xACE.

TH3xACE commented 3 years ago

Just one question: were you considering the section ">> Checking for disclosed vulnerabilities (CVE)" to say the false positive??? I think I should put some notes here.... The CVEs are related to the version that is used, but some need to satisfy some requirements to be exploitable.

TH3xACE commented 3 years ago

I have added this "[+] Despite the version being vulnerable to a CVE or several some requirements might be needed for exploitation."

CVEs are based on the version, but specific conditions must be met in order to exploit most of them. The tool does both: it identifies whether the current sudo version is vulnerable to a specific CVE and then checks, for some of the CVEs, whether the conditions are met, and this provides the exploit path.

Thanks for your post, it helped make things clearer. I will add a note to the readme about this.

I will close the issue.

Regards, David.
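The split the maintainer describes above (version in the affected range versus sudoers actually meeting the CVE's precondition), together with the pwfeedback point from the report, as an added POSIX shell audit helper that is not part of SUDO_KILLER. The fix thresholds and the `(ALL, !root)` precondition for CVE-2019-14287 are taken from the sudo advisories rather than from this thread; the function names, `DEBIAN_DEFAULT_SUDOERS` and `RISKY_SUDOERS` are constructed for the example.

```shell
# Constructed audit helper (not SUDO_KILLER's code): separates "sudo version is
# in the affected range" from "sudoers meets the CVE's precondition". Fix thresholds
# (1.8.28 for CVE-2019-14287, 1.8.31 for CVE-2019-18634) come from the sudo advisories.

# version_lt A B -> exit 0 when A is older than B; dotted numeric compare in awk,
# so a patch level such as 1.8.31p1 is compared as 1.8.31
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, "."); k = (n > m) ? n : m
    for (i = 1; i <= k; i++) { p = x[i] + 0; q = y[i] + 0
      if (p < q) exit 0; if (p > q) exit 1 }
    exit 1 }'
}

# version_affected CVE VERSION -> yes|no|unknown
version_affected() {
  case "$1" in
    CVE-2019-14287) fix=1.8.28 ;;
    CVE-2019-18634) fix=1.8.31 ;;
    *) echo unknown; return 0 ;;
  esac
  if version_lt "$2" "$fix"; then echo yes; else echo no; fi
}

# conditions_met CVE SUDOERS_TEXT -> yes|no|unknown. Comment lines are ignored;
# /etc/sudoers.d is not read, so pass the merged text if you use it.
conditions_met() {
  rules=$(printf '%s\n' "$2" | grep -Ev '^[[:space:]]*#' || true)
  case "$1" in
    CVE-2019-14287)  # a Runas spec excluding root, e.g. ALL=(ALL, !root) ALL
      printf '%s\n' "$rules" | grep -Eq '\([^)]*!root' && echo yes || echo no ;;
    CVE-2019-18634)  # "Defaults ... pwfeedback" set (a leading ! negates it)
      printf '%s\n' "$rules" | grep -Eq '^[[:space:]]*Defaults.*[[:space:],]pwfeedback([[:space:],]|$)' && echo yes || echo no ;;
    *) echo unknown ;;
  esac
}

# classify CVE VERSION SUDOERS_TEXT -> not-affected | version-only | exploitable
classify() {
  [ "$(version_affected "$1" "$2")" = yes ] || { echo not-affected; return 0; }
  [ "$(conditions_met "$1" "$3")" = yes ] && echo exploitable || echo version-only
}
# Constructed inputs: the Debian 10 default rules from this thread, and a risky variant
DEBIAN_DEFAULT_SUDOERS='Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
#includedir /etc/sudoers.d'
RISKY_SUDOERS='Defaults        env_reset, pwfeedback
paul    ALL=(ALL, !root) ALL'
```

With sudo 1.8.27 and the Debian default rules, `classify` answers version-only for both CVEs, which is what the report's manual `sudo -u#-1` test showed; a real sudoers check should also read `/etc/sudoers.d`.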