CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 16CVE-2019-18634 – Sudo 1.8.25p - 'pwfeedback' Buffer Overflow (PoC)
https://notcve.org/view.php?id=CVE-2019-18634
29 Jan 2020 — In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS; however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c. En Sudo anterior a la versión 1.8.26, si pwfeedback está habilitado en / etc / sudoers, los usu... • https://packetstorm.news/files/id/156189 • CWE-121: Stack-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 0CVE-2019-19232 – sudo: attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user
https://notcve.org/view.php?id=CVE-2019-19232
19 Dec 2019 — In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabl... • http://seclists.org/fulldisclosure/2020/Mar/31 • CWE-284: Improper Access Control •
CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 0CVE-2019-19234 – sudo: by using ! character in the shadow file instead of a password hash can access to a run as all sudoer account
https://notcve.org/view.php?id=CVE-2019-19234
19 Dec 2019 — In Sudo through 1.8.29, the fact that a user has been blocked (e.g., by using the ! character in the shadow file instead of a password hash) is not considered, allowing an attacker (who has access to a Runas ALL sudoer account) to impersonate any blocked user. NOTE: The software maintainer believes that this CVE is not valid. Disabling local password authentication for a user is not the same as disabling all access to that user--the user may still be able to login via other means (ssh key, kerberos, etc). B... • https://access.redhat.com/security/cve/cve-2019-19234 • CWE-284: Improper Access Control •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 1CVE-2005-4890
https://notcve.org/view.php?id=CVE-2005-4890
04 Nov 2019 — There is a possible tty hijacking in shadow 4.x before 4.1.5 and sudo 1.x before 1.7.4 via "su - user -c program". The user session can be escaped to the parent session by using the TIOCSTI ioctl to push characters into the input buffer to be read by the next process. Se presenta un posible secuestro de tty en shadow versiones 4.x anteriores a 4.1.5 y sudo versiones 1.x anteriores a 1.7.4 por medio de "su - user -c program". La sesión de usuario puede ser escapada a la sesión principal mediante el uso de la... • http://www.openwall.com/lists/oss-security/2012/11/06/8 • CWE-20: Improper Input Validation •
CVSS: 7.0EPSS: 0%CPEs: 1EXPL: 1CVE-2019-18684
https://notcve.org/view.php?id=CVE-2019-18684
04 Nov 2019 — Sudo through 1.8.29 allows local users to escalate to root if they have write access to file descriptor 3 of the sudo process. This occurs because of a race condition between determining a uid, and the setresuid and openat system calls. The attacker can write "ALL ALL=(ALL) NOPASSWD:ALL" to /proc/#####/fd/3 at a time when Sudo is prompting for a password. NOTE: This has been disputed due to the way Linux /proc works. It has been argued that writing to /proc/#####/fd/3 would only be viable if you had permiss... • https://gist.github.com/oxagast/51171aa161074188a11d96cbef884bbd • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 9.0EPSS: 40%CPEs: 47EXPL: 29CVE-2019-14287 – sudo 1.8.27 - Security Bypass
https://notcve.org/view.php?id=CVE-2019-14287
15 Oct 2019 — In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a "sudo -u \#$((0xffffffff))" command. En Sudo anteriores a 1.8.28, un atacante con acceso a una cuenta Runas ALL sudoer puede omitir ciertas listas negras de políticas y módulos PAM de sesión, y puede causar un registro... • https://www.exploit-db.com/exploits/47502 • CWE-267: Privilege Defined With Unsafe Actions CWE-755: Improper Handling of Exceptional Conditions •
CVSS: 7.0EPSS: 0%CPEs: 66EXPL: 1CVE-2015-8239
https://notcve.org/view.php?id=CVE-2015-8239
10 Oct 2017 — The SHA-2 digest support in the sudoers plugin in sudo after 1.8.7 allows local users with write permissions to parts of the called command to replace them before it is executed. La compatibilidad con SHA-2 digest en el plugin sudoers en sudo, en versiones posteriores a la 1.8.7, permite que usuarios locales con permisos de escritura en partes del comando llamado los reemplace antes de ejecutarlo. • https://github.com/justinsteven/sudo_digest_toctou_poc_CVE-2015-8239 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 8.2EPSS: 0%CPEs: 2EXPL: 0CVE-2017-1000368 – sudo: Privilege escalation via improper get_process_ttyname() parsing (insufficient fix for CVE-2017-1000367)
https://notcve.org/view.php?id=CVE-2017-1000368
05 Jun 2017 — Todd Miller's sudo version 1.8.20p1 and earlier is vulnerable to an input validation (embedded newlines) in the get_process_ttyname() function resulting in information disclosure and command execution. La versión 1.8.20p1 y anteriores de sudo de Todd Miller es vulnerable a una validación de entradas (nuevas líneas embebidas) en la función get_process_ttyname() que da lugar a una revelación de información y la ejecución de comandos. It was found that the original fix for CVE-2017-1000367 was incomplete. A fl... • http://www.securityfocus.com/bid/98838 • CWE-20: Improper Input Validation •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 9CVE-2017-1000367 – Sudo 1.8.20 - 'get_process_ttyname()' Local Privilege Escalation
https://notcve.org/view.php?id=CVE-2017-1000367
30 May 2017 — Todd Miller's sudo version 1.8.20 and earlier is vulnerable to an input validation (embedded spaces) in the get_process_ttyname() function resulting in information disclosure and command execution. Un Sudo de Todd Miller’s versión 1.8.20 y anteriores es vulnerable a una validación de entrada (espacios insertados) en la función get_process_ttyname(), resultando en la divulgación de información y la ejecución de comandos. A flaw was found in the way sudo parsed tty information from the process status file in ... • https://packetstorm.news/files/id/142783 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-807: Reliance on Untrusted Inputs in a Security Decision •
CVSS: 7.0EPSS: 0%CPEs: 28EXPL: 0CVE-2016-7032 – sudo: noexec bypass via system() and popen()
https://notcve.org/view.php?id=CVE-2016-7032
06 Dec 2016 — sudo_noexec.so in Sudo before 1.8.15 on Linux might allow local users to bypass intended noexec command restrictions via an application that calls the (1) system or (2) popen function. Sudo_noexec.so en Sudo en versiones anteriores a 1.8.15 en Linux podría permitir a los usuarios locales evitar las restricciones de comandos noexec pretendidas a través de una aplicación que llama al (1) sistema o (2) a la función popen. It was discovered that the sudo noexec restriction could have been bypassed if applicatio... • http://rhn.redhat.com/errata/RHSA-2016-2872.html • CWE-184: Incomplete List of Disallowed Inputs CWE-284: Improper Access Control •