CVE-2019-18634 – Sudo 1.8.25p - 'pwfeedback' Buffer Overflow (PoC)
https://notcve.org/view.php?id=CVE-2019-18634
In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS; however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c. En Sudo anterior a la versión 1.8.26, si pwfeedback está habilitado en / etc / sudoers, los usuarios pueden desencadenar un desbordamiento de búfer basado en pila en el proceso de sudo privilegiado. (pwfeedback es una configuración predeterminada en Linux Mint y sistema operativo elemental; sin embargo, NO es el valor predeterminado para paquetes ascendentes y muchos otros, y existiría solo si lo habilita un administrador). • https://www.exploit-db.com/exploits/47995 https://www.exploit-db.com/exploits/48052 https://github.com/Plazmaz/CVE-2019-18634 https://github.com/aesophor/CVE-2019-18634 https://github.com/N1et/CVE-2019-18634 https://github.com/ptef/CVE-2019-18634 https://github.com/paras1te-x/CVE-2019-18634 https://github.com/chanbakjsd/CVE-2019-18634 https://github.com/DDayLuong/CVE-2019-18634 http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00029.html http://pa • CWE-121: Stack-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVE-2019-19232 – sudo: attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user
https://notcve.org/view.php?id=CVE-2019-19232
In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions ** EN DISPUTA ** En Sudo hasta 1.8.29, un atacante con acceso a una cuenta de sudoer Runas ALL puede suplantar a un usuario inexistente invocando sudo con un uid numérico que no está asociado con ningún usuario. NOTA: El responsable del software cree que esto no es una vulnerabilidad porque ejecutar un comando a través de sudo como un usuario que no está presente en la base de datos de contraseñas local es una característica intencional. • http://seclists.org/fulldisclosure/2020/Mar/31 https://access.redhat.com/security/cve/cve-2019-19232 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I6TKF36KOQUVJNBHSVJFA7BU3CCEYD2F https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58103 https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58812 https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs • CWE-284: Improper Access Control •
CVE-2019-19234 – sudo: by using ! character in the shadow file instead of a password hash can access to a run as all sudoer account
https://notcve.org/view.php?id=CVE-2019-19234
In Sudo through 1.8.29, the fact that a user has been blocked (e.g., by using the ! character in the shadow file instead of a password hash) is not considered, allowing an attacker (who has access to a Runas ALL sudoer account) to impersonate any blocked user. NOTE: The software maintainer believes that this CVE is not valid. Disabling local password authentication for a user is not the same as disabling all access to that user--the user may still be able to login via other means (ssh key, kerberos, etc). Both the Linux shadow(5) and passwd(1) manuals are clear on this. • https://access.redhat.com/security/cve/cve-2019-19234 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I6TKF36KOQUVJNBHSVJFA7BU3CCEYD2F https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58104 https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58473 https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58772 https://quickview.cloudapps.cisco.com/quickview& • CWE-284: Improper Access Control •
CVE-2019-18684
https://notcve.org/view.php?id=CVE-2019-18684
Sudo through 1.8.29 allows local users to escalate to root if they have write access to file descriptor 3 of the sudo process. This occurs because of a race condition between determining a uid, and the setresuid and openat system calls. The attacker can write "ALL ALL=(ALL) NOPASSWD:ALL" to /proc/#####/fd/3 at a time when Sudo is prompting for a password. NOTE: This has been disputed due to the way Linux /proc works. It has been argued that writing to /proc/#####/fd/3 would only be viable if you had permission to write to /etc/sudoers. • https://gist.github.com/oxagast/51171aa161074188a11d96cbef884bbd • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2019-14287 – sudo 1.8.27 - Security Bypass
https://notcve.org/view.php?id=CVE-2019-14287
In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a "sudo -u \#$((0xffffffff))" command. En Sudo anteriores a 1.8.28, un atacante con acceso a una cuenta Runas ALL sudoer puede omitir ciertas listas negras de políticas y módulos PAM de sesión, y puede causar un registro incorrecto, mediante la invocación sudo con un ID de usuario creado. Por ejemplo, esto permite la omisión de la configuración root y el registro USER= para un comando "sudo -u \#$((0xffffffff))". • https://www.exploit-db.com/exploits/47502 https://github.com/n0w4n/CVE-2019-14287 https://github.com/shallvhack/Sudo-Security-Bypass-CVE-2019-14287 https://github.com/CMNatic/Dockerized-CVE-2019-14287 https://github.com/axax002/sudo-vulnerability-CVE-2019-14287 https://github.com/N3rdyN3xus/CVE-2019-14287 https://github.com/DewmiApsara/CVE-2019-14287 https://github.com/MariliaMeira/CVE-2019-14287 https://github.com/edsonjt81/CVE-2019-14287- https://github.com/SachinthaDeSilva-cmd& • CWE-267: Privilege Defined With Unsafe Actions CWE-755: Improper Handling of Exceptional Conditions •