Joe Vennix - Security Researcher - Exploit Intelligence Platform

CVE-2019-18634 NOMISEC HIGH WORKING POC

Sudo <1.8.26 - Buffer Overflow

In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS; however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c.

58 stars

CVSS 7.8

View Code

CVE-2019-14287 NOMISEC HIGH WORKING POC

Sudo <1.8.28 - Privilege Escalation

In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a "sudo -u \#$((0xffffffff))" command.

1 stars

CVSS 8.8

View Code

CVE-2019-14287 EXPLOITDB HIGH python WORKING POC

Sudo <1.8.28 - Privilege Escalation

In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a "sudo -u \#$((0xffffffff))" command.

CVSS 8.8

View Code

CVE-2019-18634 EXPLOITDB HIGH text WORKING POC

Sudo <1.8.26 - Buffer Overflow

In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS; however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c.

CVSS 7.8

View Code