sudoedit

Sudo 1.6.x<=1.6.9p21 and 1.7.x<=1.7.2p4 Local Privilege Escalation

if you can execute sudoedit as a root user, you maybe able to escalate privileges.

check the sudo version

sudo -V

GitHub - t0kx/privesc-CVE-2010-0426: Sudo 1.6.x <= 1.6.9p21 and 1.7.x <= 1.7.2p4 Local Privilege Escalation and vulnerable containerGitHub

make sure to check the version. depending on the version the bash script exploit won't work.

Sudo 1.8.14 (RHEL 5/6/7 / Ubuntu) - 'Sudoedit' Unauthorized Privilege EscalationExploit Database

For example, let's say that the sudo -l shows the following output.

ALL=(root) NOPASSWD: sudoedit /var/www/html/current_user/examples/*/*/page.html

And we have a writable access within "/var/www/html/current_user/examples/tmp/" directory as a current logged on user. This means we just need to create another directory under tmp

Here's the example of what we can do in this situation.

/var/www/html/current_user/examples/tmp/newdir/

Now with this newly created path, we should be able to view and edit files with sudoedit, since we will have the sudo power. One thing we could do is to edit the /etc/passwd file and add a user with root privilege.

To do this, we can first create a symbolic link to connect page.html and /etc/passwd.

ln -s /etc/passwd page.html

This creates a file within the current directory called page.html and softlink it to /etc/passwd, which means page.html can access /etc/passwd data bits!

Now let's edit the page.html so that we can manipulate /etc/passwd.

sudoedit /var/www/html/current_user/examples/tmp/newdir/page.html
#if it asks for a password, you may not be in the writable directory or 
you didn't follow the sudo -l rule.

Previoussudo -l wins!Nextno_root_squash!

Last updated 2 years ago