Just putting some things together regarding the latest “sudo” exploit. If you haven't heard yet, there is a new exploit that allows running commands as root in a particular configuration. More details: https://www.openwall.com/lists/oss-security/2019/10/14/1 and https://thehackernews.com/2019/10/linux-sudo-run-as-root-flaw.html (1/4)
Although the exploit is pretty cool, the actual implementation of it in-the-wild is probably quite rare. A brief explanation: https://twitter.com/marcan42/status/1184134959268675584?s=19 … (2/4)
Omri Segev Moyal added,
Hector Martin @marcan42: Can we please stop talking about that sudo bug? It only affects systems using an insane configuration (allow $command as anyone *but* root). I can't come up with any situation where that configuration makes any sense (vs e.g. "allow $command as any member of a given group").
Also, I have seen the misuse of @MITREattack here. Instead of using "T1068 - Exploitation for Privilege Escalation", people mistake it for "T1169 - Sudo". The mitigations and detection for each are quite different. (3/4)
Finally, for hunters and blue teams, the following regexp can be used to query/monitor for traces of this exploit: '(?:-u#-1|-u#4294967295)' (4/4)
Also, a quick test of whether you're potentially vulnerable would be to run the following command and see if "!root" is inside the sudoers file: $ grep '!root' /etc/sudoers
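Both checks from this thread, the -u#-1 hunt regex in tweet 4/4 and the sudoers grep above, as an added Python example that is not part of the thread or of sudo itself. The command-line records and the sudoers text are constructed for the example; the widened regex (tolerating a space, quotes or the --user= form), the handling of #uid and #include lines, and the function names are this example's own assumptions:

```python
"""Hunt helpers for the sudo "-u#-1" Runas bypass (added example, not from the thread).

Two checks:
  1. scan command-line telemetry for the uid -1 / 4294967295 trick the thread's
     regex looks for;
  2. scan sudoers text for Runas lists that exclude root ("ALL, !root"),
     the configuration the bug needs.
"""
import re
from typing import List, Tuple

# The thread's pattern '(?:-u#-1|-u#4294967295)', widened (assumption of this
# example) so that a space, quotes or the long --user form do not slip past it.
# The '#' is what makes sudo treat the value as a numeric uid, so '-u 4294967295'
# (no '#') is deliberately not matched.
EXPLOIT_RE = re.compile(r"""(?:-u|--user[= ])\s*["']?#\s*(?:-1|4294967295)\b""")

# A parenthesised Runas list that negates root, e.g. (ALL, !root) or (ALL, !#0).
NEGATED_ROOT_RE = re.compile(r"\(\s*[^)]*!\s*(?:root|#0)\b[^)]*\)")

# Constructed process-creation records, not real logs: "<timestamp> <user> <cmdline>".
SAMPLE_EVENTS = [
    "2019-10-14T10:00:01 bob sudo -u#-1 /bin/bash",
    "2019-10-14T10:00:02 bob sudo -u#4294967295 id",
    "2019-10-14T10:00:03 bob sudo -u '#-1' /bin/sh",
    "2019-10-14T10:00:04 bob sudo --user=#-1 /usr/bin/vi /etc/shadow",
    "2019-10-14T10:00:05 alice sudo -u www-data /usr/bin/id",
    "2019-10-14T10:00:06 alice sudo -u#1000 /usr/bin/id",
    "2019-10-14T10:00:07 root useradd -u 4294967295 ghost",
]

# Constructed sudoers text for the example, not taken from a real host.
SAMPLE_SUDOERS = """\
# constructed sudoers for the example
Defaults    env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
# bob  ALL=(ALL, !root) /usr/bin/vi   (commented out: must not count)
bob     ALL=(ALL, !root) /usr/bin/vi
carol   ALL=(ALL, \\
        !#0) /usr/bin/id
dave    ALL=(www-data) /usr/bin/id   # safe: positive Runas list
#includedir /etc/sudoers.d
"""


def exploit_attempts(events: List[str]) -> List[str]:
    """Return the records whose command line carries the uid -1 trick."""
    return [e for e in events if EXPLOIT_RE.search(e)]


def logical_lines(text: str) -> List[Tuple[int, str]]:
    """Join backslash continuations and strip comments, keeping #include
    directives and #uid forms; returns (first line number, logical line)."""
    out, buf, start = [], "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = n
        if raw.rstrip().endswith("\\"):          # continuation line
            buf += raw.rstrip()[:-1] + " "
            continue
        line, buf = (buf + raw).strip(), ""
        if line.startswith("#include"):          # directive, not a comment
            out.append((start, line))
            continue
        line = re.sub(r"#(?!\d).*", "", line).strip()  # comment, but keep #uid
        if line:
            out.append((start, line))
    return out


def negated_root_runas(sudoers_text: str) -> List[Tuple[int, str]]:
    """Return (line number, spec) for every Runas list that excludes root."""
    return [(n, line) for n, line in logical_lines(sudoers_text)
            if NEGATED_ROOT_RE.search(line)]


if __name__ == "__main__":
    for hit in exploit_attempts(SAMPLE_EVENTS):
        print("exploit attempt:", hit)
    for n, spec in negated_root_runas(SAMPLE_SUDOERS):
        print(f"risky Runas spec at line {n}: {spec}")
```

On a real host, feed negated_root_runas() the contents of /etc/sudoers and of every file under /etc/sudoers.d, since the #includedir line pulls those in and a plain grep of /etc/sudoers alone will miss them.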
Note that if you use a construct with 'ALL, !root' (which is required to be vulnerable) then you're probably vulnerable *anyway* even when sudo is working as intended, unless you've somehow ascertained that there are zero escalation paths from every non-root user to root.