When sudo is misconfigured, a local attacker can construct a special command to bypass the sudo restriction and execute arbitrary commands as root on the server. The practical exploitation scenario is local privilege escalation, so the risk is low.
Vulnerability description: when /etc/sudoers contains a configuration of the form *=(ALL, *), a local attacker can specify the user ID -1 or 4294967295 and thereby execute commands on the server with root privileges.
Severity rating: CVE-2019-14287, low
Affected versions: Sudo < 1.8.28
Remediation: upgrade sudo to version 1.8.28
Official advisory:
https://www.sudo.ws/alerts/minus_1_uid.html
Checking whether sudo is vulnerable:
$ sudo id
Sorry, user a is not allowed to execute '/bin/id' as root.
Privilege escalation succeeds:
$ sudo -u#-1 id
uid=0(root) gid=0(root) groups=0(root)
Behaviour after sudo is fixed:
$ sudo -u#-1 id -u
sudo: unknown user: #-1
sudo: unable to initialize policy plugin
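As an added example (not part of the original post), the two checks above can be scripted from the defender's side: compare the installed sudo version against the fixed 1.8.28 and scan sudoers for the Runas form the -u#-1 trick bypasses. The sudoers content below is a constructed sample, and the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): defender-side audit for
# CVE-2019-14287: is the installed sudo older than 1.8.28, and does sudoers
# carry a Runas spec of the (ALL, !root) form that the "-u#-1" trick bypasses?
# version_lt A B: exit 0 if dotted version A is older than B.
# A suffix such as "p2" in 1.8.16p2 is ignored (compared as 1.8.16).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= n || i <= m; i++) {
      xa = (i <= n) ? x[i] + 0 : 0
      yb = (i <= m) ? y[i] + 0 : 0
      if (xa < yb) exit 0
      if (xa > yb) exit 1
    }
    exit 1 }'
}

# sudo_version_vulnerable V: exit 0 if sudo version V is below the fixed 1.8.28.
sudo_version_vulnerable() {
  version_lt "$1" "1.8.28"
}

# risky_runas_lines: read sudoers text on stdin and print the non-comment lines
# whose Runas spec is of the (ALL, !root) form; a plain (ALL) already permits root.
risky_runas_lines() {
  grep -v '^[[:space:]]*#' | grep -E '\(ALL[^)]*![^)]*\)'
}

# Constructed sample sudoers content (not taken from any real system).
SAMPLE_SUDOERS='# constructed sample
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
bob ALL=(ALL, !root) /usr/bin/vi
alice ALL=(ALL) NOPASSWD: /bin/ls'

# Live check of this host ("sudo -V" prints "Sudo version X.Y.Z" on line 1).
audit_live_sudo() {
  ver=$(sudo -V 2>/dev/null | awk 'NR == 1 { print $3 }')
  [ -n "$ver" ] || { echo "sudo not found"; return 2; }
  if sudo_version_vulnerable "$ver"; then
    echo "sudo $ver is older than 1.8.28: exposed to CVE-2019-14287"
  else
    echo "sudo $ver is 1.8.28 or newer"
  fi
  [ -r /etc/sudoers ] && risky_runas_lines < /etc/sudoers
}
# Demonstration on the constructed sample: prints only the bob line.
printf '%s\n' "$SAMPLE_SUDOERS" | risky_runas_lines
```

Run audit_live_sudo as root on a real host to check its own sudo binary and /etc/sudoers.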
Download the latest official 1.8.28 package:
URL: https://www.sudo.ws/download.html
Building and installing from the source tarball:
tar -xzvf sudo-1.8.28.tar.gz
cd sudo-1.8.28 && ./configure && make && make install
cp /usr/local/bin/sudo /usr/bin/sudo
CentOS 7 install:
rpm -Uvh sudo-1.8.28-1.el7.x86_64.rpm
CentOS 6 install:
rpm -Uvh sudo-1.8.28-1.el6.x86_64.rpm
Ubuntu 16 install:
dpkg --force-confdef -i sudo_1.8.28-1_ubu1604_amd64.deb
Ubuntu 18 install:
dpkg --force-confdef -i sudo_1.8.28-1_ubu1804_amd64.deb
On Ubuntu 16 the installation prompts interactively; the default is to leave the existing sudoers configuration file unchanged:
# dpkg -i sudo_1.8.28-1_ubu1604_amd64.deb
(Reading database ... 102664 files and directories currently installed.)
Preparing to unpack sudo_1.8.28-1_ubu1604_amd64.deb ...
Unpacking sudo (1.8.28-1) over (1.8.28-1) ...
dpkg: error processing archive --force-confdef (--install):
cannot access archive: No such file or directory
Setting up sudo (1.8.28-1) ...
Configuration file '/etc/sudoers'
==> Modified (by you or by a script) since installation.
==> Package distributor has shipped an updated version.
What would you like to do about it ? Your options are:
Y or I : install the package maintainer's version
N or O : keep your currently-installed version
D : show the differences between the versions
Z : start a shell to examine the situation
The default action is to keep your current version.
*** sudoers (Y/I/N/O/D/Z) [default=N] ?
To suppress the prompt, add the --force-confdef option:
# dpkg --force-confdef -i sudo_1.8.28-1_ubu1604_amd64.deb
(Reading database ... 166735 files and directories currently installed.)
Preparing to unpack sudo_1.8.28-1_ubu1604_amd64.deb ...
Unpacking sudo (1.8.28-1) over (1.8.16-0ubuntu1.5) ...
Setting up sudo (1.8.28-1) ...
Installing new version of config file /etc/pam.d/sudo ...
Configuration file '/etc/sudoers'
==> Modified (by you or by a script) since installation.
==> Package distributor has shipped an updated version.
==> Keeping old config file as default.
Processing triggers for man-db (2.7.5-1) ...
With that the installation completes directly, with no prompt.
If the error cpio: rename failed - Operation not permitted appears, the files are protected by the immutable attribute; temporarily remove the i attribute from them:
chattr -i /usr/bin/sudo
chattr -i /usr/bin/sudoreplay
chattr -i /usr/sbin/visudo
After the installation, remember to put the i attribute back:
chattr +i /usr/bin/sudo
chattr +i /usr/bin/sudoreplay
chattr +i /usr/sbin/visudo