On Linux systems, the sudo command is commonly used as a prefix before running commands that require superuser privileges. Prefixing a command with sudo lets the user execute it as a superuser, granting them elevated permissions. Essentially, this allows a user with the appropriate privileges to execute a command as another user, such as the superuser, similar to the "run as administrator" option in Windows. A flaw was discovered in the way sudo implemented executing commands with arbitrary user IDs. If a sudoers entry is created to let an attacker perform a command as any user other than root, the attacker can use this flaw to circumvent that restriction.
Execute "Is my host protected against CVE-2019-14287?" in Operator on each host in your environment to test whether you are vulnerable.
This chain will stage a Pneuma shell script and run it with elevated privileges by exploiting CVE-2019-14287.
We recommend updating sudo and its utilities to the latest version. To ensure your sudoers configuration is not affected by this vulnerability, we recommend examining each sudoers entry that includes the ! character in the runas specification, to ensure that the root user is not among the exclusions. These can be found in the /etc/sudoers file or in files under /etc/sudoers.d.
Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:
Download Prelude Operator: https://www.preludesecurity.com/products/operator
Try out Prelude Build: https://platform.preludesecurity.com/build
Try out Prelude Detect: https://www.preludesecurity.com/products/detect
See the latest kill chain and TTP Releases: https://chains.prelude.org
See our open-source repositories: https://github.com/preludeorg
Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg
Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://www.preludesecurity.com/blog
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg
David: https://twitter.com/privateducky
Alex: https://twitter.com/khyberspache
Octavia: https://twitter.com/VVX7
Waseem: https://twitter.com/gerbsec
Robin: https://twitter.com/bfuzzy1