Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2010-0426 PoC — Sudo sudoedit命令本地权限提升漏洞

Source
https://github.com/t0kx/privesc-CVE-2010-0426
Associated Vulnerability
Title:Sudo sudoedit命令本地权限提升漏洞 (CVE-2010-0426)
Description:sudo 1.6.x before 1.6.9p21 and 1.7.x before 1.7.2p4, when a pseudo-command is enabled, permits a match between the name of the pseudo-command and the name of an executable file in an arbitrary directory, which allows local users to gain privileges via a crafted executable file, as demonstrated by a file named sudoedit in a user's home directory.
Description
Sudo 1.6.x <= 1.6.9p21 and 1.7.x <= 1.7.2p4 Local Privilege Escalation and vulnerable container
Readme
# Sudo 1.6.x<=1.6.9p21 and 1.7.x<=1.7.2p4 Local Privilege Escalation

Sudo (su "do") allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments.

## Vulnerable environment

To setup a vulnerable environment for your test you will need [Docker](https://docker.com) installed, and just run the following command:

    docker build -t privesc/cve-2010-0426 .
    docker run --rm -it privesc/cve-2010-0426

And it will spawn a interactive shell with low user privileges.

## Vulnerable code

The bug was found in sudoedit, which does not handle the 'sudoedit' command correctly, this allows a malicious user to replace the real sudoedit command with an arbitrary command.

Local attackers could exploit this issue to run arbitrary commands as the 'root' user. Successful exploits can completely compromise an affected computer.

## Exploit

To exploit this target just run:

    ./exploit.sh

If you are using this vulnerable image, you can just run:

	user@023b47ff82ca:~$ sudo -V
	Sudo version 1.7.2
	user@023b47ff82ca:~$ sudo -l
	User user may run the following commands on this host:
		(root) NOPASSWD: sudoedit /etc/fstab
	user@023b47ff82ca:~$ ./exploit.sh /etc/fstab
	[+] CVE-2010-0426 exploit by t0kx
	[+] Prepared sudoedit...
	[+] Run sudoedit
	root@023b47ff82ca:/tmp# id
	uid=0(root) gid=0(root) groups=0(root)
	root@023b47ff82ca:/tmp#


## Credits

This flaw was found by Slouching.

## Disclaimer

This or previous program is for Educational purpose **ONLY**. Do not use it without permission. The usual disclaimer applies, especially the fact that me (t0kx) is not liable for any damages caused by direct or indirect use of the information or functionality provided by these programs. The author or any Internet provider bears **NO** responsibility for content or misuse of these programs or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss, system crash, system compromise, etc.) caused by the use of these programs is not t0kx's responsibility.
File Snapshot

 [4.0K]  /data/pocs/7d1519260681c51211131dd9e06a8cbcc0131cd7
├── [ 847]  Dockerfile
├── [ 538]  exploit.sh
├── [ 34K]  LICENSE
└── [2.1K]  README.md

0 directories, 4 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →