Hello, how's it going, everybody? This is a video on CVE-2019-14287. I'm here with my buddy Caleb, because it's dangerous to go alone.

So this is a vulnerability regarding sudo, or the "superuser do" command that you will typically often run and see on Linux to have some administrator privileges, run things as root or as another user. And this is in regards to the patch that came in version 1.8.28. It got released today, at the time of recording, October 14, 2019.

So it's interesting in that the flaw that you might see was, you're working with visudo or editing /etc/sudoers, that file there, if you happen to note that you have the ability, or the user that you're working with has the ability, to run commands... is it as other users? Is that right?

Yeah, so it's as all users, not root. It has to specifically have ALL in the user specification.

So in this syntax that they showcase, they have "myhost" here as kind of a prefix, which I haven't seen the need for in mine. But the username that you're working with, and then in that run-as segment that specifies what user they could be, as long as ALL is in there for whatever case, and then a command that they might be able to run, or again ALL. You could manipulate that when you use -u or --user to specify what user you're gonna run as. You can normally run as another user, but if it has maybe an exclusion for root, as in "don't let this user run as root", you can abuse that if you were to specify, let's use a user ID value, negative one, or, let's see, you said it's other... What is it? Yeah, is that two's complement? Is that the thing that does that?

I mean, it's just like the... it's two to the 32 minus one. It's the equivalent of negative one.
Okay, just because it's wrapped around.

Yeah, yeah, yeah. That will actually return zero, which will let you use that root user identifier, or user ID, and then we could essentially run commands.

So what John said there, he's talking about returning zero. What it's actually referring to, which the actual CVE talks about, but basically, when they actually change the UID, sudo uses the function setuid, and probably a couple of the other ones as well, but that whole family of functions, to change the user ID of the currently running process to a different user ID. And it just passes whatever you give it as the user ID, if you give it a number, to that function. So normally what would happen, because it says ALL, it doesn't check to make sure that that user actually exists. It's just gonna pass it on, and if it doesn't exist, then setuid will fail, and it will fail. In the case of passing negative one, the actual standard says that setuid will not fail. It will return zero if you pass it negative one. So what happens is that it thinks it succeeded and it continues on, and since sudo itself was running as root, the UID didn't change, because that was a valid... and it will just continue on and run your command as root.

So that's kind of cool. A neat side effect that John was just highlighting there is that, because sudo thinks that it succeeded, all the logs will say that it ran as a UID of negative one, or 4.2 billion or whatever. All the logs won't actually say root. They'll say that other UID that you passed it. It's kind of an interesting side effect.

So this patch was supposed to be just dropped today for sudo 1.8.28, and I have not updated yet. So let's go ahead and see if we can kind of recreate that and play with it. If I were to check out the version of my sudo and see, I'm running 1.8.27. So if I were to fire up the user, let's add... What is it, you want to use temp or something? We were just tinkering with this.
We thought, like, hey, that'd be cool to just throw it in a little video. So yeah, yeah, yeah, whatever. That's fine.

Now we can visudo to edit our /etc/sudoers, and I was testing this with the user Doug. So let's use temp, and that specification was... all right.

Yeah, so the actual CVE, it specifies in a weird syntax. Yeah, normally host, or, the user is first and then host is second. So I don't know if that's... there's something else I'm missing.

Okay, okay, so I'm looking case you're saying user temp, space, ALL, so any host, equals, and then that's... Let's just use id as an example. Does that work?

Sure. Yeah, but not root in there.

Oh, yes, that's the whole point. Well, let's, I guess, showcase why that works with a little temporary thing. For those of you that are curious, I'm just looking at seclists.org. If you were to Google simply that CVE number, you should be able to track it down and find some other articles or blogs or stuff talking about it. So let me have this in a showcasing syntax here, just so we can understand why, or what the vulnerability really does, show it could do, if that makes sense.

I'm not sure what you mean.

Okay. Yeah, yeah, yeah. So if I were in another user, let's switch, su to temp.

Yep.

And then we'll use this password. So now I am that temporary user. If I were to just sudo, I could run anything, right? So id.

Well, you can specifically run id as anyone.

Yeah. But other commands like whoami would not be able to execute. So I could do that as any user that I particularly wanted to, if I wanted to use that as John, my account, and I knew that I could do that without prompting for a password. But if that situation were different, let's exit out, where I had visudo and we were specifically excluding root, let's say anyone except that root user can run the id command. That's nice and dandy.
Let's switch to temp now. So I could sudo -u john and then I could run id just fine. But I would not be able to use that as the root user, obviously. However, with this vulnerability that we just understood, we can specify a number.

Yep.

-u and that number sign there. If we were to use negative one, or that, like, 4.2 billion you said, 4.2...

We have something like that, two to 32 minus one. Negative one.

We do end up running that as root. So obviously we don't have as much privilege with that as we would have if, in that visudo, we had a little bit more access and we could just run any command as all users. We could... finish your thought, and then I had a question. Swap out?

Yeah, cool. All right. We'll do some ice-breaking. So as sudo -u negative one, and now we should be able to run in bash and just get a root shell. You can see my prompt over there.

Yeah, cool. I have a question. Say if you had, instead of "not root", if you did like "not John", would the same thing work?

That's peculiar. If it just says "not John", would you then also be able to run as root? I would assume.

I think it will work.

Yeah. Then bash... root. Cool, it's kind of an interesting thing. Although I guess you would be able to run it as root at that point.

Right, right. Maybe it's another exclusive thought.

Yeah, so I don't know how much mileage you might get out of this. Maybe you won't particularly see that exact syntax in an /etc/sudoers file, but if you ever do, hey, now you know one potential avenue. Yeah, you could take advantage of that with. So let me go ahead and get rid of that temp user before I accidentally give someone some unintentional access to my machine. But you should, as we kind of discussed, go ahead and update to 1.8.28, as that is released and rolled out. So, some current events, some cool stuff. Hope you guys enjoyed this video, kind of quick, small showcase, but I hope you liked it. I'll see you in the next video. Okay.