https://thehackernews.com/2019/10/linux-sudo-run-as-root-flaw.html
Affected version of sudo:
And before
To demonstrate this exploit I'll create a new user on my box and name it temp.
After setting the account up, let's make sure it is restricted from running commands as root on the box. Test this by trying to execute `sudo -u root id`.
Sidenote: if the command succeeds, the configuration is not yet in place and the user has no restrictions on their sudo. For the exploit to be applicable we have to enable these restrictions; the config file is shown further below.
So as we can see here, the temp user cannot run the id command as root.
Let's see how this is defined in our sudo config file.
By entering ‘visudo’ (run as root!) we can edit the restrictions on sudo.

‘temp ALL=(ALL, !root) ALL’ is the rule we're looking for.
This rule means the temp user can run sudo as any user on the system except root (defined by !root, which literally means “NOT root”). The ‘ALL’ value at the end means every command can be sudo'd, but again, not as the root user.
Let's look at some examples.

The first command shows us the user we are at that moment: ‘temp’.
When we try to run that command elevated (as root) we get an error, because that is what we specified in our rule.
Instead of specifying the run-as user by name we can use -u#<id> to do so. If we pass an invalid user ID we can bypass the rule on the root user: root will always be ID 0, and if we use -1 or 4294967295 as the ID it returns a value of 0 and thus the root ID. This bypasses the rule we applied and the command gets executed anyway (see screenshot above).
Now we can use that to turn a shell as a normal user into a root shell with only the user's own password.
An example is given in the next screenshot.

And we have root rights. Simple as that.
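As an added example (not code from the original post), here is a small audit that scans sudoers text for the rule form walked through above, a runas list of ALL with root negated, which is exactly the configuration that the -u#-1 trick turns into a root shell. The sudoers content is a constructed sample, and the parser only handles plain User_Spec lines with an explicit `(runas)` part; aliases and inline comments are not expanded.

```python
import re
from typing import Dict, List

# Constructed sample sudoers content (not taken from any real system); the
# "temp ALL=(ALL, !root) ALL" line is the rule form the post discusses.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
temp    ALL=(ALL, !root) ALL
backup  ALL=(www-data) /usr/bin/rsync
"""

# User_Spec line: <user> <host>=(<runas>) <commands>
# Lines without an explicit (runas) default to root and are not our concern here.
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*\(([^)]*)\)\s*(.*)$")

def parse_runas(spec: str) -> Dict[str, List[str]]:
    """Split a Runas_Spec "users[:groups]" into allowed and negated user entries."""
    users = spec.split(":", 1)[0]  # the optional ":groups" part is ignored
    allowed, negated = [], []
    for item in (s.strip() for s in users.split(",") if s.strip()):
        if item.startswith("!"):
            negated.append(item.lstrip("!").strip())
        else:
            allowed.append(item)
    return {"allowed": allowed, "negated": negated}

def find_risky_runas(sudoers_text: str) -> List[str]:
    """Return rule lines that grant runas ALL but rely on negating root.

    Such rules depend on the '!' exclusion holding, which is what the
    -u#-1 / -u#4294967295 bypass defeats; they should be rewritten as a
    positive list of the users the account may actually run as.
    """
    risky = []
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults", "@")):
            continue  # comments, #include lines, Defaults and blanks
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = parse_runas(m.group(3))
        negates_root = any(n in ("root", "#0") for n in runas["negated"])
        if "ALL" in runas["allowed"] and negates_root:
            risky.append(line)
    return risky
```

A hit means the rule only works if the negation holds, so replace it with an explicit runas list such as `(www-data)` instead of trusting `!root`.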

Awesome post and great explanation! I enjoyed reading it. Good job!