verify-vm: per-module provisioner hook + old-mainline URL fallback
Adds tools/verify-vm/provisioners/<module>.sh hook so per-module setup
(build vulnerable sudo from source, drop polkit allow rule, add sudoers
grant) lives in checked-in scripts rather than manual VM steps. Vagrantfile
runs the script as root before build-and-verify if it exists.
Also fixes mainline kernel fetch to fall back from /v${KVER}/amd64/ to
/v${KVER}/ for old kernels (≤ ~4.15) where debs aren't under the amd64
subdir, and accepts both 'linux-image-' (old) and 'linux-image-unsigned-'
(new) deb names.
Wires up 4 previously-deferred targets to expect VULNERABLE:
- sudo_chwoot: builds sudo 1.9.16p1 from upstream into /usr/local
- udisks_libblockdev: installs udisks2 + polkit rule for vagrant user
- mutagen_astronomy: pins mainline 4.14.70 (one below the .71 fix)
- sudo_runas_neg1: adds (ALL,!root) sudoers grant
This commit is contained in:
Executable
+34
@@ -0,0 +1,34 @@
|
||||
#!/usr/bin/env bash
|
||||
# CVE-2025-32463 sudo --chroot NSS injection (Stratascale). Vulnerable
|
||||
# range is sudo [1.9.14, 1.9.17p0]. Ubuntu 22.04 ships 1.9.9 which
|
||||
# PREDATES the --chroot code path. Build sudo 1.9.16p1 from upstream
|
||||
# and install to /usr/local (which precedes /usr/bin in Ubuntu's default
|
||||
# PATH so plain `sudo` resolves to the vulnerable binary).
|
||||
set -e
|
||||
|
||||
export DEBIAN_FRONTEND=noninteractive
|
||||
apt-get install -y -qq libpam0g-dev libssl-dev wget make gcc >/dev/null
|
||||
|
||||
cd /tmp
|
||||
TARBALL=sudo-1.9.16p1.tar.gz
|
||||
URL="https://www.sudo.ws/dist/${TARBALL}"
|
||||
|
||||
if [ -x /usr/local/bin/sudo ] && /usr/local/bin/sudo --version 2>&1 | head -1 | grep -q "1.9.16p1"; then
|
||||
echo "[=] sudo 1.9.16p1 already at /usr/local/bin/sudo"
|
||||
else
|
||||
[ -f "${TARBALL}" ] || wget -q "${URL}"
|
||||
rm -rf sudo-1.9.16p1
|
||||
tar xzf "${TARBALL}"
|
||||
cd sudo-1.9.16p1
|
||||
# --sysconfdir=/etc so it honors the existing /etc/sudoers (vagrant's
|
||||
# NOPASSWD grant). --disable-shared keeps the build self-contained.
|
||||
./configure --prefix=/usr/local --sysconfdir=/etc \
|
||||
--disable-shared --quiet >/dev/null 2>&1
|
||||
make -j"$(nproc)" >/tmp/sudo-build.log 2>&1 || { tail -40 /tmp/sudo-build.log; exit 1; }
|
||||
make install >/tmp/sudo-install.log 2>&1 || { tail -40 /tmp/sudo-install.log; exit 1; }
|
||||
fi
|
||||
|
||||
# Verify what the unprivileged user's PATH resolves to.
|
||||
echo "[+] which sudo (root): $(which sudo)"
|
||||
echo "[+] /usr/local/bin/sudo version: $(/usr/local/bin/sudo --version | head -1)"
|
||||
sudo -u vagrant bash -c 'echo "[+] vagrant PATH: $PATH"; echo "[+] vagrant sees: $(which sudo)"; sudo --version | head -1'
|
||||
+16
@@ -0,0 +1,16 @@
|
||||
#!/usr/bin/env bash
|
||||
# CVE-2019-14287 needs a (ALL,!root) grant for find_runas_blacklist_grant()
|
||||
# to fire. Ubuntu 18.04 ships sudo 1.8.21p2 (in the vulnerable range) but
|
||||
# Vagrant's default sudoers doesn't include the grant. Add it.
|
||||
set -e
|
||||
|
||||
cat >/etc/sudoers.d/99-skk-runas-neg1 <<'EOF'
|
||||
vagrant ALL=(ALL,!root) NOPASSWD: /bin/vi
|
||||
EOF
|
||||
chmod 0440 /etc/sudoers.d/99-skk-runas-neg1
|
||||
|
||||
echo "[+] sudoers grant installed:"
|
||||
grep . /etc/sudoers.d/99-skk-runas-neg1
|
||||
echo
|
||||
echo "[+] sudo -ln -U vagrant tail:"
|
||||
sudo -ln -U vagrant 2>&1 | tail -10 || true
|
||||
+34
@@ -0,0 +1,34 @@
|
||||
#!/usr/bin/env bash
|
||||
# CVE-2025-6019 udisks/libblockdev SUID-on-mount (Qualys). Debian 12's
|
||||
# cloud image is server-oriented and doesn't ship udisks2. Install it,
|
||||
# and drop a polkit rule allowing the vagrant user to invoke the
|
||||
# affected action.ids — the real-world bug-path is "active console
|
||||
# user invokes loop-setup", and we don't have a graphical session in
|
||||
# Vagrant. The polkit rule simulates the trust polkit would give a
|
||||
# logged-in workstation user.
|
||||
set -e
|
||||
|
||||
export DEBIAN_FRONTEND=noninteractive
|
||||
apt-get install -y -qq udisks2 libblockdev-utils3 >/dev/null
|
||||
|
||||
mkdir -p /etc/polkit-1/rules.d
|
||||
cat >/etc/polkit-1/rules.d/49-skk-verify.rules <<'EOF'
|
||||
polkit.addRule(function(action, subject) {
|
||||
if (subject.user == "vagrant" &&
|
||||
(action.id == "org.freedesktop.UDisks2.loop-setup" ||
|
||||
action.id == "org.freedesktop.UDisks2.filesystem-mount" ||
|
||||
action.id == "org.freedesktop.UDisks2.filesystem-mount-other-seat" ||
|
||||
action.id == "org.freedesktop.UDisks2.modify-device")) {
|
||||
return polkit.Result.YES;
|
||||
}
|
||||
});
|
||||
EOF
|
||||
|
||||
systemctl enable udisks2.service >/dev/null 2>&1 || true
|
||||
systemctl restart udisks2.service
|
||||
sleep 2
|
||||
|
||||
echo "[+] udisks2 status:"
|
||||
systemctl is-active udisks2.service
|
||||
echo "[+] udisks2 version: $(dpkg-query -W -f='${Version}' udisks2)"
|
||||
echo "[+] libblockdev version: $(dpkg-query -W -f='${Version}' libblockdev-utils3 2>/dev/null || dpkg-query -W -f='${Version}' libblockdev-utils2)"
|
||||
Reference in New Issue
Block a user