BIPI

Sudo Misconfiguration Exploitation: NOPASSWD, env_keep, and CVE Chains

Cybersecurity

A practical walkthrough of sudo misconfigurations that operators actually find in the wild, from lazy NOPASSWD entries to env_keep abuse and the CVE-2019-14287 user spoof.

By Arjun Raghavan, Security & Systems Lead, BIPI · March 8, 2025 · 9 min read

#linux #sudo #privesc #cve-2019-14287 #pwnkit

sudo -l is the first command, always

Before you spelunk through SUID binaries or kernel CVEs, run sudo -l -n. The -n flag makes sudo fail immediately instead of prompting when a password is required, which is what you want during enumeration. Many operators waste an hour on enumeration before noticing the user can already run ALL with NOPASSWD.

NOPASSWD with a wide command

  • (ALL) NOPASSWD: ALL is instant root via sudo su
  • (root) NOPASSWD: /usr/bin/vim, see GTFOBins for the :!/bin/sh escape
  • (root) NOPASSWD: /usr/bin/find /var/log/, abuse with -exec /bin/sh \;
  • (root) NOPASSWD: /bin/bash, no commentary needed
  • (root) NOPASSWD: /usr/bin/apt update, then apt with hook abuse

Wildcards and path traversal

A common misconfiguration is allowing sudo on a script via a wildcard, for example (root) NOPASSWD: /opt/scripts/*.sh. Drop a writable sh file in /opt/scripts or use path traversal in the argument to point at your own script.

env_keep abuse

  • Defaults env_keep += LD_PRELOAD lets you load a malicious shared object
  • Defaults env_keep += PYTHONPATH lets you hijack imports in any sudo python call
  • Defaults env_keep += BASH_ENV is a classic for bash script targets
  • Check /etc/sudoers and every file in /etc/sudoers.d for env_keep lines
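The checks in the three sections above (NOPASSWD on ALL or on escape-capable binaries, wildcards in command paths, and env_keep preserving loader and interpreter variables) can be scripted. The following sudoers audit is an added example, not code from the BIPI post; the rule names, severity labels, the SHELL_LIKE and DANGEROUS_ENV sets and the sample sudoers text are constructed for illustration. It also flags the (ALL, !root) runas form that the CVE-2019-14287 section below relies on.

```python
"""Added example: flag the sudoers patterns discussed in the post.
Run it against a real host with:  sudo cat /etc/sudoers /etc/sudoers.d/* | python3 sudoers_audit.py
Limitations: one entry per line (no backslash continuations), and uid-style specs
such as "#1000 ALL=..." are skipped as comments.
"""
import re
import sys

# Binaries from the post's list that give a shell or a trivial escape (constructed set).
SHELL_LIKE = {"/bin/bash", "/bin/sh", "/usr/bin/vim", "/usr/bin/find",
              "/usr/bin/apt", "/usr/bin/python3"}
# Variables the post singles out; keeping them lets the caller decide what root loads.
DANGEROUS_ENV = {"LD_PRELOAD", "LD_LIBRARY_PATH", "PYTHONPATH", "BASH_ENV", "PERL5LIB"}

# user|%group  host = (runas[:rungroup]) [TAG:] command[, command ...]
USER_SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")
ENV_KEEP = re.compile(r'^Defaults\b.*\benv_keep\s*\+?=\s*"?(?P<vars>[^"]+)"?\s*$')
TAG = re.compile(r"\b(?:NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|"
                 r"NOLOG_INPUT|LOG_OUTPUT|NOLOG_OUTPUT|MAIL|NOMAIL|FOLLOW|NOFOLLOW):\s*")


def audit(text):
    """Return a list of (line_no, severity, message) for risky sudoers entries."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENV_KEEP.match(line)
        if m:
            for var in sorted(set(m.group("vars").split()) & DANGEROUS_ENV):
                findings.append((n, "HIGH", f"env_keep preserves {var}"))
            continue
        if line.startswith("Defaults"):
            continue  # other Defaults lines are out of scope for this example
        m = USER_SPEC.match(line)
        if not m or m.group("who") == "root":
            continue  # root may run ALL; that is not a finding
        who, runas = m.group("who"), m.group("runas") or "root"
        nopasswd = "NOPASSWD:" in m.group("rest")
        if "!root" in runas.replace(" ", ""):
            findings.append((n, "HIGH", f"{who}: runas excludes root, "
                             "bypassable with -u#-1 on sudo < 1.8.28"))
        for cmd in TAG.sub("", m.group("rest")).split(","):
            cmd = cmd.strip()
            binary = cmd.split()[0] if cmd else ""
            if cmd == "ALL":
                findings.append((n, "CRITICAL" if nopasswd else "HIGH",
                                 f"{who}: ALL commands" + (" without a password" if nopasswd else "")))
            elif "*" in cmd:
                findings.append((n, "HIGH", f"{who}: wildcard in {cmd}"))
            elif binary in SHELL_LIKE:
                findings.append((n, "HIGH", f"{who}: {binary} can spawn a shell"))
            elif nopasswd:
                findings.append((n, "LOW", f"{who}: NOPASSWD on {cmd}"))
    return findings


# Constructed sample, not a real host's sudoers.
SAMPLE = """\
# constructed sample
Defaults env_reset
Defaults env_keep += "LD_PRELOAD PYTHONPATH"
root ALL=(ALL:ALL) ALL
deploy ALL=(ALL) NOPASSWD: ALL
backup ALL=(root) NOPASSWD: /opt/scripts/*.sh
ops ALL=(root) NOPASSWD: /usr/bin/find /var/log/
www ALL=(ALL, !root) /usr/bin/vim
alice ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
"""

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for line_no, severity, message in audit(text):
        print(f"line {line_no}: {severity}: {message}")
```

On the constructed sample the script reports the env_keep variables, the NOPASSWD: ALL entry as CRITICAL, the wildcard, the find and vim entries, the !root runas, and the systemctl entry as a LOW informational hit. The visudo -c check from the hardening section only validates syntax; a scanner like this is what catches entries that parse fine but grant too much.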

CVE-2019-14287, the user ID minus one

On sudo before 1.8.28, when a sudoers entry allows running a command as any user except root, the runas check could be bypassed with sudo -u#-1 command. The kernel treats uid -1 as "leave unchanged", so the already-root sudo process stayed root. Old, but it still pops up on long-lived servers and embedded systems.

CVE-2021-3156 Baron Samedit

Heap buffer overflow in sudo when parsing command line arguments in shell mode. Affects sudo 1.8.2 through 1.9.5p1. A local user with no sudo privileges at all can get root. Patched widely in early 2021 but unpatched embedded gear is still out there.

PwnKit, related but not sudo

CVE-2021-4034 in pkexec is technically Polkit, not sudo, but it gets bundled with sudo writeups because it is the same kind of local root. pkexec is SUID root on nearly every Linux distro. If the host is unpatched, this is your fastest path.

Detection and hardening

  • Audit sudoers with visudo -c and a config scanner like sudo-parser
  • Remove env_keep entries unless there is a documented reason
  • Replace wildcards in sudoers with explicit command paths
  • Patch sudo to the latest stable, pin via package holds on critical hosts
  • auditd rule on sudo execve with -u#-1 to catch CVE-2019-14287 attempts

Most sudo findings are not zero days, they are sudoers files that grew over five years and no one re-reads.
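Two of the hardening points above, patch level and the -u#-1 audit signal, can be checked from a script. This is an added example, not the post's or the sudo project's code: exposure() compares a sudo --version string against the affected ranges quoted in the two CVE sections, and scan_auth_log() looks through sudo and auditd lines for a runas target of -1 or its unsigned form 4294967295. The sample log lines are constructed; the regex and version tuples are assumptions of this example.

```python
"""Added example: CVE exposure by version, and -u#-1 detection in log lines."""
import re

def parse_version(s):
    """'Sudo version 1.8.27p1' -> (1, 8, 27, 1); a missing patch level counts as 0."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", s)
    if not m:
        raise ValueError(f"no sudo version found in {s!r}")
    return tuple(int(x or 0) for x in m.groups())


def exposure(version_str):
    """Return the CVE ids whose affected range (as stated in the post) contains this version.
    Vendor backports keep old version strings, so treat a hit as a lead, not proof."""
    v = parse_version(version_str)
    issues = []
    if v < (1, 8, 28, 0):                      # CVE-2019-14287: fixed in 1.8.28
        issues.append("CVE-2019-14287")
    if (1, 8, 2, 0) <= v <= (1, 9, 5, 1):      # CVE-2021-3156: 1.8.2 through 1.9.5p1
        issues.append("CVE-2021-3156")
    return issues


# Matches "USER=4294967295" or "USER=#-1" in sudo's own log line, and a fused
# "-u#-1" / "-u#4294967295" argument in an auditd EXECVE record.
RUNAS_MINUS_ONE = re.compile(r"(?:USER=|-u\s*)#?(?:-1|4294967295)\b")


def scan_auth_log(lines):
    """Return (line_no, line) pairs whose runas target is uid -1 / 4294967295."""
    return [(i, line) for i, line in enumerate(lines, 1) if RUNAS_MINUS_ONE.search(line)]


# Constructed sample lines in the shape of syslog sudo entries and an auditd EXECVE record.
SAMPLE_LOG = [
    "Mar  8 10:02:11 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; "
    "COMMAND=/usr/bin/systemctl restart nginx",
    "Mar  8 10:03:40 web01 sudo:      www : TTY=pts/1 ; PWD=/var/www ; USER=4294967295 ; "
    "COMMAND=/usr/bin/id",
    'type=EXECVE msg=audit(1741428230.112:9001): argc=3 a0="sudo" a1="-u#-1" a2="/usr/bin/id"',
    "Mar  8 10:05:02 web01 sudo:      www : TTY=pts/1 ; PWD=/var/www ; USER=bob ; "
    "COMMAND=/usr/bin/id",
]

if __name__ == "__main__":
    for ver in ("Sudo version 1.8.27p1", "Sudo version 1.8.31p2", "Sudo version 1.9.5p2"):
        print(ver, "->", exposure(ver) or "not in the quoted ranges")
    for line_no, line in scan_auth_log(SAMPLE_LOG):
        print(f"runas -1 at sample line {line_no}: {line}")
```

The scanner deliberately matches both the signed and unsigned spellings because the same uid appears as -1 on the command line and as 4294967295 once sudo logs it. Feed it the real files with something like `scan_auth_log(open("/var/log/auth.log").read().splitlines())`, or point it at the auditd log if the execve rule from the list above is in place.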

Writeup tip

When you report a sudo finding, paste the exact sudoers line and the exact command you ran. Customers fix what they can copy-paste into a ticket. Vague advice about least privilege gets closed as wontfix.
