SUDOERS Commented Code Includes Use for Evil

Thursday, May 31, 2012

Rob Fuller


I found a number of things interesting when reading the following post:

Too bad that nmap's interactive mode was taken out, but there are a great number of other such methods, most notably vi's shell escape (:! and :sh), which any sudo rule allowing vi hands over for free.

But when I started looking into appending or inserting lines into /etc/sudoers for CCDC, I happened upon an interesting function of that file. Near the end of the file there are two lines:

# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d

Both look commented out, but the second line is not a comment at all: sudo parses #include and #includedir as directives (releases 1.9.1 and later also accept the less confusing @include and @includedir spelling). So every file you put in /etc/sudoers.d counts as an extension of /etc/sudoers, with one rule worth knowing: sudo skips files whose names contain a '.' or end in '~' (editor backups and package leftovers) and parses the rest in sorted lexical order. A file named README has no dot in it, so it is parsed like any other.

Make a small edit to the default README file with a bunch of added # commented out lines copied directly from the sudo man page, with a


or www-data plus a webshell makes for easy re-exploitation

Just an evil way to stay hidden on a 'nix box… 
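As an added example (not code from the original post), the check a defender would want: a small POSIX shell script that applies the same rules sudo uses for #includedir (skip names containing '.' or ending in '~', parse the rest) and prints only the lines sudo would act on, treating #include/#includedir as directives rather than comments. The README contents, the backup files and the function names (sudoers_d_active_files, sudoers_effective_lines, sudoers_d_demo) are constructed for this example; on a real host you would point sudoers_effective_lines at /etc/sudoers.d.

```shell
#!/bin/sh
# Added example, not from the original post: find sudoers entries hidden among
# comment lines in an #includedir directory such as /etc/sudoers.d.

# Mirrors the sudoers(5) rules for #includedir: files whose names contain a '.'
# or end in '~' are ignored by sudo; everything else is parsed, in sorted order.
sudoers_d_active_files() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        case "$name" in
            *.*|*~) continue ;;
        esac
        printf '%s\n' "$f"
    done
}

# Print every line sudo would interpret, as "file:lineno:content".
# Blank lines and real comments are dropped, but #include / #includedir
# (and the newer @include / @includedir) are kept because they are directives.
sudoers_effective_lines() {
    dir=$1
    sudoers_d_active_files "$dir" | while IFS= read -r f; do
        n=0
        while IFS= read -r line || [ -n "$line" ]; do
            n=$((n + 1))
            # strip leading whitespace without spawning sed for every line
            stripped=${line#"${line%%[![:space:]]*}"}
            case "$stripped" in
                '') continue ;;
                '#include'[[:space:]]*|'#includedir'[[:space:]]*) ;;
                '@include'[[:space:]]*|'@includedir'[[:space:]]*) ;;
                '#'*) continue ;;
            esac
            printf '%s:%d:%s\n' "$f" "$n" "$line"
        done < "$f"
    done
}

# Constructed demonstration: a README padded with man-page style comments,
# one live rule buried in the middle, and two files sudo would skip anyway.
# Returns the effective lines with the temp directory prefix removed.
sudoers_d_demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/README" <<'EOF'
#
# This directory is read by sudo through the #includedir directive in
# /etc/sudoers.  Files whose names contain a dot or end in '~' are
# ignored; everything else is parsed as sudoers content.
#
# All files in this directory should be mode 0440 and edited with visudo.
#
www-data ALL=(ALL) NOPASSWD: ALL
#
# See sudoers(5) for the full syntax.
EOF
    printf 'root ALL=(ALL) ALL\n' > "$tmp/50-old.bak"   # name contains '.', skipped
    printf 'root ALL=(ALL) ALL\n' > "$tmp/README~"      # ends in '~', skipped
    sudoers_effective_lines "$tmp" | sed "s|^$tmp/||"
    rm -rf "$tmp"
}

sudoers_d_demo
```

The demo prints a single line, README:8:www-data ALL=(ALL) NOPASSWD: ALL, which is exactly what a quick eyeball of the file misses. Note that visudo -c -f /etc/sudoers.d/README will happily report the file as syntactically fine, because the planted rule is valid; sudo -l -U www-data (run as root) is the other quick way to see what a web server account has actually been granted.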


nmap --script <(echo "os.execute('/bin/sh')")

'nuf said… (thanks @bonsaiviking)

Cross-posted from Room 362

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
