#!/bin/bash
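# Affected range for CVE-2019-18634 (sudo "pwfeedback" buffer overflow),
# inclusive at both ends. Versions >= 1.8.31 carry the upstream fix, but note
# that distributions often backport fixes without bumping the version, so a
# version in this range is a hint to verify, not proof of exposure.
sudoMinVersionCheck=1.7.1
sudoMaxVersionCheck=1.8.30
# "sudo --version" prints e.g. "Sudo version 1.8.31p2" on its first line;
# the third field is the version string.
sudoVersion=$(sudo --version 2>/dev/null | awk '/^Sudo version/ {print $3}')
if [[ -z "$sudoVersion" ]]; then
    echo "Could not determine the sudo version (is sudo installed and on PATH?)" >&2
    exit 1
fi
# Drop a "pN" patch suffix (1.8.31p2 -> 1.8.31): the numeric field comparison
# downstream chokes on the non-digit characters and silently treats the field
# as equal, which misreports the version.
sudoVersion=${sudoVersion%%p*}
# pwfeedback shows up in the "Matching Defaults entries" section of "sudo -l".
# Caveats: "sudo -l" may prompt for a password, and for an account that is not
# in sudoers it prints nothing useful, so the option is then reported as NOT
# enabled even if sudoers sets it globally. A negated "!pwfeedback" explicitly
# disables the option and must not be counted, hence the "not preceded by !"
# pattern instead of a bare substring match.
sudoPWFeedbackEnabled=$(sudo -l | grep -E '(^|[^!])pwfeedback')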
# This script uses code derived from the following Stack Overflow post:
#https://stackoverflow.com/questions/4023830/how-to-compare-two-strings-in-dot-separated-version-format-in-bash
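#######################################
# Compare two dotted version strings field by field.
# Accepts a sudo-style "pN" patch suffix (e.g. 1.8.31p2), which is treated as
# one more numeric field, so 1.8.31p2 > 1.8.31 and 1.8.31 < 1.8.31p2.
# Missing fields count as 0 (1.8 == 1.8.0); any non-digit trailing garbage in
# a field is ignored rather than raising an arithmetic error.
# Arguments: $1 - first version, $2 - second version
# Returns:   0 if $1 == $2, 1 if $1 > $2, 2 if $1 < $2
#######################################
vercomp () {
    # Split on '.' and on 'p' (patch-level separator).
    local IFS='.p'
    # shellcheck disable=SC2206 -- word splitting on IFS is the intent here
    local -a lhs=($1) rhs=($2)
    local i n lv rv
    n=${#lhs[@]}
    if (( ${#rhs[@]} > n )); then
        n=${#rhs[@]}
    fi
    for (( i = 0; i < n; i++ )); do
        # Absent fields are zero; keep only the leading digits of each field.
        lv=${lhs[i]:-0}; lv=${lv%%[!0-9]*}
        rv=${rhs[i]:-0}; rv=${rv%%[!0-9]*}
        # 10# forces decimal so fields like "08" are not read as octal.
        if (( 10#${lv:-0} > 10#${rv:-0} )); then
            return 1
        fi
        if (( 10#${lv:-0} < 10#${rv:-0} )); then
            return 2
        fi
    done
    return 0
}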
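#######################################
# Flag the sudo version as potentially vulnerable unless "$1 <op> $2" holds.
# Arguments: $1 - version under test, $2 - reference version,
#            $3 - expected relation: '=', '>' or '<' (original forms), or
#                 '>=', '<=' or '!=' (accepted in addition, since a range
#                 check needs "at least"/"at most", not a single relation)
# Globals:   sudoVersionVulnerable (written) - set to 1 when the relation does
#            NOT hold; never cleared, so repeated calls accumulate.
# Returns:   0 (the result is reported through the global only)
#######################################
testvercomp () {
    local rel holds=0
    vercomp "$1" "$2"
    case $? in
        0) rel='=' ;;
        1) rel='>' ;;
        2) rel='<' ;;
    esac
    case $3 in
        "$rel") holds=1 ;;
        '>=')   [[ $rel != '<' ]] && holds=1 ;;
        '<=')   [[ $rel != '>' ]] && holds=1 ;;
        '!=')   [[ $rel != '=' ]] && holds=1 ;;
    esac
    if (( holds == 0 )); then
        sudoVersionVulnerable=1
    fi
    return 0
}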
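# Decide whether the installed sudo falls inside [min, max].
# vercomp returns 0 (equal), 1 ($1 newer), 2 ($1 older); the version is in
# range exactly when it is neither older than the minimum nor newer than the
# maximum. (Testing '>' and '=' separately against the same bound could never
# both hold, so every version used to be flagged.)
sudoVersionVulnerable=""
vercomp "$sudoVersion" "$sudoMinVersionCheck"; relToMin=$?
vercomp "$sudoVersion" "$sudoMaxVersionCheck"; relToMax=$?
if (( relToMin != 2 && relToMax != 1 )); then
    sudoVersionVulnerable=1
fi
echo "Checking machine for Sudo Vulnerability (CVE-2019-18634)"
echo "Sudo may be vulnerable if version between $sudoMinVersionCheck and $sudoMaxVersionCheck"
if [[ -n "$sudoVersionVulnerable" ]]; then
    echo "Sudo version found is $sudoVersion, which MAY make this computer VULNERABLE."
else
    echo "Sudo version found is $sudoVersion, which is GOOD in this case."
fi
if [[ -n "$sudoPWFeedbackEnabled" ]]; then
    printf '%s\n\n' "Sudo PWFeedback is ENABLED, which MAY make this computer VULNERABLE."
else
    printf '%s\n\n' "Sudo PWFeedback is NOT ENABLED, which is GOOD in this case."
fi
# Both conditions are required: the overflow is only reachable when pwfeedback
# is enabled. "Vulnerable" means "version in the affected range AND option on";
# it does not account for distribution backports that fix the bug without
# changing the version string, so confirm against your vendor's advisory
# before acting on the result.
if [[ -n "$sudoVersionVulnerable" && -n "$sudoPWFeedbackEnabled" ]]; then
    echo "Vulnerable"
else
    echo "Not Vulnerable"
fi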