Serious flaw that lurked in sudo for 9 years hands over root privileges

An excerpt from the xkcd comic strip parodies sudo.

Sudo, a utility found in dozens of Unix-like operating systems, has received a patch for a potentially serious bug that allows unprivileged users to easily obtain unfettered root privileges on vulnerable systems.

The vulnerability, tracked as CVE-2019-18634, is the result of a stack-based buffer-overflow bug found in versions 1.7.1 through 1.8.25p1. It can be triggered only when either an administrator or a downstream OS, such as Linux Mint and Elementary OS, has enabled an option known as pwfeedback. With pwfeedback turned on, the vulnerability can be exploited even by users who aren’t listed in sudoers, a file that contains rules that users must follow when using the sudo command.

Sudo is a powerful utility that’s included in most if not all Unix- and Linux-based OSes. It lets administrators allow specific individuals or groups to run commands or applications with higher-than-usual system privileges. Both Apple’s macOS and Debian distributions of Linux received updates last week. People using other OSes should check their configurations and version numbers to ensure they’re not vulnerable.

No sudo permissions required

“Exploiting the bug does not require sudo permissions, merely that pwfeedback be enabled,” an advisory published by sudo developers said. “The bug can be reproduced by passing a large input to sudo via a pipe when it prompts for a password. An example of exploit code is:

 $ perl -e 'print(("A" x 100 . "\x{00}") x 50)' | sudo -S id Password: Segmentation fault

The advisory lists two flaws that lead to the vulnerability. The first: pwfeedback isn’t ignored as it should be when reading from something other than a terminal. As a result, the saved version of a line erase character remains at its initialized value of 0. The second contributor is that the code that erases the line of asterisks doesn’t properly reset the buffer position if there is an error writing data. Instead, the code resets only the remaining buffer length.

As a result, input can write past the end of the buffers. Systems with unidirectional pipe allow an attempt to write to the read end of the pipe to result in a write error. Because the remaining buffer length isn’t reset correctly when write errors result from line erasures, the stack buffer can be overflowed.

“If pwfeedback is enabled in sudoers, the stack overflow may allow unprivileged users to escalate to the root account,” the advisory stated. “Because the attacker has complete control of the data used to overflow the buffer, there is a high likelihood of exploitability.

The sudo version history shows that the vulnerability was introduced in 2009 and remained active until 2018, with the release of 1.8.26b1. Systems or software using a vulnerable version should move to version 1.8.31 as soon as practical. Those who can’t update right away can prevent exploits by making sure pwfeedback is disabled. To check its status, run:

 sudo -l

If pwfeedback is listed in the outputted “Matching Defaults entries,” the sudoers configuration is vulnerable on affected sudo versions. The following is an example of output that indicates a vulnerable sudo configuration:

 $ sudo -l Matching Defaults entries for millert on linux-build: insults, pwfeedback, mail_badpass, mailerpath=/usr/sbin/sendmail User millert may run the following commands on linux-build: (ALL : ALL) ALL

Disabling pwfeedback involves using the visudo command to edit the sudoers file and adding an exclamation point so that

Defaults pwfeedback

Becomes:

Defaults !pwfeedback

The vulnerability was reported by Joe Vennix from Apple’s information security group.

Similar Posts: