Any Unprivileged User Can Gain Root Privileges On A Linux System Using A Default Sudo Configuration
The research team of Qualys, recently found a vulnerability in sudo, dubbed as the heap overflow vulnerability. Sudo is an omnipresent and powerful open-source utility that is mainly utilized on operating systems like Unix and Linux.
This vulnerability has been registered as CVE-2021-3156. Exploiting this vulnerability can allow any unauthorized user, without any permissions, to gain access to root privileges by utilizing a default sudo configuration on any vulnerable host.
Sudo is a utility that is available in almost all Unix and Linux operating systems and it mainly permits a user to execute programs/codes with security advantages of a different user. The examination of the vulnerability revealed that it has been there for 10 years and was hidden in plain sight.
The details in a blog post from Qualys read that “the vulnerability itself has been hiding in plain sight for nearly 10 years. It was introduced in July 2011 (commit 8255ed69) and affects all legacy versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1 in their default configuration.” The vulnerability is also called the Baron Samedit. Researchers from Qualys claim that they lonely validated the vulnerability and were also able to create its different versions to gain complete access of root privileges over Debian 10 (sudo 1.8.27), Ubuntu 20.02 (sudo 1.8.31), and Fedora 33 (sudo 1.9.2).
Researchers said, “Other operating systems and distributions are also likely to be exploitable.” Also claiming that “As soon as the Qualys research team confirmed the vulnerability, Qualys engaged in responsible vulnerability disclosure and coordinated with sudo’s author and open source distributions to announce the vulnerability.”
Todd C. Miller, who is the principal author and maintainer of the sudo, in a post, explained that “when sudo runs a command in shell mode, either via the -s or -i command-line option, it escapes special characters in the command’s arguments with a backslash. The sudoers policy plugin will then remove the escape characters from the arguments before evaluating the sudoers policy (which doesn’t expect the escape characters) if the command is being run in shell mode. A bug in the code that removes the escape characters will read beyond the last character of a string if it ends with an unescaped backslash character. Under normal circumstances, this bug would be harmless since sudo has escaped all the backslashes in the command’s arguments. However, due to a different bug, this time in the command-line parsing code, it is possible to run sudoedit with either the -s or -i options, setting a flag that indicates shell mode is enabled. Because a command is not actually being run, sudo does notescape special characters. Finally, the code that decides whether to remove the escape characters did not check whether a command is actually being run, just that the shell flag is set. This inconsistency is what makes the bug exploitable.”
Even though this vulnerability only allows the elevation of privileges and does not allow RCE (Remote Code Execution), it still could be utilized by the attacker to compromise vulnerable systems. However, the bug has now been fixed in sudo version 1.9.5p2. Researchers from Qualys suggest “given the breadth of the attack surface for this vulnerability, Qualys recommends users apply patches for this vulnerability immediately.”