Linux sudo Vulnerability May Lead to Unauthorized Privileged Access

  • 2021-07-06 12:21:28
  • OfStack

Exploitation of the newly discovered sudo vulnerability in Linux can allow some users to run commands as root, although there are limitations to this.

A serious vulnerability has recently been discovered in the sudo command which, if exploited, allows ordinary users to run commands as root, even when the /etc/sudoers file explicitly prohibits that user from doing so.

Updating sudo to version 1.8.28 should solve this problem, so Linux administrators are advised to do so as soon as possible.

Whether this vulnerability can be exploited depends on the specific permissions granted in /etc/sudoers. For example, a rule that allows a user to edit a file as any user other than root will in fact allow that user to edit the file as root as well. In such a case the vulnerability can cause very serious problems.

For a user to be able to exploit this vulnerability, /etc/sudoers must allow that user to run commands as another user; the vulnerability is limited to command privileges assigned in this manner.

This issue affects versions prior to 1.8.28. To check your version of sudo, use the following command:

$ sudo -V
Sudo version 1.8.27   <===
Sudoers policy plugin version 1.8.27
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.27

The vulnerability has been assigned the number CVE-2019-14287 in the CVE database. The risk is that any user who is permitted to run a command as any other user, even if explicitly prohibited from running it as root, can escape that restriction.

The following lines allow jdoe to edit files with vi as any user other than root (!root means "not root") and give nemo the right to run the id command as any user other than root:

# affected entries on host "dragonfly"
jdoe dragonfly = (ALL, !root) /usr/bin/vi
nemo dragonfly = (ALL, !root) /usr/bin/id

However, because of the vulnerability, these users can bypass the restriction and edit files as root or run the id command as root.
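The two checks described above, the sudo version reported by sudo -V and the sudoers rules that grant a Runas list of ALL with a root exclusion, are what an administrator needs to audit on each host. The following script is an added example, not code from the original article: it parses constructed sudo -V output and a constructed sudoers fragment (the jdoe and nemo entries from the article plus a few harmless rules) and reports whether the version is below the fixed 1.8.28 and which rules match the affected pattern. The function names and the sample data are assumptions made for this illustration; aliases defined with Runas_Alias are not expanded, so a rule hiding the pattern behind an alias would need a manual look.

```python
import re

# Constructed sample of `sudo -V` output, mirroring the article's example.
SUDO_V_OUTPUT = """Sudo version 1.8.27
Sudoers policy plugin version 1.8.27
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.27
"""

# Constructed sudoers fragment: the two affected rules from the article
# plus rules that should NOT be flagged (no Runas ALL, or no exclusion).
SUDOERS = """# constructed sample sudoers content
Defaults env_reset
root    ALL=(ALL:ALL) ALL
jdoe dragonfly = (ALL, !root) /usr/bin/vi
nemo dragonfly = (ALL, !root) /usr/bin/id
alice ALL=(ALL) NOPASSWD: /usr/bin/systemctl
bob ALL=(www-data) /usr/bin/tail
"""

# First sudo release that fixes CVE-2019-14287.
FIXED_VERSION = (1, 8, 28)

# Directives that never carry a user specification and are skipped.
NON_RULE_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias",
                     "Host_Alias", "Runas_Alias", "@include", "#include")


def parse_sudo_version(output):
    """Extract (major, minor, patch) from `sudo -V` output.

    A trailing patch suffix such as 1.8.28p1 is ignored on purpose: the
    comparison only needs the numeric triple.
    """
    m = re.search(r"^Sudo version (\d+)\.(\d+)\.(\d+)", output, re.MULTILINE)
    if not m:
        raise ValueError("could not find 'Sudo version' line")
    return tuple(int(part) for part in m.groups())


def is_vulnerable_version(version):
    """True when the numeric version is older than the fixed release."""
    return tuple(version) < FIXED_VERSION


def find_runas_all_excluding_root(sudoers_text):
    """Return (line number, rule) for rules whose Runas user list contains
    ALL together with a negated entry such as !root.

    Only the user half of a (users:groups) Runas spec is examined, and
    Runas_Alias names are not expanded (a known limitation of this check).
    """
    hits = []
    for lineno, raw in enumerate(sudoers_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line or line.startswith(NON_RULE_PREFIXES):
            continue
        m = re.search(r"\(([^)]*)\)", line)  # the Runas spec in parentheses
        if not m:
            continue
        runas_users = m.group(1).split(":", 1)[0]
        users = [u.strip() for u in runas_users.split(",") if u.strip()]
        if "ALL" in users and any(u.startswith("!") for u in users):
            hits.append((lineno, raw.strip()))
    return hits


def audit(sudo_v_output, sudoers_text):
    """Combine both checks into one report dictionary."""
    version = parse_sudo_version(sudo_v_output)
    rules = find_runas_all_excluding_root(sudoers_text)
    return {
        "version": version,
        "vulnerable_version": is_vulnerable_version(version),
        "affected_rules": rules,
        # Exposure exists only when both conditions hold.
        "exposed": is_vulnerable_version(version) and bool(rules),
    }


if __name__ == "__main__":
    report = audit(SUDO_V_OUTPUT, SUDOERS)
    print("sudo version:", ".".join(map(str, report["version"])))
    print("below fixed version:", report["vulnerable_version"])
    for lineno, rule in report["affected_rules"]:
        print(f"affected rule at line {lineno}: {rule}")
    print("host exposed to CVE-2019-14287:", report["exposed"])
```

On a real host the two inputs would come from `sudo -V` and from /etc/sudoers (plus anything included from /etc/sudoers.d); the remediation the article gives is to upgrade to 1.8.28 or later, and any rule the script flags is one whose Runas list should be reviewed so that it names the intended target users explicitly rather than relying on a root exclusion.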

An attacker can run commands as root by specifying the user ID as -1 or 4294967295:

sudo -u#-1 id -u

Or

sudo -u#4294967295 id -u

A response of 1 indicates that the command is running as root (showing the user ID of root).

Joe Vennix of Apple's information security team found and analyzed the problem.
