A recently discovered vulnerability in Sudo allows unprivileged users to run a command as root by specifying the user ID -1 or 4294967295. Sudo is one of the most powerful and most commonly used utilities on Linux-based and UNIX operating systems, so a vulnerability in such a core utility has caused widespread confusion and alarm.

Sudo stands for “superuser do” and is a program for Unix-like operating systems that allows users to run programs with the security privileges of another user, by default the superuser.

The vulnerability affects Sudo versions before 1.8.28 and potentially allows users to bypass the Runas user restrictions.


By default on most Linux distributions, the ALL keyword in the Runas specification of the “/etc/sudoers” file, as shown in the screenshot, allows all users in the admin or sudo groups to run any command as any valid user on the system.


Hence, unless privilege separation is configured with great care, all users in the group can run any command as root.

But with this vulnerability, even those with no such privileges can bypass this security policy and take complete control of the system as root.

This can be used by a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access as long as the ALL keyword is listed first in the Runas specification.

a Sudo developer

This vulnerability has been assigned CVE-2019-14287 in the Common Vulnerabilities and Exposures database.

Details

This vulnerability was discovered by Joe Vennix from Apple Information Security.

Exploiting the bug requires that the user have sudo privileges that allow them to run commands with an arbitrary user ID. Typically, this means that the user’s sudoers entry has the special value ALL in the Runas specifier.

Sudo supports running a command with a user-specified user name or user ID, if permitted by the sudoers policy. For example, the following sudoers entry allows the id command to be run as any user because it includes the ALL keyword in the Runas specifier.

    alice myhost = (ALL) /usr/bin/id

Not only is the user able to run the id command as any valid user, she is also able to run it as an arbitrary user ID by using the #uid syntax, for example:

    sudo -u#1234 id -u

would return 1234. However, the setresuid(2) and setreuid(2) system calls, which sudo uses to change the user ID before running the command, treat user ID -1 (or its unsigned equivalent 4294967295) specially and do not change the user ID for this value. As a result,

    sudo -u#-1 id -u

or

    sudo -u#4294967295 id -u

will actually return 0. This is because the sudo command itself is already running as user ID 0 so when sudo tries to change to user ID -1, no change occurs.

This results in sudo log entries that report the command as being run by user ID 4294967295 and not root (or user ID 0). Additionally, because the user ID specified via the -u option does not exist in the password database, no PAM session modules will be run.

If a sudoers entry is written to allow the user to run a command as any user except root, the bug can be used to avoid this restriction. For example, given the following sudoers entry:

    bob myhost = (ALL, !root) /usr/bin/vi

User bob is allowed to run vi as any user but root. However, due to the bug, bob is actually able to run vi as root by running sudo -u#-1 vi, violating the security policy.

Only sudoers entries where the ALL keyword is present in the Runas specifier are affected. For example, the following sudoers entry is unaffected:

    alice myhost = /usr/bin/id

In this example, alice is only allowed to run the id command as root. Any attempt to run the command as a different user will be denied.
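As an added illustration (my own code, not sudo's and not part of the original article), the following C program validates a `-u#<id>` argument the way a fixed policy must, rejecting -1 and 4294967295, and demonstrates the setreuid(2) behaviour the bug relies on; the function names are assumptions of this example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Validate the argument of "sudo -u#<id>": accept only a plain decimal that
 * fits in uid_t and is not the special value (uid_t)-1, which setresuid(2)
 * and setreuid(2) read as "leave this ID unchanged". Returns the uid, or -1
 * if the argument is rejected. Illustrative code, not sudo's own parser. */
long long checked_runas_uid(const char *arg)
{
    char *end;
    unsigned long long v;
    /* Must be '#' followed by digits only: rejects "#-1", "#+1", "# 1". */
    if (arg == NULL || arg[0] != '#' || !isdigit((unsigned char)arg[1]))
        return -1;
    errno = 0;
    v = strtoull(arg + 1, &end, 10);
    if (errno != 0 || *end != '\0')
        return -1;                       /* overflow or trailing junk */
    if (v >= (unsigned long long)(uid_t)-1)
        return -1;                       /* too large, or exactly 4294967295 */
    return (long long)v;
}

/* The kernel semantics the bug relies on: setreuid(-1, -1) succeeds and
 * leaves the caller's IDs untouched, whichever user runs it. Returns 1 if
 * the effective uid is unchanged afterwards, 0 otherwise. */
int minus_one_leaves_uid_unchanged(void)
{
    uid_t before = geteuid();
    if (setreuid((uid_t)-1, (uid_t)-1) != 0)
        return 0;
    return geteuid() == before;
}

int main(void)
{
    /* Constructed sample arguments, including the two values from the advisory. */
    const char *samples[] = { "#1234", "#0", "#-1", "#4294967295", "#99999999999" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long long uid = checked_runas_uid(samples[i]);
        printf("%-13s -> %s\n", samples[i], uid < 0 ? "rejected" : "accepted");
    }
    printf("setreuid(-1, -1) leaves the uid unchanged: %d\n",
           minus_one_leaves_uid_unchanged());
    return 0;
}
```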

What’s more concerning is that sudo is used by most users for changing their passwords, and due to this vulnerability systems were at great risk of being compromised until the issue was resolved in the next release, sudo 1.8.28, which was released shortly after the bug was found on 14th October 2019.

If you are a Linux user, it is highly recommended that you update your distribution.

Editorial Team