Sudo Flaw Lets Linux Users Run Commands As Root Even When They're Restricted

DDE_Server

Level 22
Thread author
Verified
Top Poster
Well-known
Sep 5, 2017
1,168
Attention Linux Users!

A vulnerability has been discovered in Sudo—one of the most important, powerful, and commonly used utilities that comes as a core command installed on almost every UNIX and Linux-based operating system.

The vulnerability in question is a sudo security policy bypass issue that could allow a malicious user or a program to execute arbitrary commands as root on a targeted Linux system even when the "sudoers configuration" explicitly disallows the root access.

Sudo, stands for "superuser do," is a system command that allows a user to run applications or commands with the privileges of a different user without switching environments—most often, for running commands as the root user.

By default on most Linux distributions, the ALL keyword in RunAs specification in /etc/sudoers file, as shown in the screenshot, allows all users in the admin or sudo groups to run any command as any valid user on the system.

However, since privilege separation is one of the fundamental security paradigms in Linux, administrators can configure a sudoers file to define which users can run what commands as to which users.

So, even if a user has been restricted to run a specific, or any, command as root, the vulnerability could allow the user to bypass this security policy and take complete control over the system.

"This can be used by a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access as long as the ALL keyword is listed first in the Runas specification," the Sudo developers say.

How to Exploit this Bug? Just Sudo User ID -1 or 4294967295

The vulnerability, tracked as CVE-2019-14287 and discovered by Joe Vennix of Apple Information Security, is more concerning because the sudo utility has been designed to let users use their own login password to execute commands as a different user without requiring their password.

What's more interesting is that this flaw can be exploited by an attacker to run commands as root just by specifying the user ID "-1" or "4294967295."

That's because the function which converts user id into its username incorrectly treats -1, or its unsigned equivalent 4294967295, as 0, which is always the user ID of root user.

"Additionally, because the user ID specified via the -u option does not exist in the password database, no PAM session modules will be run."

The vulnerability affects all Sudo versions prior to the latest released version 1.8.28, which has been released today, a few hours ago and would soon be rolled out as an update by various Linux distributions to their users.

So, if you use Linux, you are highly recommended to update sudo package manually to the latest version as soon as it is available
 
Last edited by a moderator:

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
The attack is only possible on a system that has been configured in a very stupid way that no normal person would do:
 
Last edited:

AlanOstaszewski

Level 16
Verified
Top Poster
Malware Hunter
Jul 27, 2017
775
The attack is only possible on a system that has been configured in a very stupid way that no normal person would do:

Thanks for linking this article! A hacker would also probably first need sudo privileges or even physical access to a machine to exploit this flaw.
 
L

Local Host

I actually knew about this one for over a decade, I was always able to do whatever I wanted in restricted machines (even though it requires mostly physical access it also works with remote access, is a huge security risk).

I'm surprised they took this long to figure out such a basic exploit, I took not even 5 min. to find out, when I was on a restricted Linux machine.

Windows XP also has similar exploits, that were long patched with Windows Vista.
 

Lenny_Fox

Level 22
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
I actually knew about this one for over a decade, I was always able to do whatever I wanted in restricted machines (even though it requires mostly physical access it also works with remote access, is a huge security risk).


ZD_ Net said:
Sudo must be configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification.
The last has always been a stupid idea. In all my decades of working with Linux and Unix, I have never known anyone to set up sudo with ALL.

I know one now Local Host :emoji_sob:
 
Last edited:

Lenny_Fox

Level 22
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
:emoji_sob: explanation for Windows users

What is so funny about Local Host's claim of brilliance (he knew it already for 10 years and it took him only 5 minutes to figure it out) is that the author of ZD-Net article (Steven J. Vaughan-Nichols) explains that you have to enable something really stupid to make it work.
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,454
If a found/discovered and reported and then even officially acknowledged vulnerability is actually stupid, useless or pointless, it wouldn't be called a vulnerability in the first place. Food for thoughts one can wish.

This specific reported one is now patched in Sudo version 1.8.28 and above. Also very kind and friendly confirmed by @bribon77 . :emoji_clap::emoji_beer:
 
L

Local Host

:emoji_sob: explanation for Windows users

What is so funny about Local Host's claim of brilliance (he knew it already for 10 years and it took him only 5 minutes to figure it out) is that the author of ZD-Net article (Steven J. Vaughan-Nichols) explains that you have to enable something really stupid to make it work.
You actually don't need to configure anything to make the exploit work, you can get root access on Linux without the proper password, with local access you can go as far as removing/changing the password (then again with local access, you can do the same to any other system).

As said before on Windows XP, you could easily bypass the login screen entirely, to enter the system with full rights (this was patched since Windows Vista).
 
F

ForgottenSeer 72227

Once again the proof that nothing is safe, only the user, by making smart decisions, may save his own skin.

Agreed.

Linux and Mac OS have done somethings better than Windows over the years in terms of security, but they aren't impenetrable and they aren't "free" of security holes that some seem to think they are. Hackers are becoming more skilled eaxh day. The main reason as to why Linux and Mac OS have remained in the "better at security", is due to the fact that their marketshare is tiny compared to Windows. Their security benefit really has to do with them flying under the radar, more so than them being better at security persay.

Also just because linux is open source, it doesn't mean that it cannot have security holes left unchecked. There's a poor assumption that all opensource programs are being reviewed by security experts 100% of the time. I don't think that's necessarily the case and I don't think that people should assume that someone is always looking at it to find security holes.

The vulnerabilities are in all systems, the only thing is that hackers pass of Linux.
why? Because it is harder to hack, and they only use it 2% and do not find it attractive.:)

I don't thinks necessarily harder to hack Linux, but more so that hackers don't care, as the market share is quite low compared to Windows.;)
 

Lenny_Fox

Level 22
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
Linux a small market share? On Desktop it is just below 2%, but what about Android that is based on Linux, Same goes for iOS and the majority of the servers used for internet et cetera are running Linux :confused:

Besides having a marginal market share on desktop there are also many distro's, so it probably is not worth the manpower effort and cost to find vulnabilities which can be exploited predictably.

Therefor it feels so lonely on Linux, that I sometimes surf to VX-Vault hoping Sophos free will catch a Windows malware.

1571346762614.png


Using Linux on my desktop and joining a security forum (like MalwareTips) is like going to a tripple A meeting while having never drank a drop of alcohol in your life.

. . . Hi my name is Lenny and I have been sober (never infected) in my digital life, since I am running Linux :cool:
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top