In this article we look at how Joe Vennix of Apple Information Security uncovered a security flaw in the sudo command that allows a malicious user or application to run any command as the root user on a Linux system.
TL;DR
The security policy vulnerability
The vulnerability in question is a sudo security policy bypass that could allow a malicious user or program to execute arbitrary commands as root on a targeted Linux system, even when the sudoers configuration explicitly disallows root access.
How to exploit
More interesting still, an attacker can exploit this flaw to run commands as root simply by specifying the user ID "-1" or "4294967295".
That is because the function that converts a user ID into its username incorrectly treats -1, or its unsigned 32-bit equivalent 4294967295, as 0, which is always the user ID of the root user.
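To make the -1 / 4294967295 equivalence concrete, here is an added example (written for this article, not sudo's own code) that reproduces the C conversion of a signed -1 into an unsigned 32-bit uid_t and contrasts a permissive "#<uid>" runas parser, which happily accepts both spellings, with a hardened one that rejects negative values, out-of-range values and the reserved (uid_t)-1 sentinel. The parser function names and the "#<uid>" spec format used here are assumptions for illustration.

```python
import ctypes

UID_T_MAX = 2**32 - 1       # uid_t is a 32-bit unsigned integer on Linux
NO_CHANGE_UID = UID_T_MAX   # (uid_t)-1: the sentinel setresuid() reads as "leave this ID unchanged"


def to_uid_t(value: int) -> int:
    """Reproduce C's implicit int -> uid_t conversion: -1 wraps to 4294967295."""
    return ctypes.c_uint32(value).value


def parse_runas_uid_naive(spec: str) -> int:
    """Permissive '#<uid>' parser (constructed for illustration, not sudo's code):
    any integer is accepted and returned as the wrapped uid_t, so '#-1' and
    '#4294967295' both come back as 4294967295 and never raise an error."""
    if not spec.startswith("#"):
        raise ValueError("expected '#<numeric uid>'")
    return to_uid_t(int(spec[1:], 10))


def parse_runas_uid_strict(spec: str) -> int:
    """Hardened parser: ASCII decimal digits only, inside uid_t's range,
    and never the reserved (uid_t)-1 value."""
    if not spec.startswith("#"):
        raise ValueError("expected '#<numeric uid>'")
    digits = spec[1:]
    if not (digits.isascii() and digits.isdigit()):   # rejects '-1', '+0', '' and Unicode digits
        raise ValueError(f"uid must be unsigned decimal digits, got {digits!r}")
    uid = int(digits, 10)
    if uid > UID_T_MAX:
        raise ValueError(f"uid {uid} does not fit in a 32-bit uid_t")
    if uid == NO_CHANGE_UID:
        raise ValueError("uid 4294967295 is (uid_t)-1, a reserved sentinel, not a user")
    return uid


def strict_rejects(spec: str) -> bool:
    """True when the hardened parser refuses the spec."""
    try:
        parse_runas_uid_strict(spec)
    except ValueError:
        return False or True
    return False


if __name__ == "__main__":
    for spec in ("#1000", "#-1", "#4294967295"):
        print(f"{spec:>12}: naive -> {parse_runas_uid_naive(spec)}, "
              f"strict rejects -> {strict_rejects(spec)}")
```

The naive parser shows why the two spellings on this page are the same thing: once the signed value is stored in an unsigned uid_t, -1 and 4294967295 are indistinguishable. The strict parser refuses both, which is the behaviour a privilege-switching tool needs before it hands a uid to the kernel.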
Affected Sudo versions
The vulnerability affects all Sudo versions prior to 1.8.28, which was released today, a few hours ago, and will soon be rolled out as an update by the various Linux distributions to their users.
Conclusion
Never take security for granted: even the most important programs, the ones intended to secure your system, may contain security vulnerabilities.
Always keep all your devices up to date. By the way, what are you waiting for to update your Linux system?
OK, you can take the time to share this and give it a like, but afterwards you must update your Linux system ;)
Comments
Elsewhere a user commented (mjn, edited 14 hours ago):
"Not good in principle, mostly because it seems pretty sloppy. In terms of impact, though, I would guess the vulnerable configuration is incredibly rare?
The privilege escalation scenario here is that you've given a user sudoers access to run commands as (ALL, !root), i.e. as any user except root. This bug lets them upgrade that into being able to run them as root, also. Is there any remotely common scenario where you would have that kind of sudoers setup? I can vaguely imagine something like that from old-school multiuser academic Unix servers, but even there it'd be a somewhat exotic setup (restricted sudoers there are typically restricted to specific users they can sudo to, like the apache user or something, or a prof being able to sudo to their students, but not to ALL, !root)."
lobste.rs/s/zirgzc/sudo_flaw_lets_...
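The comment above pins down the configuration that matters: a runas list of the form (ALL, !root). As an added example (not part of the article or of sudo), here is a small audit script that scans sudoers text for rules granting ALL runas users while negating root (by name or as !#0) and checks a sudo version string against the 1.8.28 fix threshold stated in the article. The sudoers content and the `sudo -V` line are constructed samples; the function names are assumptions for illustration.

```python
import re

# Constructed sample sudoers content for the demo (not taken from any real host).
# bob and alice have "any user except root" runas lists; the others do not.
SAMPLE_SUDOERS = """\
# /etc/sudoers -- constructed sample
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
bob     myhost = (ALL, !root) /usr/bin/vi
alice   ALL = (ALL, \\
            !#0) /bin/ls
carol   ALL = (www-data) /usr/bin/php
"""

# user  host = (runas_users[:runas_groups]) command...
SPEC_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*\((?P<runas>[^)]*)\)")

# Spellings of "not root" in a runas list: by name or by numeric uid 0.
ROOT_NEGATIONS = {"!root", "!#0"}


def _logical_lines(text):
    """Yield sudoers lines with backslash continuations joined and comment-only
    lines dropped ('#include' is a directive, not a comment)."""
    pending = ""
    for raw in text.splitlines():
        piece = raw.strip()
        if not pending:
            if not piece or (piece.startswith("#") and not piece.startswith("#include")):
                continue
        if piece.endswith("\\"):
            pending += piece[:-1]
            continue
        yield pending + piece
        pending = ""
    if pending:
        yield pending


def find_all_but_root_specs(sudoers_text):
    """Return (user, runas_list) for every rule whose runas list grants ALL users
    while negating root: the configuration the bypass turns into root access."""
    findings = []
    for line in _logical_lines(sudoers_text):
        m = SPEC_RE.match(line)
        if not m:
            continue
        runas_users = m.group("runas").split(":")[0]   # drop the optional group part
        items = [item.strip() for item in runas_users.split(",")]
        if "ALL" in items and any(item in ROOT_NEGATIONS for item in items):
            findings.append((m.group("user"), m.group("runas").strip()))
    return findings


def sudo_version_is_affected(version):
    """True for any sudo release before 1.8.28 (suffixes such as '1.8.27p1' are handled)."""
    parts = tuple(int(n) for n in re.findall(r"\d+", version))
    return parts < (1, 8, 28)


def version_from_sudo_v(output):
    """Pull the version string out of the first line of `sudo -V` output."""
    m = re.search(r"Sudo version (\S+)", output)
    return m.group(1) if m else None


if __name__ == "__main__":
    for user, runas in find_all_but_root_specs(SAMPLE_SUDOERS):
        print(f"review: {user} may run commands as ({runas})")
    # Constructed first line of `sudo -V`, standing in for the real command's output.
    ver = version_from_sudo_v("Sudo version 1.8.27p1\n")
    state = "update to 1.8.28 or later" if sudo_version_is_affected(ver) else "fixed"
    print(f"sudo {ver}: {state}")
```

On a real host you would feed the script the output of `sudo -V` and the contents of /etc/sudoers (and any files pulled in by #include), then either update sudo or rewrite the flagged rules to list the specific target users instead of ALL with an exclusion, which is also the tighter policy the commenter describes as the usual practice.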