Paulo Renato

Sudo Flaw Lets Linux Users Run Commands As Root Even When They're Restricted

In this article we can read how Joe Vennix of Apple Information Security uncovered a security flaw in the sudo command that allows a malicious user or application to run any command as the root user on a Linux system.

TLDR

The security policy vulnerability

The vulnerability in question is a sudo security policy bypass that could allow a malicious user or program to execute arbitrary commands as root on a targeted Linux system, even when the "sudoers configuration" explicitly disallows root access.

How to exploit

What's more interesting is that this flaw can be exploited by an attacker to run commands as root just by specifying the user ID "-1" or "4294967295."

That's because the function which converts a user ID into its username incorrectly treats -1, or its unsigned equivalent 4294967295, as 0, which is always the user ID of the root user.

Affected Sudo versions

The vulnerability affects all Sudo versions prior to the latest version, 1.8.28, which was released today, a few hours ago, and will soon be rolled out as an update by various Linux distributions to their users.
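To check a host against the two conditions described above (a sudo release older than 1.8.28 and a sudoers rule that allows every target user except root), here is an added audit example; it is not code from the article or from the sudo project. It assumes the sudoers text is supplied as a string, expands one level of `Runas_Alias`, does not follow `#include` directives, and uses a constructed sample policy.

```python
import re

FIXED = (1, 8, 28)                  # first fixed release, per the article
ROOT_NEGATIONS = {"!root", "!#0"}   # root excluded by name or by UID

def is_affected_version(sudo_v_output):
    """True if `sudo -V` output reports a release older than 1.8.28."""
    m = re.search(r"Sudo version (\d+)\.(\d+)(?:\.(\d+))?", sudo_v_output)
    if not m:
        raise ValueError("no sudo version string found")
    return tuple(int(g or 0) for g in m.groups()) < FIXED

def logical_lines(text):
    """Join backslash continuations; drop comments ('#0' style UIDs are kept)."""
    for raw in text.replace("\\\n", " ").splitlines():
        line = re.sub(r"#(?!\d).*", "", raw).strip()
        if line:
            yield line

def risky_runas(spec, aliases):
    """Runas user list (text before ':') grants ALL but tries to exclude root."""
    users = spec.split(":")[0].split(",")
    entries = {e.strip() for u in users for e in aliases.get(u.strip(), u).split(",")}
    return "ALL" in entries and bool(entries & ROOT_NEGATIONS)

def find_risky_rules(sudoers_text):
    """Return the user rules whose Runas list has the 'ALL, !root' shape."""
    aliases, hits = {}, []
    for line in logical_lines(sudoers_text):
        if line.startswith("Runas_Alias"):
            for part in line[len("Runas_Alias"):].split(":"):
                name, _, members = part.partition("=")
                aliases[name.strip()] = members
        elif not re.match(r"Defaults|\w+_Alias\b", line):
            if any(risky_runas(s, aliases) for s in re.findall(r"\(([^)]*)\)", line)):
                hits.append(line)
    return hits

# Constructed sample policy, not taken from a real host.
SAMPLE_SUDOERS = """\
Runas_Alias NOROOT = ALL, !#0
alice  myhost = (ALL, !root) /usr/bin/vi
bob    ALL = (NOROOT) /usr/bin/id
carol  ALL = (www-data) /usr/bin/systemctl restart httpd  # one named user
dave   ALL = (ALL : ALL) ALL
"""

if __name__ == "__main__":
    for rule in find_risky_rules(SAMPLE_SUDOERS):
        print("review:", rule)
```

Distributions often backport fixes without changing the upstream version number, so treat the version check as a first pass and confirm against the distribution's own advisory.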

Conclusion

Never take security for granted: even the most important programs, the ones intended to secure your system, may contain security vulnerabilities.

Always keep all your devices up to date, and by the way... What are you waiting for to update your Linux system?

OK, you can take the time to share this and give it a like, but afterwards you must update your Linux system ;)

Top comments (1)

Sjerp van Wouden

Elsewhere a user commented:
"mjn (edited 14 hours ago):

Not good in principle, mostly because it seems pretty sloppy. In terms of impact, though, I would guess the vulnerable configuration is incredibly rare?

The privilege escalation scenario here is that you’ve given a user sudoers access to run commands as (ALL, !root), i.e. as any user except root. This bug lets them upgrade that into being able to run them as root, also. Is there any remotely common scenario where you would have that kind of sudoers setup? I can vaguely imagine something like that from old-school multiuser academic Unix servers, but even there it’d be a somewhat exotic setup (restricted sudoers there are typically restricted to specific users they can sudo to, like the apache user or something, or a prof being able to sudo to their students, but not to ALL, !root)."
lobste.rs/s/zirgzc/sudo_flaw_lets_...