A new vulnerability was discovered in the sudo utility that allows an unprivileged user to gain root privileges without authentication. CVE-2019-18634 is classified as a Stack-based Buffer Overflow (CWE-121).

This flaw affects all Unix-like operating systems, but it is only exploitable when the pwfeedback option is enabled in the sudoers configuration file. pwfeedback provides visual feedback (an asterisk for every key press) while a user types the password.

An attacker can exploit this bug by triggering a stack-based buffer overflow: when sudo prompts for a password, a large input passed to it via a pipe overflows the buffer and results in a Segmentation Fault. The input can also be crafted in such a way that root privileges are obtained.

For example,

$ perl -e 'print(("A" x 100 . "\x{00}") x 50)' | sudo -S id

The advisory points out that there are two flaws which contribute to the vulnerability:

  • The pwfeedback option is not ignored when input is read from somewhere other than a terminal. Because there is no terminal, the line erase character remains at its initialized value of 0.
  • The code responsible for erasing the line of asterisks resets the remaining buffer length but fails to reset the buffer position if a write error occurs. This allows the getln() function to write past the end of the buffer, causing a buffer overflow.

If sudo tries to write to the read end of a unidirectional pipe, a write error is reported. The line is erased on that write error, but because the buffer position is not reset along with the remaining buffer length, the mismatch can be used to cause a stack-based buffer overflow.

How to check if you are vulnerable?

Users can check whether pwfeedback is enabled by running the following command:

$ sudo -l

The sudoers configuration is affected if pwfeedback is listed in the “Matching Defaults entries” output.

Example output:

$ sudo -l
Matching Defaults entries for millert on linux-build:
insults, pwfeedback, mail_badpass, mailerpath=/usr/sbin/sendmail

User millert may run the following commands on linux-build:
(ALL : ALL) ALL

Affected Product

Sudo versions 1.7.1 to 1.8.25p1
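As an added example (not part of the original post), the following POSIX shell script combines the two indicators above into one defender-side check: the sudo version falls inside the stated affected range (1.7.1 to 1.8.25p1) and pwfeedback appears under "Matching Defaults entries" in `sudo -l`. The functions take text so they can be run offline on captured output; the sample output is constructed to mirror the example above, and `--live` is an assumed flag for querying the local sudo.

```shell
#!/bin/sh
# Added CVE-2019-18634 exposure check (not the vendor's or the article's code).

# Map "1.8.25p1" to one integer so versions compare with -ge / -le.
version_key() {
    base=${1%%p*}
    case $1 in *p*) p=${1##*p} ;; *) p=0 ;; esac
    major=${base%%.*}; rest=${base#*.}
    minor=${rest%%.*}
    case $rest in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac
    echo $(( major * 1000000 + minor * 10000 + patch * 100 + p ))
}

# True (0) when the version lies within the range the advisory gives.
version_affected() {
    k=$(version_key "$1")
    [ "$k" -ge "$(version_key 1.7.1)" ] && [ "$k" -le "$(version_key 1.8.25p1)" ]
}

# Extract "1.8.31" from `sudo -V` output ("Sudo version 1.8.31 ...").
sudo_version_from() {
    printf '%s\n' "$1" | sed -n 's/^Sudo version \([0-9][0-9.p]*\).*/\1/p'
}

# True (0) when pwfeedback is an active option in the Defaults block.
# A "!pwfeedback" entry disables the option and is deliberately not matched.
pwfeedback_enabled() {
    printf '%s\n' "$1" | awk '
        /^Matching Defaults entries/ { inblk = 1; next }
        inblk && /^[ \t]*$/         { inblk = 0 }
        inblk { n = split($0, f, ","); for (i = 1; i <= n; i++) {
                    gsub(/^[ \t]+|[ \t]+$/, "", f[i]); if (f[i] == "pwfeedback") found = 1 } }
        END { exit found ? 0 : 1 }'
}

# Constructed sample in the shape of the article's example (not real host data).
SAMPLE_SUDO_L='Matching Defaults entries for millert on linux-build:
    insults, pwfeedback, mail_badpass, mailerpath=/usr/sbin/sendmail

User millert may run the following commands on linux-build:
    (ALL : ALL) ALL'

check_live_system() {
    ver=$(sudo_version_from "$(sudo -V 2>/dev/null)")
    [ -n "$ver" ] || { echo "sudo not found or version not parsed"; return 2; }
    if version_affected "$ver" && pwfeedback_enabled "$(sudo -n -l 2>/dev/null)"; then
        echo "EXPOSED: sudo $ver with pwfeedback enabled (CVE-2019-18634)"; return 1
    fi
    echo "not exposed: sudo $ver"
}

if [ "${1:-}" = "--live" ]; then check_live_system; fi
```

Distributions often backport the fix without changing the version string, so a version inside the range is a prompt to confirm against the package changelog rather than proof of exposure; removing pwfeedback from sudoers closes the issue regardless of version.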


Impact

An unprivileged user can escalate to the root account by overflowing the buffer.


Solution

The vendor has released an update to mitigate the vulnerability.

Please refer to this KB Article to apply the patches using SanerNow.


 

Article Name: Go SUDO without a password
Publisher Name: SecPod Technologies
