Vulnerability detected in sudo that affects Linux Mint and Elementary OS

Recently a vulnerability was disclosed in the sudo utility (used to delegate administrative rights for a single program, or to run commands on behalf of other users), catalogued as CVE-2019-18634, that allows a local user to escalate their privileges on the system to root.

The problem affects sudo from version 1.7.1 up to and including version 1.8.30, and can only be exploited when the "pwfeedback" option is enabled in the /etc/sudoers file. That option is disabled by default in upstream sudo, but it is enabled by default in some distributions, such as Linux Mint and Elementary OS.

The "pwfeedback" option makes sudo echo a "*" character for each character typed at the password prompt.

Due to a bug in the getln() function defined in tgetpass.c, when the password is read from standard input (stdin) rather than from a terminal, an overly long password line does not fit in the allocated buffer and overwrites other data on the stack. The overflow happens while sudo is running with root privileges (it is setuid root).

The essence of the problem is this: when the line-kill character (^U) is encountered during input and the write that erases the echoed "*" characters fails, the code responsible for the erase resets the counter of remaining buffer space, but does not reset the pointer to the current position in the buffer back to the start of the buffer.

Another contributing factor is that pwfeedback mode is not automatically disabled when the data is received not from a terminal but through an input stream. This creates the conditions for the write error: the feedback characters are written to the same descriptor the password is read from, and with an unnamed unidirectional pipe that descriptor is the read end of the pipe, so the write fails.

Since the attacker fully controls the data written past the end of the buffer on the stack, it is not difficult to build an exploit that escalates privileges to root.

The problem can be exploited by any local user, regardless of whether they are allowed to use sudo or have any user-specific entries in sudoers.

A user with sudo privileges can check whether "pwfeedback" is enabled by running:

  sudo -l

If "pwfeedback" appears in the output under "Matching Defaults entries", the sudoers configuration is affected. In the following example, the sudoers configuration is vulnerable:

  sudo -l

  Matching Defaults entries for USER on linux-build:
      insults, pwfeedback, mail_badpass, mailerpath=/usr/sbin/sendmail

  User USER may run the following commands on linux-build:
      (ALL : ALL) ALL

Regarding the bug, it is explained that it can be exploited without any sudo permissions; it only requires that pwfeedback is enabled. The bug can be reproduced by passing a large input to sudo through a pipe when it asks for a password.

For example:

  perl -e 'print(("A" x 100 . "\x{00}") x 50)' | sudo -S id

  Password: Segmentation fault

Two flaws contribute to this vulnerability:

  • The "pwfeedback" option is not ignored, as it should be, when reading from something other than a terminal device. Because there is no terminal, the saved copy of the line-kill (^U) character keeps its initialized value of 0, so a NUL byte in the input is treated as a line-kill.

  • The code that erases the line of asterisks does not reset the buffer position if there is a write error, but it does reset the remaining length of the buffer. As a result, the getln() function can write past the end of the buffer.
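To make the two flaws concrete, below is a small C model of the feedback-erase loop in getln(). It is written for this article and is not sudo's code; it assumes sudo's 256-byte password buffer and a line-kill character of 0, simulates the read end of a pipe (every feedback write fails, as write() does on a read-only descriptor), and compares the 1.8.30 behaviour, where only the remaining length is reset, with the 1.8.31 fix, where the buffer position is reset as well. It feeds the same 50 x (100 "A" + NUL) input as the perl reproducer above, but only counts the bytes it would have stored instead of corrupting its own stack.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of the erase logic in sudo's getln() (tgetpass.c), written for this
 * article; not sudo's code. Input is an in-memory "pipe" and every feedback
 * write fails, which is what write() does on the read end of a pipe (EBADF). */

#define PW_BUFSZ  256   /* assumption: sudo reads the password into a 256-byte stack buffer */
#define TERM_KILL 0     /* no tty attributes saved, so the kill character stays 0 (NUL) */

struct pipe_in {
    const unsigned char *data;
    size_t len;
    size_t pos;
};

/* read(2) stand-in: one byte at a time, 0 at end of input */
static int pipe_read(struct pipe_in *p, unsigned char *c)
{
    if (p->pos >= p->len)
        return 0;
    *c = p->data[p->pos++];
    return 1;
}

/* write(2) stand-in for the read end of a pipe: always fails */
static int pipe_write(const void *s, size_t n)
{
    (void)s; (void)n;
    return -1;
}

/* Returns the number of bytes a real getln() would have stored into buf
 * (the highest position reached). Bytes that do not fit are counted, not
 * stored, so the vulnerable path is reported rather than reproduced.
 *   fixed == false : 1.8.30 behaviour (only `left` reset on a failed erase)
 *   fixed == true  : 1.8.31 behaviour (`cp` reset to the buffer start as well) */
static size_t model_getln(const unsigned char *input, size_t inlen,
                          bool fixed, char *buf, size_t bufsz)
{
    struct pipe_in in = { input, inlen, 0 };
    size_t cp = 0, left = bufsz, high = 0;
    unsigned char c;

    while (--left) {
        if (pipe_read(&in, &c) != 1 || c == '\n' || c == '\r')
            break;
        if (c == TERM_KILL) {
            /* erase the echoed asterisks; the first write fails, so cp is untouched */
            while (cp > 0) {
                if (pipe_write("\b \b", 3) == -1)
                    break;
                --cp;
            }
            if (fixed)
                cp = 0;       /* the fix: position is reset together with length */
            left = bufsz;     /* both versions reset the remaining length */
            continue;
        }
        if (cp < bufsz)
            buf[cp] = (char)c;    /* real code stores unconditionally: *cp++ = c */
        cp++;
        if (cp > high)
            high = cp;
    }
    if (cp < bufsz)
        buf[cp] = '\0';           /* real code: *cp = '\0', also unconditionally */
    return high;
}

/* Build the reproducer input: `reps` runs of `run` x 'A' each followed by NUL */
static size_t build_reproducer(unsigned char *out, size_t cap, size_t run, size_t reps)
{
    size_t n = 0;
    for (size_t r = 0; r < reps; r++) {
        if (n + run + 1 > cap)
            break;
        memset(out + n, 'A', run);
        n += run;
        out[n++] = '\0';
    }
    return n;
}

/* Run the article's 50 x (100 'A' + NUL) input through the model */
static size_t run_reproducer(bool fixed)
{
    unsigned char input[50 * 101];   /* constructed input, same shape as the perl one-liner */
    char buf[PW_BUFSZ];
    size_t n = build_reproducer(input, sizeof input, 100, 50);
    return model_getln(input, n, fixed, buf, PW_BUFSZ);
}

int main(void)
{
    printf("vulnerable: would store %zu bytes into a %d-byte buffer\n",
           run_reproducer(false), PW_BUFSZ);
    printf("fixed:      would store %zu bytes into a %d-byte buffer\n",
           run_reproducer(true), PW_BUFSZ);
    return 0;
}
```

In the vulnerable path each NUL resets `left` to the full buffer size while `cp` keeps advancing, so the 50 runs of 100 bytes land at offsets up to 5000 in a 256-byte buffer; with the fix, `cp` returns to the start on every NUL and the position never exceeds 100.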

Finally, the problem is reported to be fixed in sudo version 1.8.31, published a few hours ago. Distribution packages have not yet been patched, so users of affected distributions are asked to check whether pwfeedback is set in /etc/sudoers and, if it is, to update to the new version of sudo.

To block the problem, the most important thing is to verify that "pwfeedback" is not set in /etc/sudoers and, if it is, to disable it (edit the file with visudo and change "Defaults pwfeedback" to "Defaults !pwfeedback").

Source: https://www.openwall.com
