Sudo Bug Lets Non-Privileged Linux and macOS Users Run Commands as Root

Apple security researcher Joe Vennix has found another significant vulnerability in sudo that could let low-privileged users or malicious programs run arbitrary commands with administrative (root) privileges on Linux and macOS systems. Sudo is one of the most important, powerful, and commonly used utilities for running commands as another user, and it comes pre-installed on macOS.

Sudo Vulnerability (CVE-2019-18634)

The newly discovered privilege escalation vulnerability, tracked as CVE-2019-18634, stems from a stack-based buffer overflow in sudo versions before 1.8.26.

According to Vennix, the bug can be exploited only when the "pwfeedback" option is enabled in the sudoers configuration file. This feature provides visual feedback, an asterisk (*) for each character, while a user types a password at the terminal. Note: pwfeedback is not enabled by default in the upstream version of sudo or in many packages built from it. However, some Linux distributions, including Linux Mint and Elementary OS, enable it in their default sudoers files.

Moreover, when pwfeedback is enabled, any user can exploit the vulnerability, even one who has no sudo permissions at all. The bug can be reproduced by passing a large input to sudo when it prompts for a password, explained sudo developer Todd C. Miller. "The risk of exploitation is high, as the attacker has full control of the data used for overflowing the buffer."

Check If You're Affected and Apply Patches

To check whether your sudoers configuration is affected, run the "sudo -l" command in a Linux or macOS terminal and look for the "pwfeedback" option in the "Matching Defaults entries" section of the output. If it is enabled, you can disable the vulnerable feature by changing "Defaults pwfeedback" to "Defaults !pwfeedback" in the sudoers configuration file, which prevents the privilege escalation.
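The check described above as a small POSIX shell script. This is an added example, not code from the article or the sudo project; it assumes the usual `sudo -l` layout (a "Matching Defaults entries for ..." line followed by indented, comma-separated options), and the sample output in it is constructed.

```shell
#!/bin/sh
# Added example (not from the article): inspect `sudo -l` output for the
# pwfeedback option and show the sudoers change the article recommends.
# Assumption: the usual `sudo -l` layout; the sample text below is constructed.

# pwfeedback_enabled TEXT -> exit 0 if TEXT shows pwfeedback in effect, else 1.
# Later Defaults entries override earlier ones, so "!pwfeedback" after "pwfeedback" wins.
pwfeedback_enabled() {
    printf '%s\n' "$1" | awk '
        /^Matching Defaults entries/ { in_defaults = 1; next }
        /^[^ \t]/                    { in_defaults = 0 }
        in_defaults {
            n = split($0, opt, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", opt[i])
                if (opt[i] == "pwfeedback")  found = 1
                if (opt[i] == "!pwfeedback") found = 0
            }
        }
        END { exit (found ? 0 : 1) }'
}

# disable_pwfeedback TEXT -> prints TEXT with the pwfeedback token on Defaults
# lines rewritten as !pwfeedback. Apply the real change through visudo so the
# file is syntax-checked; never edit /etc/sudoers in place.
disable_pwfeedback() {
    printf '%s\n' "$1" |
        sed -E '/^[[:space:]]*Defaults/ s/(^|[[:space:],])pwfeedback([[:space:],]|$)/\1!pwfeedback\2/g'
}

# check_live_system -> runs the check on this host (non-interactive sudo only).
check_live_system() {
    out=$(sudo -n -l 2>/dev/null) || { echo "could not run sudo -l non-interactively"; return 2; }
    if pwfeedback_enabled "$out"; then
        echo "pwfeedback is enabled: confirm sudo is 1.8.31 or later"; return 0
    fi
    echo "pwfeedback is not enabled"; return 1
}

# Constructed sample of `sudo -l` output from a host with pwfeedback enabled.
SAMPLE_VULN='Matching Defaults entries for alice on box:
    env_reset, pwfeedback, mail_badpass, secure_path=/usr/bin:/bin

User alice may run the following commands on box:
    (ALL : ALL) ALL'

pwfeedback_enabled "$SAMPLE_VULN" && echo "sample: pwfeedback enabled"
disable_pwfeedback 'Defaults        pwfeedback'
if [ "${1:-}" = "--live" ]; then check_live_system; fi
```

Options are split on commas naively, so a quoted option value containing a comma could confuse the parser; only the bare pwfeedback token matters for this check.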

Vennix responsibly reported the vulnerability to the sudo maintainers, who released a patched sudo version 1.8.31 late last week. "While the logical bug may also be present in 1.8.26 to 1.8.30, the EOF handling changes in sudo 1.8.26 do not allow use of it," said Miller. Apple also released updates last week for macOS High Sierra 10.13.6, macOS Mojave 10.14.6 and macOS Catalina 10.15.2. Last year, Joe Vennix documented a similar vulnerability in sudo that an attacker could have exploited to execute commands as root simply by specifying the user ID "-1" or "4294967295".
