Serious Sudo Trouble for Linux Distros

27 Jan 2021 4:54pm, by

We all know the jokes. Linux admin: “Make me a sandwich!” Minion: “No!” Linux admin: “sudo Make me a sandwich!” Minion: “Okay.” But, it’s no joke when an ancient sudo security hole is uncovered.

For those uninitiated in the ways of the Unix command line, sudo is a preface that grants regular users administrative powers for whatever command they wish to execute. It’s a handy tool for avoiding use of the root account, always a dangerous proposition.

Many so-called Linux vulnerabilities turn out, upon closer examination, to be nothing much. But then there are ones like sudo’s CVE-2021-3156, aka “Baron Samedit.”

With this one, if you’re lazy about keeping your computers up to date, you’re in trouble. This sudo heap-based buffer overflow can be exploited by any local user. Worse still, any Joe or Jane user can leverage it to elevate privileges to root, even if they’re not listed in the sudoers file.

As the sudo programmers explained: Usually, when you run a sudo command in shell mode, you escape any special characters in the command’s arguments with a backslash. The sudoers policy plugin then removes the escape characters from the arguments before evaluating the sudoers policy. But, that same code will read beyond the last character of a string if it ends with an unescaped backslash character.

Usually, that doesn’t matter. But, thanks to another bug, this time in the shell parsing code, an attacker can run sudoedit with either the -s or -i option. Why is that bad? Because it enables shell mode, and since no command is actually being run, sudo does not escape special characters. Last, but not least, the code that decides whether to remove the escape characters doesn’t check whether a command is actually being run.

So, what happens is that when the command line reaches the sudoers_policy_main() function, set_cmnd() concatenates the command-line arguments into a heap-based buffer. Because the escape-removal code reads past the end of an argument that ends in a backslash, set_cmnd() copies more bytes than it sized the buffer for, so those out-of-bounds characters overflow the heap-based “user_args” buffer.
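The description above boils down to a loop that drops a backslash and copies the next character literally, without first checking that a next character exists. The following is an added, deliberately simplified re-creation of that pattern and is not sudo’s source code: `unescape_vulnerable` mirrors the behaviour the sudo developers describe (a trailing backslash steps over the terminating NUL, so the copy continues into whatever lies beyond the string), and `unescape_fixed` adds the missing terminator check. The input buffer in `demo_vulnerable_overread` is constructed so that the bytes after the NUL stand in for adjacent heap data while staying inside one array, which keeps the demonstration well-defined.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Escape stripping as described in the article: a backslash is dropped
 * and the character after it is copied literally. `dst` must be at least
 * as large as the source array. Returns bytes written, excluding the NUL.
 */

/* Vulnerable form: a backslash followed by a non-space is always treated
 * as an escape, so a trailing backslash skips the terminating NUL and the
 * loop keeps copying whatever lies beyond the end of the string. */
size_t unescape_vulnerable(char *dst, const char *src)
{
    const char *from = src;
    char *to = dst;
    while (*from) {
        if (*from == '\\' && !isspace((unsigned char)from[1]))
            from++;               /* steps onto the NUL when src ends in '\' */
        *to++ = *from++;          /* copies the NUL and carries on past it   */
    }
    *to = '\0';
    return (size_t)(to - dst);
}

/* Hardened form: the escape is only honoured when a character actually
 * follows the backslash, so the loop always stops at the terminator. */
size_t unescape_fixed(char *dst, const char *src)
{
    const char *from = src;
    char *to = dst;
    while (*from) {
        if (*from == '\\' && from[1] != '\0' && !isspace((unsigned char)from[1]))
            from++;
        *to++ = *from++;
    }
    *to = '\0';
    return (size_t)(to - dst);
}

/* Constructed input: the string "foo\" followed, after its NUL, by "XYZ",
 * which stands in for neighbouring heap bytes. The vulnerable loop copies
 * 7 bytes (foo, NUL, X, Y, Z) although strlen(input) is only 4. */
size_t demo_vulnerable_overread(void)
{
    char input[] = "foo\\" "\0" "XYZ";
    char out[sizeof input];
    return unescape_vulnerable(out, input);
}

/* Same input through the fixed loop: stops at the NUL, copies 4 bytes. */
size_t demo_fixed_stops_at_nul(void)
{
    char input[] = "foo\\" "\0" "XYZ";
    char out[sizeof input];
    return unescape_fixed(out, input);
}

int main(void)
{
    printf("vulnerable loop copied %zu bytes from a 4-byte argument\n",
           demo_vulnerable_overread());
    printf("fixed loop copied %zu bytes\n", demo_fixed_stops_at_nul());
    return 0;
}
```

The fix is a single extra condition, which is why the defect survived for so long: on normal input both loops behave identically, and only an argument ending in an unescaped backslash, in a code path where nothing escaped it beforehand, makes the difference visible.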

The theory may sound complex, but in practice, it’s trivial to exploit. To start screwing around, all you need to do is enter the command “sudoedit -s” with any command-line argument ending with a single backslash character.

Yes, there have been other recent sudo security problems, but they’re small potatoes compared to this one. For those to smack you, you had to have an unusual sudo setup. This one will work on every Linux system with sudo installed out there. As Animesh Jain, vulnerability signatures product manager at security company Qualys, wrote, “Qualys recommends users apply patches for this vulnerability immediately.” She’s right.

Patch your Linux system’s sudo command now. You want to upgrade to sudo version 1.9.5p2 or higher as soon as possible.
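A quick way to triage a fleet is to collect `sudo --version` output from each host and compare the reported version against 1.9.5p2. The parser and comparison below are an added example, not part of the article or of the sudo project; the input lines are constructed. One caveat a practitioner needs: distributions frequently backport the fix without bumping the upstream version string (so a host reporting 1.8.31 may already be patched), which is why the result is labelled “below the fixed upstream version” rather than “vulnerable”, and why the package changelog or the distribution’s advisory is the final word.

```c
#include <stdio.h>
#include <string.h>

/* Parsed sudo version: "1.9.5p2" -> {1, 9, 5, 2}, "1.8.31" -> {1, 8, 31, 0}. */
struct sudo_version {
    int major, minor, patch, plevel;
};

/* Parses the version token out of `sudo --version` output
 * ("Sudo version 1.9.5p2") or a bare version string.
 * Returns 1 on success, 0 if no version could be found. */
int parse_sudo_version(const char *text, struct sudo_version *v)
{
    const char *p = strstr(text, "version ");
    p = p ? p + strlen("version ") : text;
    v->major = v->minor = v->patch = v->plevel = 0;
    /* The 'p' suffix is optional; sscanf returns 3 when it is absent. */
    int n = sscanf(p, "%d.%d.%dp%d", &v->major, &v->minor, &v->patch, &v->plevel);
    return n >= 3;
}

/* Negative if a < b, zero if equal, positive if a > b. */
int cmp_sudo_version(const struct sudo_version *a, const struct sudo_version *b)
{
    if (a->major != b->major) return a->major - b->major;
    if (a->minor != b->minor) return a->minor - b->minor;
    if (a->patch != b->patch) return a->patch - b->patch;
    return a->plevel - b->plevel;
}

/* Returns 1 if the reported upstream version is below 1.9.5p2, 0 if it is
 * at or above it, and -1 if the text could not be parsed. A 1 means "check
 * the package changelog for a backported fix", not "definitely vulnerable". */
int sudo_below_fixed_version(const char *version_text)
{
    const struct sudo_version fixed = {1, 9, 5, 2};
    struct sudo_version v;
    if (!parse_sudo_version(version_text, &v))
        return -1;
    return cmp_sudo_version(&v, &fixed) < 0 ? 1 : 0;
}

int main(void)
{
    /* Constructed sample lines, as `sudo --version` would print them. */
    const char *samples[] = {
        "Sudo version 1.9.5p2",
        "Sudo version 1.9.5p1",
        "Sudo version 1.8.31",
        "Sudo version 1.9.6",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = sudo_below_fixed_version(samples[i]);
        printf("%-24s -> %s\n", samples[i],
               r == 1 ? "below 1.9.5p2, verify package changelog"
             : r == 0 ? "at or above 1.9.5p2"
             :          "unparsable");
    }
    return 0;
}
```

On a real host, feed the first line of `sudo --version` into `sudo_below_fixed_version`; hosts that come back as “below 1.9.5p2” are the ones to cross-check against the distribution’s package version and advisory before closing the ticket.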

Don’t think it can happen to you? Please! There are many botnets targeting Linux systems these days using brute-force methods and this vulnerability is perfect for automated exploitation.

What are you waiting for? Do it. Do it now. Patches are already available on all major Linux distributions.

Feature image by Max Bender on Unsplash.