Buffer Overflow In Older Sudo Versions Could Be Used To Get Root On Elementary, Linux Mint
Malicious users could potentially use a buffer overflow in specific older sudo versions to gain root access if sudo is configured to provide visual feedback when passwords are entered. This is not the default on most GNU/Linux distributions and it is not the default upstream. Some distributions, such as Elementary and Linux Mint, do enable the optional pwfeedback feature to provide users with visual feedback when a password is entered. You may want to check if you are using an affected sudo version and make sure pwfeedback is disabled if you are.
written by 林慧 (Wai Lin). published 2020-02-01 - last edited 2020-02-02
Sudo versions 1.7.1 to 1.8.25p1 are vulnerable to a buffer overflow if the non-default
pwfeedback option is enabled in
/etc/sudoers. pwdfeedback makes
sudo provide visual feedback when a password is entered. There is no feedback at all unless this option is enabled. No visual feedback is better from a security perspective but it is not very user friendly. The majority of GNU/Linux distributions do not ship with pwdfeedback enabled and it is not the default in the upstream
sudo package. Some distributions, like Ubuntu and Linux Mint, do enable it in order to provide fancy
*** feedback when a password is entered. Distributions who enable
pwfeedback may be vulnerable to a buffer overflow vulnerability known as CVE-2019-18634.
Sudo versions 1.8.26 through 1.8.30 are not affected due to a totally unrelated change in EOF handling introduced in sudo 1.8.26. Current
sudo versions are not affected.
There are two different problems with the pwfeedback implementation in the affected sudo versions which lead to disaster:
pwfeedbackis not ignored when sudo is reading from sources other than a terminal and a line erase character with an initial value of 0 gets saved in the non-terminal case.
- The code which removes the line of asterisks providing password feedback does not reset the buffer position properly if there is any kind of write error - but it does reset the remaining buffer length. The result is that
getln()can write past the end of the intended buffer.
Do note that sudo privileges are not required. Any user on a system where
pwfeedback is enabled can potentially exploit this.
There are no know examples of proof of concept code using this stack overflow vulnerability as of yet. That does not mean there won't be:
"If pwfeedback is enabled in sudoers, the stack overflow may allow unprivileged users to escalate to the root account. Because the attacker has complete control of the data used to overflow the buffer, there is a high likelihood of exploitability."
You can run
sudo -V ; sudo -l to see what sudo version you have and what options and rights are enabled. If that shows sudo versions 1.7.1 to 1.8.25p1 and it shows that
pwfeedback is enabled then you're affected by this. The odds of those two things being true are slim.
Most distributions will have a newer version of sudo. The last affected version, 1.8.25p1, was released in August 2018. Some systems, like those running CentOS 7.7, do have an affected sudo version. However,
pwfeedback is not the default in the upstream
sudo package and it is not a default on CentOS or the vast majority of GNU/Linux distributions. Using a vulnerable sudo version is fine if the
pwfeedback feature is disabled.
Elementary and Linux Mint do enable the
pwfeedback option so you will want to either upgrade sudo to a safe version or set
Defaults !pwfeedback in
/etc/sudoers if you are using one of those distributions.