Buffer Overflow In Older Sudo Versions Could Be Used To Get Root On Elementary, Linux Mint

From LinuxReviews
Jump to navigationJump to search
Animals-ladybug.png

Malicious users could potentially use a buffer overflow in specific older sudo versions to gain root access if sudo is configured to provide visual feedback when passwords are entered. This is not the default on most GNU/Linux distributions and it is not the default upstream. Some distributions, such as Elementary and Linux Mint, do enable the optional pwfeedback feature to provide users with visual feedback when a password is entered. You may want to check if you are using an affected sudo version and make sure pwfeedback is disabled if you are.

written by 林慧 (Wai Lin). published 2020-02-01last edited 2020-02-02

Sudo-config-file-nano.jpg

Sudo versions 1.7.1 to 1.8.25p1 are vulnerable to a buffer overflow if the non-default pwfeedback option is enabled in /etc/sudoers. pwdfeedback makes sudo provide visual feedback when a password is entered. There is no feedback at all unless this option is enabled. No visual feedback is better from a security perspective but it is not very user friendly. The majority of GNU/Linux distributions do not ship with pwdfeedback enabled and it is not the default in the upstream sudo package. Some distributions, like Ubuntu and Linux Mint, do enable it in order to provide fancy *** feedback when a password is entered. Distributions who enable pwfeedback may be vulnerable to a buffer overflow vulnerability known as CVE-2019-18634.

Sudo versions 1.8.26 through 1.8.30 are not affected due to a totally unrelated change in EOF handling introduced in sudo 1.8.26. Current sudo versions are not affected.

There are two different problems with the pwfeedback implementation in the affected sudo versions which lead to disaster:

  • pwfeedback is not ignored when sudo is reading from sources other than a terminal and a line erase character with an initial value of 0 gets saved in the non-terminal case.
  • The code which removes the line of asterisks providing password feedback does not reset the buffer position properly if there is any kind of write error - but it does reset the remaining buffer length. The result is that getln() can write past the end of the intended buffer.

Do note that sudo privileges are not required. Any user on a system where pwfeedback is enabled can potentially exploit this.

There are no know examples of proof of concept code using this stack overflow vulnerability as of yet. That does not mean there won't be:

"If pwfeedback is enabled in sudoers, the stack overflow may allow unprivileged users to escalate to the root account. Because the attacker has complete control of the data used to overflow the buffer, there is a high likelihood of exploitability."

Don't Panic

You can run sudo -V ; sudo -l to see what sudo version you have and what options and rights are enabled. If that shows sudo versions 1.7.1 to 1.8.25p1 and it shows that pwfeedback is enabled then you're affected by this. The odds of those two things being true are slim.

Most distributions will have a newer version of sudo. The last affected version, 1.8.25p1, was released in August 2018. Some systems, like those running CentOS 7.7, do have an affected sudo version. However, pwfeedback is not the default in the upstream sudo package and it is not a default on CentOS or the vast majority of GNU/Linux distributions. Using a vulnerable sudo version is fine if the pwfeedback feature is disabled.

Elementary and Linux Mint do enable the pwfeedback option so you will want to either upgrade sudo to a safe version or set Defaults !pwfeedback in /etc/sudoers if you are using one of those distributions.

0.00
(0 votes)

Add your comment
LinuxReviews welcomes all comments. If you do not want to be anonymous, register or log in. It is free.