A vulnerability in the Linux sudo command has been discovered which allows unprivileged users to execute commands as root. The only good news is that it works only in non-standard configurations, so most Linux servers are unaffected. Before walking through the vulnerability, some quick background on how the sudo command works and how it is configured is useful. Sudo stands for "superuser do". On a Linux system, unprivileged users can use sudo to execute commands as root as long as they have been granted permission to do so, or as long as they know the root user's password.
Sudo also allows a user to run commands as another user by means of special directives, which are added to the /etc/sudoers configuration file. When launching sudo, users can specify the target by UID (user ID) instead of by username. For example, the command below would once again launch VIM (vi improved) as `bleeping-test`, but this time by giving the user's UID rather than the name.
The detailed sudo vulnerability
Joe Vennix, a security researcher at Apple, recently discovered a bug that allows a user to launch a permitted sudo command as root by passing either -1 or 4294967295 as the UID. Such a command uses the bug to launch /usr/bin/id as root even though the test user was explicitly denied that in the /etc/sudoers file. The bug is quite powerful, but it only works if the user has already been given access to a command via the sudoers configuration file. Most Linux distributions do not do this by default, so on those systems the bug has no effect.

Sudo is one of the most important and widely used utilities, installed as a core command on almost every UNIX and Linux-based operating system. The issue is a security policy bypass: it could allow a malicious user or program to execute arbitrary commands as root on a targeted Linux system even when the sudoers configuration explicitly disallows root access. Sudo (superuser do) is a system command that lets a user run commands or applications with the privileges of a different user without switching environments, most often to run commands as root. The vulnerability is tracked as CVE-2019-14287.

The issue is all the more concerning because sudo was designed to let users execute commands as a different user by entering their own login password, without needing that other user's password. The vulnerability affects all sudo versions prior to the latest release. In short, this sudo bug lets Linux users run restricted commands as root without permission, and it has only been found to work on Linux systems with a non-standard configuration.
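To check whether a system has the precondition described above, the following added example (not code from the article) parses sudoers rules and flags the shape that the bypass targets: a user allowed to run a command as any user except root, on a sudo older than the fixed release. It assumes the standard sudoers runas syntax `(ALL, !root)` for "any user but root", and the sudoers text is constructed for the example.

```python
import re
from typing import List, Tuple

# Sudoers content constructed for this example; not taken from the article.
SAMPLE_SUDOERS = """\
# bleeping-test may run vim as any user except root: the shape the bypass targets.
bleeping-test ALL=(ALL, !root) /usr/bin/vim
# Ordinary admin rule: root is not excluded, so there is nothing to bypass.
%admin ALL=(ALL) ALL
# No runas spec: the target defaults to root, again nothing to bypass.
alice ALL=/usr/bin/id
"""

# user  host=(runas_list) commands   -- the runas part is optional.
RULE_RE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
FIXED_VERSION = (1, 8, 28)  # the article's minimum: this release rejects -1 / 4294967295
SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")


def parse_version(ver: str) -> Tuple[int, ...]:
    """Turn a version string such as '1.8.27p1' into (1, 8, 27); patch suffixes are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", ver)[:3])


def parse_rules(text: str) -> List[dict]:
    """Parse user-specification lines of a sudoers file; comments, blanks and aliases are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        user, host, runas, cmds = m.groups()
        parts = [p.strip() for p in (runas or "").split(",") if p.strip()]
        rules.append({
            "user": user, "host": host, "commands": cmds.strip(),
            "runas_allow": [p for p in parts if not p.startswith("!")],
            "runas_deny": [p[1:] for p in parts if p.startswith("!")],
        })
    return rules


def exposed_rules(text: str, sudo_version: str) -> List[dict]:
    """Rules that allow 'ALL' targets but deny root, when sudo is older than the fixed release."""
    if parse_version(sudo_version) >= FIXED_VERSION:
        return []
    return [r for r in parse_rules(text)
            if "ALL" in r["runas_allow"] and "root" in r["runas_deny"]]
```

Running `exposed_rules(open("/etc/sudoers").read(), "1.8.27")` on a host lists the rules to review; an empty result on 1.8.28 or later reflects the fix, not the absence of such rules.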
What is Sudo?
Sudo is short for "superuser do". It is a program that lets users run programs with the security privileges of another user, by default the superuser. It is used mainly on Unix-like operating systems, where system administration is done through a special user account called the superuser. Sudo enables a system administrator to permit certain users to run some or all commands as root while logging every command and its arguments, and to enforce restrictions on non-root users.

Building an attack

To actually make this threat real, a user needs a sudoers directive configured for a command that is able to launch other commands. In the example above, VIM is such a command. As soon as VIM is launched as root, any command executed from within it also runs as root. In VIM, a user can launch another program with the ! command; for example, entering !ls runs the ls command in the current folder. VIM can be launched as root with the command sudo -u#-1 vim, which exercises this vulnerability, and running !whoami from inside it confirms that the shell is root. From a root shell, any command can be executed on the compromised system or device.

This bug is powerful, but it can only be used under non-standard configurations and will not affect the vast majority of Linux users. Anyone who does use such sudoers directives for their users should upgrade to sudo 1.8.28 or later as soon as possible.

The flaw can be exploited to run commands as root simply by specifying the user ID -1 or 4294967295. This works because the function that converts a user ID into its username incorrectly treats -1, or its unsigned equivalent 4294967295, as 0, and 0 is always the user ID of the root user.
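From the detection side, the following added example (not part of the article) models the unsigned wraparound described above and scans sudo syslog lines for commands whose requested target user is -1 or 4294967295, which is what a defender should alert on while the upgrade to 1.8.28 is rolled out. The log lines are constructed, and the script assumes sudo's default `USER=... ; COMMAND=...` syslog format with the target recorded as it was requested; that format assumption is mine, not something the article states.

```python
import re
from typing import List

# Constructed sudo syslog lines for this example; not real captured logs.
SAMPLE_LOG = """\
Oct 14 10:01:12 host1 sudo: bleeping-test : TTY=pts/0 ; PWD=/home/bleeping-test ; USER=#-1 ; COMMAND=/usr/bin/vim
Oct 14 10:02:40 host1 sudo: bleeping-test : TTY=pts/0 ; PWD=/home/bleeping-test ; USER=4294967295 ; COMMAND=/usr/bin/id
Oct 14 10:03:05 host1 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Oct 14 10:04:00 host1 sudo:      bob : TTY=pts/2 ; PWD=/home/bob ; USER=www-data ; COMMAND=/bin/ls
"""

# Fields of sudo's default syslog line: invoking user, target USER=, COMMAND= (assumed format).
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:.*?USER=(?P<target>\S+)\s+;\s+COMMAND=(?P<cmd>.+)$"
)
UID_MAX32 = 0xFFFFFFFF  # 4294967295: what -1 becomes in an unsigned 32-bit uid_t


def to_uid32(uid: int) -> int:
    """Model the unsigned wraparound the article describes: -1 -> 4294967295."""
    return uid & UID_MAX32


def suspicious_target(target: str) -> bool:
    """True when the requested target is -1 or its wraparound, with or without the '#' prefix."""
    try:
        return int(target.lstrip("#")) in (-1, UID_MAX32)
    except ValueError:  # an ordinary user name such as root or www-data
        return False


def find_uid_bypass(log: str) -> List[dict]:
    """Return the log entries whose target user looks like a -u#-1 / 4294967295 request."""
    hits = []
    for line in log.splitlines():
        m = SUDO_RE.search(line)
        if m and suspicious_target(m.group("target")):
            hits.append({"user": m.group("user"), "target": m.group("target"),
                         "cmd": m.group("cmd").strip(), "raw": line})
    return hits


if __name__ == "__main__":
    for h in find_uid_bypass(SAMPLE_LOG):
        print(f"ALERT {h['user']} requested target uid {h['target']} for {h['cmd']}")
```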