In the cyber world, vulnerabilities in services and products are disclosed on a daily basis. Product developers work continuously to strengthen the security of their services and products so that consumers and users do not become easy targets for attackers.
Recently, in October 2019, a critical bug was discovered in the “sudo” binary of the Linux operating system that allowed unprivileged users to execute commands with root privileges.
What is a UID?
UID (or User ID) is a whole number, ranging from 0 to 10000, that identifies a specific user and therefore the privileges and permissions assigned to that user. UID 0 is always root, the Super User.
What is sudo?
sudo (or Super User DO) is a special binary in the Linux operating system. It is owned by root and carries a special permission bit called setuid. Any user who executes a binary with the setuid bit set automatically inherits the privileges of the binary’s owner for the duration of that execution.
For example, if a user ‘bob’ executes a root-owned setuid binary, that binary runs with the privileges of root rather than with the privileges of ‘bob’ himself.
Exploit-DB ID: 47502
Exploit Category: Security Bypass
Affected Service: sudo binary
Affected Version: all versions prior to 1.8.28
Affected Operating System: Linux
The bug becomes exploitable when the sudoers file contains an entry such as:
bob ALL=(ALL,!root) /bin/bash
The above entry in the sudoers file specifies that the user ‘bob’ is allowed to execute /bin/bash as any other user, except root.
If ‘bob’ uses sudo to execute /bin/bash as any user other than root, he inherits the permissions and privileges of that user, because sudo is a setuid binary, as discussed earlier.
This entry can be abused when ‘bob’ invokes sudo with a UID of -1 or 4294967295:
sudo -u#-1 /bin/bash or sudo -u#4294967295 /bin/bash
The issue with sudo was that neither sudo nor the underlying system call checked whether the given UID fell within the acceptable range (0-10000).
There are two aspects of this vulnerability:
- When a UID of -1 is provided:
The binary interprets this as a request for no change in the user ID, but since sudo is already executing with root privileges, the command is run as root.
- When a UID of 4294967295 is provided:
This large number overflows the buffer used by the sudo binary, since the defined range has its maximum limit at 10000. After the overflow, sudo processes the given integer as a request for no change in the user ID, and because sudo executes with root permissions, the system call again results in root access.
In versions after sudo 1.8.27 (that is, 1.8.28 and later), this bug has been fixed: the sudo binary now checks for both signed and unsigned integers and input validation has been applied to the supplied UID.
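For defenders, the practical questions are whether a host runs an affected sudo, whether its sudoers file contains the `(ALL,!root)`-style entry the bypass depends on, and whether anyone has already tried it. The following Python script is an added example written for this post, not code from the sudo project or from the original write-up; the sudoers lines and syslog lines it scans are constructed samples, and the `USER=#-1` log format is assumed rather than verified against a real host.

```python
import re
from typing import Iterable, List, Tuple

# Constructed sudoers content for the demonstration (not from a real host).
SUDOERS_SAMPLE = """
root    ALL=(ALL:ALL) ALL
bob     ALL=(ALL,!root) /bin/bash
alice   ALL=(www-data) /usr/bin/systemctl restart nginx
"""

# Runas spec that grants every user except root, e.g. "(ALL,!root)" or "(ALL, !root)".
_RUNAS_EXCLUSION = re.compile(r"\(\s*ALL\s*,\s*!root\s*\)")


def find_root_exclusion_entries(sudoers_text: str) -> List[str]:
    """Return sudoers lines whose Runas spec is 'ALL except root'.
    On sudo versions before 1.8.28 such an entry is the precondition for the bypass."""
    hits = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if _RUNAS_EXCLUSION.search(line):
            hits.append(line)
    return hits


def version_is_vulnerable(version: str, fixed: str = "1.8.28") -> bool:
    """True if a 'sudo --version' number such as '1.8.27p1' predates the fix."""
    def parse(v: str) -> Tuple[int, ...]:
        # Drop the 'pN' patch suffix; compare the dotted numeric part only.
        return tuple(int(x) for x in re.findall(r"\d+", v.split("p")[0]))
    return parse(version) < parse(fixed)


# Constructed syslog lines in the shape sudo writes (format assumed, not verified).
AUTH_LOG_SAMPLE = [
    "Oct 15 09:12:01 host sudo:   bob : TTY=pts/0 ; PWD=/home/bob ; USER=www-data ; COMMAND=/bin/bash",
    "Oct 15 09:13:44 host sudo:   bob : TTY=pts/0 ; PWD=/home/bob ; USER=#-1 ; COMMAND=/bin/bash",
    "Oct 15 09:14:02 host sudo:   bob : TTY=pts/0 ; PWD=/home/bob ; USER=#4294967295 ; COMMAND=/bin/bash",
]
_SUSPECT_UID = re.compile(r"USER=#(-1|4294967295)\b")


def find_uid_bypass_attempts(log_lines: Iterable[str]) -> List[str]:
    """Return log lines where the target user was given as UID -1 or 4294967295."""
    return [line for line in log_lines if _SUSPECT_UID.search(line)]
```

On a live host you would feed `find_root_exclusion_entries` the output of `sudo -l` or the contents of /etc/sudoers and /etc/sudoers.d, and `find_uid_bypass_attempts` the sudo lines from your auth log.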