
The SUDO Security Bypass Bug

In the cyber world, vulnerabilities in services and products are disclosed on a daily basis. Product developers strive day by day to strengthen the security of their services and products, so as to protect consumers and users from becoming targets of the exploiters of the cyber world.

Recently, in October 2019, a critical bug was discovered in the “sudo” binary of the Linux operating system that allowed unprivileged users to execute commands with root privileges.

What is a UID?

UID (or User ID) is a whole number, ranging from 0 to 10000, that denotes the privileges or permissions assigned to a specific user. UID 0 is always root, the Super User.

What is sudo?

sudo (or Super User DO) is a special binary in the Linux operating system that is owned by root and carries a special permission bit called setuid. Any user who executes a binary with the setuid permission set automatically inherits the permissions of the binary’s owner.

For example, if a user ‘bob’ executes a root-owned setuid binary, ‘bob’ ends up running with the permissions of root instead of his own privileges.

CVE-ID: 2019-14287

Exploit-DB ID: 47502

Exploit Category: Security Bypass

Affected Service: sudo binary

Affected Version: all versions prior to 1.8.28

Affected Operating System: Linux

Technical Details:

The bug becomes exploitable when the sudoers file contains an entry like:

bob ALL=(ALL,!root) /bin/bash

The above entry in the sudoers file specifies that the user ‘bob’ is allowed to execute /bin/bash as any user except root.

If ‘bob’ uses sudo to execute /bin/bash as any user except root, he inherits the permissions and privileges of that user, because sudo is a setuid binary, as discussed earlier.
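Only sudoers entries whose RunAs list explicitly excludes root (such as the one above) are reachable by this bypass, so the first thing an administrator wants is a way to find them. The following C program is an added example written for this page, not code from the sudo project: it reads a constructed sample of sudoers lines (embedded inline, not taken from any real host) and flags each entry whose parenthesised RunAs list contains a `!root` or `!#0` exclusion. The line format it handles (user/host, a `(runas_user[:runas_group])` list, then the commands) is the standard one, but the parser is deliberately minimal and is an illustration, not a full sudoers grammar.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Returns true when a sudoers line carries a RunAs list such as "(ALL,!root)"
 * that explicitly excludes root, which is the only kind of entry the bug affects.
 * Comment lines, blank lines and Defaults lines never match. */
bool runas_excludes_root(const char *line)
{
    while (isspace((unsigned char)*line))
        line++;
    if (*line == '#' || *line == '\0' || strncmp(line, "Defaults", 8) == 0)
        return false;

    const char *open = strchr(line, '(');
    const char *close = open ? strchr(open, ')') : NULL;
    if (!open || !close)
        return false;                    /* no RunAs spec on this line */

    /* Walk the comma-separated user part of the RunAs list. A ':' starts the
     * optional group part, which is not involved in the bypass, so stop there. */
    const char *p = open + 1;
    while (p < close) {
        while (p < close && isspace((unsigned char)*p))
            p++;
        const char *start = p;
        while (p < close && *p != ',' && *p != ':')
            p++;
        const char *end = p;
        while (end > start && isspace((unsigned char)end[-1]))
            end--;                       /* trim trailing whitespace of the token */
        size_t len = (size_t)(end - start);
        if ((len == 5 && strncmp(start, "!root", 5) == 0) ||
            (len == 3 && strncmp(start, "!#0", 3) == 0))
            return true;
        if (p < close && *p == ':')
            break;                       /* group part reached */
        if (p < close)
            p++;                         /* skip the comma */
    }
    return false;
}

/* Constructed sample sudoers content for the demonstration; not from a real system. */
static const char *SAMPLE_SUDOERS[] = {
    "# User privilege specification",
    "Defaults    env_reset",
    "root    ALL=(ALL:ALL) ALL",
    "bob     ALL=(ALL,!root) /bin/bash",
    "alice   ALL=(ALL, !#0) /usr/bin/vim",
    "carol   ALL=(www-data) /usr/bin/php",
    "%admin  ALL=(ALL) ALL",
};

/* Scans the sample, prints every entry reachable by the bypass so it can be
 * reviewed, and returns how many were found. */
int count_affected_entries(void)
{
    int n = 0;
    for (size_t i = 0; i < sizeof SAMPLE_SUDOERS / sizeof *SAMPLE_SUDOERS; i++) {
        if (runas_excludes_root(SAMPLE_SUDOERS[i])) {
            printf("affected: %s\n", SAMPLE_SUDOERS[i]);
            n++;
        }
    }
    return n;
}

int main(void)
{
    printf("%d affected entr%s in the sample\n",
           count_affected_entries(), count_affected_entries() == 1 ? "y" : "ies");
    return 0;
}
```

On the sample, the entries for ‘bob’ and ‘alice’ are reported and the others are not; an administrator who finds such entries on a host running a sudo version older than 1.8.28 should treat them as granting root.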

The exploitation of this entry becomes possible when ‘bob’ invokes sudo with a UID of -1 or 4294967295:

sudo -u#-1 /bin/bash
sudo -u#4294967295 /bin/bash

The issue with sudo was that neither sudo nor the underlying system call checked whether the given UID was within the acceptable range (0-10000).

There are two aspects of this vulnerability:

  • When a UID of -1 is provided:

The binary interprets this as a request for no change in the user id, but since sudo is already executing with root privileges, it gives the user root access upon execution.

  • When a UID of 4294967295 is provided:

This large number overflows the buffer used by the sudo binary, since the defined range has its maximum at 10000; after the overflow, sudo processes the given integer as a request for no change in the user id, and because sudo executes with root permissions, the system call grants root access after execution.
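Both aspects above come down to one number: 4294967295 is 2^32 - 1, which is exactly what -1 becomes when it is stored in the unsigned 32-bit uid_t that Linux uses, and that value is the sentinel the setresuid() family treats as "leave this id unchanged". The C program below is an added example for this page, not sudo's own code. It models a naive `-u#` parse that drops the number into a uid_t unchecked, shows that the RunAs exclusion of uid 0 does not catch the sentinel while the resulting uid stays 0, and then shows the kind of strict parse described in the conclusion. `UID_MAX_ALLOWED` is an assumed policy value taken from the range the article gives, not a sudo constant; `uid_after_switch` and `runas_spec_permits` are hypothetical helpers that stand in for the kernel and for the `(ALL,!root)` check.

```c
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Upper bound on acceptable UIDs. The article states 0-10000; this is an
 * assumed site policy for the example, not a value from sudo or the kernel. */
#define UID_MAX_ALLOWED 10000u

/* Naive "-u#<number>" handling: a signed parse whose result is stored in a
 * uid_t (unsigned 32-bit on Linux) with no range check at all. */
uid_t naive_parse_uid(const char *s)
{
    return (uid_t)strtoll(s, NULL, 10);  /* "-1" and "4294967295" both become 0xFFFFFFFF */
}

/* Stand-in for the kernel convention that (uid_t)-1 passed to setresuid()
 * means "do not change this id". Returns the uid the process has afterwards. */
uid_t uid_after_switch(uid_t current, uid_t requested)
{
    return requested == (uid_t)-1 ? current : requested;
}

/* Stand-in for the "(ALL,!root)" check, compared on the integer only:
 * every uid except 0 is permitted, so 0xFFFFFFFF passes. */
bool runas_spec_permits(uid_t requested)
{
    return requested != 0;
}

/* Strict parser for the number after "#": every character must be a decimal
 * digit (so no sign and no whitespace), the value must not overflow, must not
 * be the (uid_t)-1 sentinel, and must lie within the allowed range. */
bool strict_parse_uid(const char *s, uid_t *out)
{
    if (s == NULL || *s == '\0')
        return false;
    for (const char *p = s; *p; p++)
        if (!isdigit((unsigned char)*p))
            return false;                /* rejects "-1", "+5", " 7", "12abc" */
    errno = 0;
    unsigned long long v = strtoull(s, NULL, 10);
    if (errno == ERANGE)
        return false;                    /* too large for unsigned long long */
    if (v == (unsigned long long)(uid_t)-1)
        return false;                    /* the "no change" sentinel is never a valid target */
    if (v > UID_MAX_ALLOWED)
        return false;                    /* outside the policy range */
    *out = (uid_t)v;
    return true;
}

/* Convenience wrapper: the parsed uid, or (uid_t)-1 when the input is rejected. */
uid_t strict_parse_or_invalid(const char *s)
{
    uid_t u;
    return strict_parse_uid(s, &u) ? u : (uid_t)-1;
}

int main(void)
{
    const char *inputs[] = { "-1", "4294967295", "1000", "0", "10001", "12abc" };
    for (size_t i = 0; i < sizeof inputs / sizeof *inputs; i++) {
        uid_t naive = naive_parse_uid(inputs[i]);
        uid_t strict = 0;
        bool ok = strict_parse_uid(inputs[i], &strict);
        /* sudo itself runs as uid 0 here, so "no change" means staying root */
        printf("%-11s naive=%u permitted=%d uid_after=%u strict=%s\n",
               inputs[i], (unsigned)naive, runas_spec_permits(naive),
               (unsigned)uid_after_switch(0, naive), ok ? "accepted" : "rejected");
    }
    return 0;
}
```

Running it shows "-1" and "4294967295" producing the same naive uid, passing the exclusion check, and leaving the effective uid at 0, while the strict parser rejects both along with anything outside the allowed range.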

Conclusion:

In the versions succeeding sudo 1.8.27, this bug has been fixed: the sudo binary now checks for both signed and unsigned integers, and input validation has been applied.
