Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security Unix

Serious Flaw That Lurked In Sudo For 9 Years Hands Over Root Privileges (arstechnica.com) 96

An anonymous reader quotes a report from Ars Technica: Sudo, a utility found in dozens of Unix-like operating systems, has received a patch for a potentially serious bug that allows unprivileged users to easily obtain unfettered root privileges on vulnerable systems. The vulnerability, tracked as CVE-2019-18634, is the result of a stack-based buffer-overflow bug found in versions 1.7.1 through 1.8.25p1. It can be triggered only when either an administrator or a downstream OS, such as Linux Mint and Elementary OS, has enabled an option known as pwfeedback. With pwfeedback turned on, the vulnerability can be exploited even by users who aren't listed in sudoers, a file that contains rules that users must follow when using the sudo command.

"Exploiting the bug does not require sudo permissions, merely that pwfeedback be enabled," an advisory published by sudo developers said. "The bug can be reproduced by passing a large input to sudo via a pipe when it prompts for a password." The advisory lists two flaws that lead to the vulnerability. The first: pwfeedback isn't ignored as it should be when reading from something other than a terminal. As a result, the saved version of a line erase character remains at its initialized value of 0. The second contributor is that the code that erases the line of asterisks doesn't properly reset the buffer position if there is an error writing data. Instead, the code resets only the remaining buffer length. As a result, input can write past the end of the buffers. Systems with unidirectional pipe allow an attempt to write to the read end of the pipe to result in a write error. Because the remaining buffer length isn't reset correctly when write errors result from line erasures, the stack buffer can be overflowed.
The report notes the vulnerability was introduced in 2009 and remained active until 2018, with the release of 1.8.26b1. "Systems or software using a vulnerable version should move to version 1.8.31 as soon as practical," reports Ars. "Those who can't update right away can prevent exploits by making sure pwfeedback is disabled."
This discussion has been archived. No new comments can be posted.

Serious Flaw That Lurked In Sudo For 9 Years Hands Over Root Privileges

Comments Filter:
  • the needful?

    The systems I use are all set to allow logins with a valid big key.

    Current version on my laptop is 1.8.21p2

    Pretty sure there will be an eventual update...

  • by CaptainDork ( 3678879 ) on Tuesday February 04, 2020 @07:47PM (#59691634)

    ... I guess it's sudo science.

  • by jmccue ( 834797 ) on Tuesday February 04, 2020 @09:48PM (#59691890) Homepage

    Still a bad bug, but something to be said about Slackware's method of keeping the defaults from upstream. Slackware was not vulnerable by default, see: ftp.osuosl.org [osuosl.org]

    pwfeedback is a default setting in some Linux distributions; however, it is not the default for upstream or in Slackware, and would exist only if enabled by an administrator.

    • I checked my Xubuntu 18.04.3 install and it seems not to be default either (or I'm suffering from amnesia and I fixed this last year or something...heh) :)

    • pwfeedback is off by default in any stock sudo/sudoers installation.

      It's good that they fixed this bug, but I've never seen this flag enabled in practice.

      • by green1 ( 322787 ) on Wednesday February 05, 2020 @10:15AM (#59693052)

        This is something that bugs me constantly in many of these alarm-bell articles. They talk about a security flaw as if the world is ending, and the comments fill up with people lamenting how horrible security has become. But they could have pointed out right at the top that this is off by default in everything, and therefore not really an issue except for corner cases where someone has manually turned it on. This is far from the only instance of this, and it only comes out deep in the comment section that there's really no need to worry.

        But I guess that's less sensational, so gets fewer clicks.

        • by tlhIngan ( 30335 )

          This is something that bugs me constantly in many of these alarm-bell articles. They talk about a security flaw as if the world is ending, and the comments fill up with people lamenting how horrible security has become. But they could have pointed out right at the top that this is off by default in everything, and therefore not really an issue except for corner cases where someone has manually turned it on. This is far from the only instance of this, and it only comes out deep in the comment section that th

  • Sudo has root privileges it obviously has to but the utility part of it that is pwfeedback should not have. It shouldn't matter how buggy pwfeedback is. It shouldn't be able to execute or manipulate anything that requires root. Yes, that would make it harder to write pwfeedback but basically things should always run at the lowest privilege possible.
  • by erc ( 38443 ) <erc@@@pobox...com> on Wednesday February 05, 2020 @04:25AM (#59692378) Homepage
    This is what happens when you take a simple utility and pile on a bunch of "security" crap. Sudo was originally intended to do one thing, and do it well. Small, fast, and simple.
  • Okay. And I do that how, exactly?

    • By clicking on the link two words after the section you quoted and then reading the fourth paragraph.

"Facts are stupid things." -- President Ronald Reagan (a blooper from his speeach at the '88 GOP convention)

Working...