Attention Linux Users!
A new vulnerability has been discovered in Sudo—one of the most important, powerful, and commonly used utilities that comes as a core command installed on almost every UNIX and Linux-based operating system.
The vulnerability in question is a sudo security policy bypass issue that could allow a malicious user or a program to execute arbitrary commands as root on a targeted Linux system even when the "sudoers configuration" explicitly disallows the root access.
Sudo, stands for "superuser do," is a system command that allows a user to run applications or commands with the privileges of a different user without switching environments—most often, for running commands as the root user.
By default on most Linux distributions, the ALL keyword in RunAs specification in /etc/sudoers file, as shown in the screenshot, allows all users in the admin or sudo groups to run any command as any valid user on the system.
So, in a specific scenario where you have been allowed to run a specific, or any, command as any other user except the root, the vulnerability could still allow you to bypass this security policy and take complete control over the system as root.
"This can be used by a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access as long as the ALL keyword is listed first in the Runas specification," the Sudo developers say.
➡️ Case 3— Mohit Kumar (@unix_root) October 17, 2019
Instead of making a rule just for tom, dick, harry, or bob, when you block an entire group of low privileged users, restricting them from running commands as any other group (usually admin) that also contains the root.
%basic_users_group = (ALL, !%admin)
How to Exploit this Bug? Just Sudo User ID -1 or 4294967295
The vulnerability, tracked as CVE-2019-14287 and discovered by Joe Vennix of Apple Information Security, is more concerning because the sudo utility has been designed to let users use their own login password to execute commands as a different user without requiring their password.
What's more interesting is that this flaw can be exploited by an attacker to run commands as root just by specifying the user ID "-1" or "4294967295."
That's because the function which converts user id into its username incorrectly treats -1, or its unsigned equivalent 4294967295, as 0, which is always the user ID of root user.
"Additionally, because the user ID specified via the -u option does not exist in the password database, no PAM session modules will be run."The vulnerability affects all Sudo versions prior to the latest released version 1.8.28, which has been released today, a few hours ago and would soon be rolled out as an update by various Linux distributions to their users.
Since the attack works in a specific use case scenario of the sudoers configuration file, it should not affect a large number of users. However, if you use Linux, you are still highly recommended to update sudo package to the latest version as soon as it is available.