A doozy of a bug that could allow any local user on most Linux or Unix systems to gain root access has been uncovered — and it had been sitting there for a decade, researchers said.
The bug was found in Sudo, a utility built into most Unix and Linux operating systems that lets a user without security privileges access and run a program with the credentials of another user. Qualys researchers named the vulnerability “Baron Samedit,” tracked as CVE-2021-3156. They said the bug popped into the Sudo code back in July 2011.
“Qualys security researchers have been able to independently verify the vulnerability and develop multiple variants of exploit, and obtain full root privileges on Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2),” the report said. “Other operating systems and distributions are also likely to be exploitable.”
The authors of Sudo have released a patched update, Sudo version 1.9.5p2.
“Not all Unix-like systems use the same implementation of Sudo, but this vulnerability is in the implementation distributed from https://www.sudo.ws/sudo.html (the Sudo main page) and is a widely used implementation,” David A. Wheeler from the Linux Foundation told Threatpost.
But the news on the Sudo bug isn’t all terrible.
Locals Only: The Good News on the Sudo Bug
“One piece of good news: This is not remotely exploitable [without authentication],” Wheeler added. “An attacker must already be able to run programs on the vulnerable computer before this vulnerability can be used.”
Jerry Gamblin, director of security research at Kenna Security, agreed with Wheeler that while the bug is a dangerous vulnerability, the possibility for rampant attacks is low.
“It is important to level-set that to exploit this vulnerability, a bad actor would need remote (SSH) or direct access to a vulnerable Linux machine,” Gamblin told Threatpost. “While it is a vulnerability that should be patched quickly, it does require a certain level of preexisting access, which makes widespread exploitation unlikely.”
That said, malicious insiders or attackers who have achieved initial-stage access to a Linux environment are still perfectly capable of exploiting the issue. Linux botnets are also an attack vector. The recently discovered FreakOut malware, for instance, targets Linux devices with specific products that have not been patched against various flaws. It adds compromised devices to a botnet that can then be used for multiple purposes, such as pushing additional malware or carrying out denial-of-service attacks. It also has brute-force abilities using hard-coded credentials to infect other network devices.
“I expect this CVE to have a CVSS score that falls in the range of 6 to 8. It is a local attack that requires low complexity and affects integrity and confidentiality,” Gamblin said. “The risk for this vulnerability would be significantly higher if you offer terminal access to low privileged users, such as in an educational environment or an environment in which access is given to employees to run or monitor individual tasks.”
Sudo, a Double-Bug Perfect Storm
Here’s how the vuln works: Specifically, the bug is a heap-based buffer overflow in Sudo, which lets any local user trick it into running in “shell” mode.
Sudo authors explained in a Tuesday advisory that when Sudo is running in shell mode, “it escapes special characters in the command’s arguments with a backslash.” Then, a policy plug-in removes any escape characters before deciding on the Sudo user’s permissions.
But it’s not just a single bug which exposed these systems, it’s actually the combination of two bugs working in tandem in Sudo that makes the exploitation possible, the authors explained.
“A bug in the code that removes the escape characters will read beyond the last character of a string if it ends with an unescaped backslash character,” the Sudo authors explained. “Under normal circumstances, this bug would be harmless since Sudo has escaped all the backslashes in the command’s arguments.”
But another vuln, to which the CVE is assigned, was lurking in Sudo that made exploitation a threat.
“However, due to a different bug, this time in the command-line parsing code, it is possible to run “sudoedit” with either the -s or -i options, setting a flag that indicates shell mode is enabled,” according to the alert. “Because a command is not actually being run, Sudo does not escape special characters. Finally, the code that decides whether to remove the escape characters did not check whether a command is actually being run, just that the shell flag is set. This inconsistency is what makes the bug exploitable.”
Linux/Unix Buffer Overflow
Technically speaking, the vulnerable code overflows the heap-based buffer “user_args” which gives attackers control over the size and contents of the overflow and allows them to change bytes in the overflow, according to Qualys.
“For example, on an amd64 Linux, the following command allocates a 24-byte “user_args” buffer (a 32-byte heap chunk) and overwrites the next chunk’s size field with “A=a\0B=b\0” (0x00623d4200613d41), its fd field with “C=c\0D=d\0” (0x00643d4400633d43), and its bk field with “E=e\0F=f\0″ (0x00663d4600653d45):” the report said.
Qualys researchers published a proof-of-concept (PoC) video:
Wheeler added that anyone running the system should implement the patched update as soon as possible.
“Another piece of good news is that this is easily fixed and updated; fixing this shouldn’t change how it works in the normal case,” Wheeler added. “So you should immediately update to the fixed version.”
Download our exclusive FREE Threatpost Insider eBook Healthcare Security Woes Balloon in a Covid-Era World, sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and DOWNLOAD the eBook now – on us!