A vulnerability to bypass the security policy in Linux-based distributions has recently been discovered. It concerns a system command “Sudo” – the abbreviation of “superuser do” – commonly used on UNIX / Linux distributions that allows a user to perform tasks with the privileges of a different user without switching sessions. This critical flaw was discovered by Joe Vennix of Apple Information Security.

By default on most Linux distributions, the ALL keyword in the RunAs specification in the /etc /sudoers file allows users of the admin or sudo groups to execute any command on the system. However, because privilege separation is one of the fundamental security paradigms on Linux, administrators can configure a sudoers file to define exactly who is allowed to do what (execute a particular command, for example).

The new vulnerability is codenamed CVE-2019-14287. It gives a user or malicious program with sufficient privileges the ability to perform actions or execute arbitrary code as root (or superuser) on a target system, when the “sudoers configuration” does not allow this access. This vulnerability can be exploited by an attacker by specifying ID “-1” or “429496967295” because the function responsible for converting the ID to user name treats these two values ​​precisely as “0” which corresponds to the ID of the “superuser”.

The new vulnerability is codenamed CVE-2019-14287. It gives a user or malicious program with sufficient privileges the ability to perform actions or execute arbitrary code as root (or superuser) on a target system, when the “sudoers configuration” does not allow this access. This vulnerability can be exploited by an attacker by specifying ID “-1” or “429496967295” because the function responsible for converting the ID to user name treats these two values ​​precisely as “0” which corresponds to the ID of the “superuser”.

Suppose you have configured the Pat user as a sudoer on the mybox server to execute a command like any user except root: “pat mybox = (ALL,! Root) / usr / bin / command” . You can trust Pat to monitor other users’ files and activities, but they do not have access to super-users. This should allow Pat to execute a command like anyone other than root. However, if Pat runs “sudo -u # -1 id -u” or “-u # 429496967295 id -u”, he can bypass the restriction and run the command of his choice as root for pat. In addition, since the ID specified via the -u option does not exist in the password database, no PAM session module will be executed.

This vulnerability only affects sudo configurations that have a list of Runas users including root exclusion. The “root” can also be identified by other means: by its name ID with “user ALL = (ALL,! # 0) /usr /bin / command”, or by reference to a Runas alias.

Thus, in a specific scenario where you have been allowed to execute a particular command or command, like any other user except root, the vulnerability may still allow you to bypass this security policy and take the Full control of the system as root.

The vulnerability affects all versions of Sudo prior to the latest version 1.8.28 that was recently released and will soon be deployed as an update by the various Linux distributions. Since the attack works in a specific use case of the sudoers configuration file, it should not affect a large number of users. However, if you use Linux, it is always strongly recommended that you update the sudo package to the latest version as soon as it is available.

Source : CVE-2019-14287