Apple researcher discovered an important vulnerability (CVE-2019-18634) in ‘ sudo’ utility that allows non-privileged Li nux and m acOS users to run commands as Root.

Security expert Joe Vennix from Apple has discovered an important vulnerability in ‘ sudo ‘ utility, tracked as CVE-2019-18634, that allows non-privileged Linux and macOS users to run commands as Root.

The issue could be exploited only under a specific configuration

Sudo is one of the most important, powerful, and commonly used utilities that comes as a core command pre-installed on macOS and almost every UNIX or Linux-based operating system.

sudo is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user, by default the superuser. It originally stood for “superuser do” as the older versions of sudo were designed to run commands only as the superuser.

A stack-based buffer overflow issue that resides in Sudo versions before 1.8.26 it the root cause of the privilege escalation vulnerability.

The vulnerability could be exploited only when the “ pwfeedback ” option is enabled in the sudoers configuration file. The Sudo’s pwfeedback option allows providing visual feedback when the user is inputting their password.

“In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in L inux Mint and elementary OS; however, it is NOT the default for upstream and many other p ackages, and would exist only if enabled by an administrator.)” reads the description p ublished by the NIST. “The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c.”

The expert p ointed out that this vulnerability can be triggered even by users not listed in the sudoers file.

“Exploiting the bug does not require sudo permissions, merely that pwfeedback be enabled.” wrote Sudo developer Todd C. Miller.

“The bug can be reproduced by passing a large input to sudo via a pipe when it prompts for a password. For example:

$ perl -e 'print(("A" x 100 . "\x{00}") x 50)' | sudo -S id Password: Segmentation fault

There are two flaws that contribute to this vulnerability:

The pwfeedback option is not ignored, as it should be, when reading from something other than a terminal device. Due to the lack of a terminal, the saved version of the line erase character remains at its initialized value of 0.

The code that erases the line of asterisks does not properly reset the buffer position if there is a write error, but it does reset the remaining buffer length. As a result, the getln() function can write past the end of the buffer.”

Users can determine if they are affected by the flaw by running “sudo -l” command on their L inux or macOS terminal, it this way it is p ossible to check if the “pwfeedback” option is enabled and listed in the “Matching Defaults entries” output.

In case the option is enabled, it is possible to disable it by changing “Defaults pwfeedback ” to “Defaults ! pwfeedback ” in the sudoers configuration file.

Sudo Maintainers addressed the flaw with the release of sudo version 1.8.31.

“While the logic bug is also present in sudo versions 1.8.26 through 1.8.30 it is not exploitable due to a change in EOF handling introduced in sudo 1.8.26,” Miller explained.

In October 2019, Vennix discovered a security policy bypass issue in the Sudo utility that could be exploited by an ill-intentioned user or a malicious program to execute arbitrary commands as root on a targeted Linux system, even if the “ sudoers configuration” disallows the root access.

Pierluigi Paganini