As one of the most commonly used and important utilities in Linux, Sudo is installed on almost every UNIX and Linux distribution to let users run core commands. However, a recently disclosed privilege escalation vulnerability points directly at a weakness in sudo's security policy: even if the configuration explicitly disallows root access, the vulnerability can still allow malicious users or programs to execute arbitrary commands as the root user on the target Linux system.

The name Sudo refers to "super user". As a system command, it allows users to run programs or commands with special permissions without switching to another environment (usually running commands as the root user). By default on most Linux distributions, the ALL keyword in the RunAs specification in the /etc/sudoers file allows all users in the admin or sudo group to run any command as any valid user on the system.

However, because privilege separation is one of the most fundamental security paradigms in Linux, administrators can configure the sudoers file to define which users can run which commands. Even where such a baseline restricts a user from running specific commands, or any commands, as root, this vulnerability could allow the user to bypass the security policy and take full control of the system.

"As long as the Runas specification explicitly disallows root access and lists the ALL keyword first, a user with sufficient sudo privileges can use it to run commands as root," the Sudo developers said.

The vulnerability, tracked as CVE-2019-14287, was discovered by Joe Vennix of Apple's Information Security department. To exploit this bug, all that is needed is the Sudo user ID -1 or 4294967295. This is because the function that converts a user ID to a username mistakes -1 (or its invalid equivalent 4294967295) for 0, which happens to be the root user ID.

Additionally, because the user ID specified with the -u option does not exist in the password database, no PAM session modules are run. In summary, this vulnerability affects all Sudo versions before the latest version, 1.8.28. Fortunately, major Linux distributions pushed new versions to users a few hours ago.
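
An added example, not code from the original article or from the Sudo project: a small auditor that flags sudoers rules whose Runas list puts ALL first and then excludes root (written as `!root` or `!#0`), and compares an upstream version string against 1.8.28. The sample rules and function names are constructed for illustration, and the script assumes each rule sits on one line without Runas_Alias indirection.

```python
import re

# First upstream release with the fix, per the article. Distribution packages
# may backport the fix without changing this number, so confirm with the vendor.
FIXED = (1, 8, 28)

# Constructed sample sudoers content (not taken from any real system).
SAMPLE_SUDOERS = """\
# constructed example entries
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
bob     myhost = (ALL, !root) /usr/bin/vi
carol   ALL=(ALL, !#0 : ALL) NOPASSWD: /usr/bin/less
dave    ALL=(www-data) /usr/bin/systemctl restart nginx
"""

RUNAS_RE = re.compile(r"=\s*\(([^)]*)\)")  # text inside "= ( ... )"

def risky_runas(runas):
    """True when the Runas user list starts with ALL and later negates root."""
    users = [u.strip() for u in runas.split(":")[0].split(",")]
    return users[0] == "ALL" and any(
        u.replace(" ", "") in ("!root", "!#0") for u in users[1:])

def audit_sudoers(text):
    """Return (line_number, rule) for every rule using the risky pattern."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # comment or #include directive
        if any(risky_runas(m) for m in RUNAS_RE.findall(line)):
            findings.append((number, line.strip()))
    return findings

def is_vulnerable_version(version):
    """Check an upstream version string such as '1.8.27' or '1.8.21p2'."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"unrecognised sudo version: {version!r}")
    return tuple(int(part) for part in match.groups()) < FIXED

if __name__ == "__main__":
    for number, rule in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {number}: {rule}")
```

Rules it reports are the ones to review first on hosts that have not yet received the fixed package.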