Linux SUDO Flaw Lets Local Users Gain Root Privileges

SUDO is a Unix application that enables the system administrators to yield limited root rights to regular users who admitted in the sudoers file, while at the same time gripping a log of their all actions.

Recently, a now-fixed Sudo vulnerability has been released that allows any local user to gain access to the root privileges on Unix-like operating systems without needing any kind of authentication.

It acts on the principle of most limited privilege, where the program provides enough permission to the people so that they can get their jobs done without negotiating the overall protection of the system.

CVE ID: CVE-2021-3156

Sudo before 1.9.5p2 has a Heap-based Buffer Overflow, enabling all kinds of privilege escalation to root via “sudoedit with -s or -i flags” and provide a command-line argument that concludes with a single backslash character.

Root Privileges For Any Local User

This vulnerability was revealed by the security researchers from Qualys, who revealed it on January 13th and made sure that all the patches are possible before going public with their conclusions.

However, Sudo before 1.9.5p2 has the heap-based buffer overflow, and it can be exploited by any local user, and here the attackers not being compelled to know the user’s password to exploit the flaw successfully.

That’s why Qualys has produced three CVE-2021-3156 exploits to showcase how potential threat actors can successfully exploit this vulnerability. And using all these exploits the security researchers were able to get full root privileges on various Linux distributions.

All these distributions include Debian 10 (Sudo 1.8.27), Ubuntu 20.04 (Sudo 1.8.31), and Fedora 33 (Sudo 1.9.2). Moreover, there are other operating systems and distributions that are recommended by Sudo that are apparently also exploitable using CVE-2021-3156 exploits.

Before the disclosure, Baron Samedit fixed

The vulnerability was initially introduced in the Sudo program nearly 9 years ago, in July 2011, with commit 8255ed69, and it hits the default configurations of all steady versions from 1.9.0 to 1.9.5p1 and all the legacy versions from 1.8.2 to 1.8.31p2.

However, the experts have affirmed that if any user wants to test if their system is vulnerable, they can do so as a non-root user and run the “sudoedit -s /” command. Vulnerable systems will deliver an error beginning with “sudoedit:” on the other side, the patched ones will demonstrate an error starting with “usage:”

Not only this, but in 2019, another Sudo vulnerability was traced as CVE-2019-14287, and it enabled unauthorized users to run commands as root. Luckily, that flaw could only be utilized in non-standard configurations, which implies that most systems with unsafe Sudo versions were left untouched.

Leave a Reply