Sudo Is Not SUDO

Sudo: presumably every developer who has worked with Linux or Unix operating systems knows this application that can "do whatever they want". System administrators use Sudo to let ordinary users run some or all commands as root.

On January 26, Qualys, a cloud security and compliance company, disclosed a serious vulnerability in Sudo (CVE-2021-3156, which Qualys named Baron Samedit): any local user, without password verification, can gain root privileges!

A vulnerability hidden for ten years

Qualys researchers pointed out that the vulnerability is a heap-based buffer overflow. The Sudo author also briefly described its origin in an advisory on January 26:

Normally, when a command is run in shell mode with sudo -s or sudo -i, Sudo escapes special characters in the command's arguments with a backslash.

However, sudoedit can also be run with -s or -i, which sets the flag that enables shell mode. Since no command is actually run in that case, Sudo does not escape the special characters. Ultimately, the code that decides whether to remove the escape characters did not check whether a command was actually being run, only whether the shell flag was set. This can lead to a heap-based buffer overflow that can be exploited.
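To make the advisory's description concrete, here is a small C model of the flawed "join the arguments and unescape them" step, added here and not taken from the article or from sudo's source; the contiguous argument layout, the sample arguments and the join_args/demo_* names are assumptions made for the illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Simplified model of the flawed join-and-unescape step behind CVE-2021-3156,
 * written for this article; it is not sudo's own code. The argument strings
 * sit back to back in one block, as argv strings do in process memory.
 * Constructed sample: argv[0] = "\" (a lone backslash), argv[1] = "AAAA". */
static const char ARG_BLOCK[] = "\\\0AAAA";
static const char *const ARGV[2] = { ARG_BLOCK, ARG_BLOCK + 2 };

/* The heap buffer was sized as the sum of strlen(arg) + 1 over all arguments. */
static size_t needed(const char *const *argv, int argc) {
    size_t n = 0;
    for (int i = 0; i < argc; i++) n += strlen(argv[i]) + 1;
    return n;
}

/* Copies argv into dst (capacity cap), unescaping backslashes whenever the
 * shell flag is set. fixed == 0 reproduces the bug; fixed == 1 applies the
 * remedy described above: unescape only when a command is actually run, and
 * never step over the terminating NUL. Returns how many bytes the loop tried
 * to write; a result larger than cap is the heap overflow. Writes are clamped
 * so that this model never corrupts memory itself. */
static size_t join_args(const char *const *argv, int argc, int shell_flag,
                        int run_flag, int fixed, char *dst, size_t cap) {
    int unescape = fixed ? (shell_flag && run_flag) : shell_flag;
    size_t written = 0;
    for (int i = 0; i < argc; i++) {
        for (const char *src = argv[i]; *src != '\0'; src++) {
            /* Flaw: a lone trailing backslash makes src skip the NUL, so the
             * copy runs on into the next string in the block. */
            if (unescape && *src == '\\' && !isspace((unsigned char)src[1])
                && !(fixed && src[1] == '\0'))
                src++;
            if (written < cap) dst[written] = *src;
            written++;
        }
        if (written < cap) dst[written] = ' ';
        written++;
    }
    return written;
}

/* sudoedit -s: the shell flag is set but no command is run (run_flag == 0). */
size_t demo_needed(void) { return needed(ARGV, 2); }
size_t demo_vulnerable(void) { char b[16]; return join_args(ARGV, 2, 1, 0, 0, b, needed(ARGV, 2)); }
size_t demo_fixed(void) { char b[16]; return join_args(ARGV, 2, 1, 0, 1, b, needed(ARGV, 2)); }
/* sudo -s with the fix: unescaping stays on, but the NUL guard stops the skip. */
size_t demo_fixed_run(void) { char b[16]; return join_args(ARGV, 2, 1, 1, 1, b, needed(ARGV, 2)); }
```

With the sample arguments the buffer is sized for 7 bytes, the vulnerable loop tries to write 11, and both fixed variants write exactly 7.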

The Qualys research team discovered the vulnerability about two weeks ago, and astonishingly it had gone unnoticed for nearly ten years: it was introduced by commit 8255ed69 in July 2011. Therefore, every Sudo version released in the past ten years is affected in its default configuration, including all legacy versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1.

Given that Sudo is installed on most Linux and Unix systems, Qualys researchers tested the vulnerability on several Linux distributions and obtained full root privileges on Debian 10 (sudo 1.8.27), Ubuntu 20.04 (sudo 1.8.31) and Fedora 33 (sudo 1.9.2).

Qualys therefore believes that attackers are likely able to exploit the vulnerability on other operating systems and distributions supported by Sudo as well. After confirming the vulnerability, Qualys promptly worked with the Sudo author and the open source distributions, and announced its existence on January 26.

Of course, so that the disclosure would not give attackers an opening, Sudo had already released a fix before Qualys published the vulnerability, and the remedy is to update Sudo to version 1.9.5p2 or later.


Three vulnerabilities discovered in two years

This is not the first time a vulnerability has been found in Sudo: CVE-2021-3156 is the third security vulnerability disclosed in Sudo in the past two years.

CVE-2019-14287, published in October 2019 and known as the -1 UID bug, and CVE-2019-18634, published in February 2020 and known as the pwfeedback bug, both allowed restricted users to run commands as root. Fortunately, these two vulnerabilities are difficult to exploit because they require complex, non-standard Sudo configurations.

The vulnerability disclosed this time was hidden for a long time and is easy to exploit; compared with the previous two, it is the most dangerous.

Some developers abroad were surprised that the vulnerability lay dormant for ten years, so they tried fuzzing Sudo to find it, and found that 2 hours of CPU time was enough to surface a serious security hole in this setuid utility (Sudo is a setuid binary). They therefore suggested that fuzzing can quickly uncover serious vulnerabilities hidden in widely used utilities.

Unlikely to be widely exploited

Fortunately, being easy to exploit does not mean the vulnerability can be widely exploited. David A. Wheeler of the Linux Foundation said: "This vulnerability cannot be exploited remotely. Attackers can only exploit this vulnerability on a vulnerable computer."

Jerry Gamblin, head of security research at Kenna Security, agreed: "The exploitation of this vulnerability requires a certain level of access rights in advance, so it is unlikely to be widely used." That is, although the vulnerability is dangerous, the likelihood of widespread attacks is very small.

That said, for malicious insiders or attackers who already have initial access to an environment, this vulnerability remains a serious hidden danger, and the botnet attack vector cannot be ignored: the recent FreakOut malware attacks on Linux devices are a warning.

A week earlier, researchers from the security company Check Point Software reported that a new malware, FreakOut, exploited a recently disclosed vulnerability in network attached storage (NAS) devices running Linux to add the device to an IRC botnet that launches distributed denial-of-service (DDoS) attacks and mines Monero cryptocurrency.

Qualys therefore also stated that if a botnet operator brute-forces a low-privilege service account, the vulnerability may be abused in the second stage of the attack, letting the intruder easily obtain root privileges and take full control of the compromised server.

Nothing but version updates

So what should you do now?

First, use the following command to check whether your version of Sudo is vulnerable:

sudoedit -s '\' `perl -e 'print "A" x 65536'`

If you get a usage error or a similar error message, congratulations: your Sudo version is not affected. If the result is a segmentation fault, unfortunately your Sudo is vulnerable.

Then the only option is to upgrade to Sudo 1.9.5p2 or later. After all, the Sudo author himself said that apart from the updated version, the other workaround is "None".

Sudo 1.9.5p2 is available for download from the Sudo project; please update as soon as possible!