[3]Ars Technica

Serious flaw that lurked in sudo for 9 years hands over root privileges

Flaw affecting selected sudo versions is easy for unprivileged users to
exploit.

  by [24]Dan Goodin - Feb 4, 2020 9:07 pm UTC

  Sudo, a utility found in dozens of Unix-like operating systems, has
  received a patch for a potentially serious bug that allows unprivileged
  users to easily obtain unfettered root privileges on vulnerable
  systems.

  The vulnerability, tracked as CVE-2019-18634, is the result of a
  stack-based [29]buffer-overflow bug found in [30]versions 1.7.1 through
  1.8.25p1. It can be triggered only when either an administrator or a
  downstream OS, such as Linux Mint and Elementary OS, has enabled an
  option known as pwfeedback. With pwfeedback turned on, the
  vulnerability can be exploited even by users who aren't listed in
  sudoers, a file that contains rules that users must follow when using
  the sudo command.

  Sudo is a powerful utility that’s included in most if not all Unix- and
  Linux-based OSes. It lets administrators allow specific individuals or
  groups to run commands or applications with higher-than-usual system
  privileges. Both Apple’s [31]macOS and [32]Debian distributions of
  Linux received updates last week. People using other OSes should check
  their configurations and version numbers to ensure they’re not
  vulnerable.

No sudo permissions required

  “Exploiting the bug does not require sudo permissions, merely that
  pwfeedback be enabled,” an [33]advisory published by sudo developers
  said. “The bug can be reproduced by passing a large input to sudo via a
  pipe when it prompts for a password. An example of exploit code is:”
   $ perl -e 'print(("A" x 100 . "\x{00}") x 50)' | sudo -S id
   Password: Segmentation fault

  The advisory lists two flaws that lead to the vulnerability. The first:
  pwfeedback isn’t ignored as it should be when reading from something
  other than a terminal. As a result, the saved version of a line erase
  character remains at its initialized value of 0. The second contributor
  is that the code that erases the line of asterisks doesn’t properly
  reset the buffer position if there is an error writing data. Instead,
  the code resets only the remaining buffer length.

  As a result, input can write past the end of the buffers. On systems
  with unidirectional pipes, an attempt to write to the read end of the
  pipe results in a write error. Because the remaining buffer length
  isn’t reset correctly when a line erasure triggers such a write error,
  the stack buffer can be overflowed.

  “If pwfeedback is enabled in sudoers, the stack overflow may allow
  unprivileged users to escalate to the root account,” the advisory
  stated. “Because the attacker has complete control of the data used to
  overflow the buffer, there is a high likelihood of exploitability.”

  The sudo [34]version history shows that the vulnerability was
  introduced in 2009 and remained active until 2018, with the release of
  1.8.26b1. Systems or software using a vulnerable version should move to
  version 1.8.31 as soon as practical. Those who can’t update right away
  can prevent exploits by making sure pwfeedback is disabled. To check
  its status, run:
   sudo -l

  If pwfeedback is listed in the “Matching Defaults entries” section of
  the output, the sudoers configuration is vulnerable on affected sudo
  versions. The following is an example of output that indicates a
  vulnerable sudo configuration:
   $ sudo -l
   Matching Defaults entries for millert on linux-build:
       insults, pwfeedback, mail_badpass, mailerpath=/usr/sbin/sendmail

   User millert may run the following commands on linux-build:
       (ALL : ALL) ALL

  Disabling pwfeedback involves using the [35]visudo command to edit the
  sudoers file and adding an exclamation point so that
   Defaults pwfeedback

  becomes:
   Defaults !pwfeedback
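  The version check, the “sudo -l” check and the sudoers change described
  above, as an added POSIX shell example that is not from the article or
  from the sudo project. It works on text you already have (saved “sudo
  -l” output, a copy of sudoers), so it can be run offline against the
  constructed sample below; the live check_host function, the
  SAMPLE_SUDO_L text and the function names are this example’s own
  assumptions, and the affected range it encodes is the one the article
  gives (1.7.1 through 1.8.25p1).

```shell
#!/bin/sh
# Added example (not from the Ars article or the sudo project): offline
# helpers for the two checks the advisory describes, plus the sudoers edit.

# Return 0 (true) if the given sudo version string is in the affected
# range 1.7.1 .. 1.8.25p1 named in the article. A "p" (patch) or "b"
# (beta) suffix such as 1.8.25p1 or 1.8.26b1 belongs to the same base
# version, so it is stripped before comparing.
sudo_version_affected() {
    base=$(printf '%s' "$1" | sed -E 's/[pb][0-9]+$//')
    major=$(printf '%s' "$base" | cut -d. -f1)
    minor=$(printf '%s' "$base" | cut -d. -f2)
    patch=$(printf '%s' "$base" | cut -d. -f3)
    patch=${patch:-0}
    n=$((major * 1000000 + minor * 1000 + patch))
    [ "$n" -ge 1007001 ] && [ "$n" -le 1008025 ]
}

# Return 0 if the "Matching Defaults entries" block of `sudo -l` output
# (read from stdin) lists pwfeedback as a bare option. A "!pwfeedback"
# token is the disabled form and does not count.
pwfeedback_enabled() {
    awk '
        /^Matching Defaults entries/ { inblock = 1; next }
        inblock && /^[[:space:]]*$/  { inblock = 0 }
        inblock {
            n = split($0, f, /[[:space:],]+/)
            for (i = 1; i <= n; i++) if (f[i] == "pwfeedback") found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Print sudoers text from stdin with every bare pwfeedback option on a
# Defaults line negated, so "Defaults pwfeedback" becomes
# "Defaults !pwfeedback" and "insults, pwfeedback" becomes
# "insults, !pwfeedback". Already-negated options are left alone.
# On a real system make the edit with visudo, which syntax-checks the
# file before saving; this function only shows the text transformation.
disable_pwfeedback() {
    sed -E '/^[[:space:]]*Defaults/ s/([^!])pwfeedback/\1!pwfeedback/g'
}

# Constructed sample of `sudo -l` output, modelled on the advisory's
# example (not captured from a real host).
SAMPLE_SUDO_L='Matching Defaults entries for millert on linux-build:
    insults, pwfeedback, mail_badpass, mailerpath=/usr/sbin/sendmail

User millert may run the following commands on linux-build:
    (ALL : ALL) ALL'

# Live check of the current host (assumed helper). `sudo -l` may prompt
# for the caller's password, exactly as when run by hand.
check_host() {
    ver=$(sudo -V 2>/dev/null | sed -n 's/^Sudo version //p')
    [ -n "$ver" ] || { echo "sudo not found on PATH"; return 2; }
    if sudo_version_affected "$ver" && sudo -l 2>/dev/null | pwfeedback_enabled; then
        echo "VULNERABLE: sudo $ver with pwfeedback enabled"
        return 1
    fi
    echo "not vulnerable: sudo $ver"
    return 0
}

# Offline demonstration on the constructed sample; pass --live to check
# the host this script runs on instead.
if [ "${1:-}" = "--live" ]; then
    check_host
else
    if printf '%s\n' "$SAMPLE_SUDO_L" | pwfeedback_enabled; then
        echo "sample: pwfeedback enabled"
    fi
    printf 'Defaults insults, pwfeedback, mail_badpass\n' | disable_pwfeedback
fi
```

  Running the script with no arguments exercises the parsers on the
  embedded sample; `sh check.sh --live` runs the version and “sudo -l”
  checks on the current host. The sudoers rewrite is deliberately a
  filter rather than an in-place edit so that its result can be reviewed
  and then applied through visudo.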

  The vulnerability was reported by Joe Vennix from Apple’s information
  security group.


Promoted Comments

  [37]balazer, Ars Centurion ([38]jump to post):
      "While pwfeedback is not enabled by default in the upstream version
      of sudo, some systems, such as Linux Mint and Elementary OS, do
      enable it in their default sudoers files. "
      [39]https://www.sudo.ws/alerts/pwfeedback.html
      "pwfeedback is not enabled in Ubuntu"
      [40]https://people.canonical.com/~ubuntu-se ... 18634.html


  [47]Dan Goodin / Dan is the Security Editor at Ars Technica, which he
  joined in 2012 after working for The Register, the Associated Press,
  Bloomberg News, and other publications.

References

  1. http://feeds.arstechnica.com/arstechnica/index/
  2. https://www.googletagmanager.com/ns.html?id=GTM-NLXNPCQ
  3. https://arstechnica.com/
  4. https://arstechnica.com/gadgets/2020/02/the-poco-x2-smartphone-packs-a-120hz-display-six-cameras-for-225/
  5. https://arstechnica.com/tech-policy/2020/02/amazon-ring-now-lets-users-opt-never-to-receive-police-video-requests/
  6. https://arstechnica.com/information-technology/
  7. https://arstechnica.com/gadgets/
  8. https://arstechnica.com/science/
  9. https://arstechnica.com/tech-policy/
 10. https://arstechnica.com/cars/
 11. https://arstechnica.com/gaming/
 12. https://arstechnica.com/civis/
 13. https://arstechnica.com/newsletters/
 14. https://arstechnica.com/store/product/subscriptions/
 15. https://arstechnica.com/store/
 16. http://arstechnica.com/information-technology/2020/02/serious-flaw-that-lurked-in-sudo-for-9-years-finally-gets-a-patch/?view=grid
 17. http://arstechnica.com/information-technology/2020/02/serious-flaw-that-lurked-in-sudo-for-9-years-finally-gets-a-patch/?mobile_theme=light
 18. http://arstechnica.com/information-technology/2020/02/serious-flaw-that-lurked-in-sudo-for-9-years-finally-gets-a-patch/?mobile_theme=dark
 19. https://arstechnica.com/civis/ucp.php?mode=login&return_to=/information-technology/2020/02/serious-flaw-that-lurked-in-sudo-for-9-years-finally-gets-a-patch/
 20. https://arstechnica.com/civis/ucp.php?mode=register
 21. https://arstechnica.com/civis/ucp.php?mode=sendpassword
 22. https://arstechnica.com/civis/ucp.php?mode=resend_act
 23. https://arstechnica.com/information-technology/
 24. https://arstechnica.com/author/dan-goodin/
 25. https://arstechnica.com/civis/ucp.php?mode=login&return_to=/information-technology/2020/02/serious-flaw-that-lurked-in-sudo-for-9-years-finally-gets-a-patch/
 26. https://arstechnica.com/information-technology/2020/02/serious-flaw-that-lurked-in-sudo-for-9-years-finally-gets-a-patch/?comments=1
 27. https://cdn.arstechnica.net/wp-content/uploads/2020/02/sudo.jpg
 28. https://xkcd.com/149/
 29. https://arstechnica.com/information-technology/2015/08/how-security-flaws-work-the-buffer-overflow/
 30. https://www.sudo.ws/news.html
 31. https://support.apple.com/en-us/HT210919
 32. https://lists.debian.org/debian-lts-announce/2020/02/msg00002.html
 33. https://www.sudo.ws/alerts/pwfeedback.html
 34. https://www.sudo.ws/news.html
 35. https://www.sudo.ws/man/1.8.17/visudo.man.html
 36. https://arstechnica.com/information-technology/2020/02/serious-flaw-that-lurked-in-sudo-for-9-years-finally-gets-a-patch/
 37. https://arstechnica.com/civis/memberlist.php?mode=viewprofile&u=516759
 38. https://arstechnica.com/information-technology/2020/02/serious-flaw-that-lurked-in-sudo-for-9-years-finally-gets-a-patch/?comments=1&post=38619736#comment-38619736
 39. https://www.sudo.ws/alerts/pwfeedback.html
 40. https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18634.html
 41. https://arstechnica.com/information-technology/2020/02/serious-flaw-that-lurked-in-sudo-for-9-years-finally-gets-a-patch/?comments=1
 42. https://arstechnica.com/civis/ucp.php?mode=login
 43. https://www.facebook.com/sharer.php?u=https://arstechnica.com/information-technology/2020/02/serious-flaw-that-lurked-in-sudo-for-9-years-finally-gets-a-patch/
 44. https://twitter.com/share?text=Serious flaw that lurked in sudo for 9 years hands over root privileges&url=https://arstechnica.com/information-technology/2020/02/serious-flaw-that-lurked-in-sudo-for-9-years-finally-gets-a-patch/
 45. https://www.reddit.com/submit?url=https://arstechnica.com/information-technology/2020/02/serious-flaw-that-lurked-in-sudo-for-9-years-finally-gets-a-patch/&title=Serious flaw that lurked in sudo for 9 years hands over root privileges
 46. https://arstechnica.com/author/dan-goodin
 47. https://arstechnica.com/author/dan-goodin
 48. https://arstechnica.com/gadgets/2020/02/the-poco-x2-smartphone-packs-a-120hz-display-six-cameras-for-225/
 49. https://arstechnica.com/tech-policy/2020/02/amazon-ring-now-lets-users-opt-never-to-receive-police-video-requests/
 50. http://www.condenast.com/
 51. https://www.condenast.com/user-agreement/
 52. https://www.condenast.com/privacy-policy/
 53. https://arstechnica.com/amendment-to-conde-nast-user-agreement-privacy-policy/
 54. https://arstechnica.com/affiliate-link-policy/
 55. https://www.condenast.com/privacy-policy/#california
 56. https://www.condenast.com/online-behavioral-advertising-oba-and-how-to-opt-out-of-oba/#clickheretoreadmoreaboutonlinebehavioraladvertising(oba)
 57. https://js-sec.indexww.com/um/ixmatch.html