Heap-based buffer overflow in Linux Sudo allows local users to gain root privileges

Pierluigi Paganini January 27, 2021

CVE-2021-3156 Sudo vulnerability has allowed any local user to gain root privileges on Unix-like operating systems without authentication.

Sudo is one of the most important, powerful, and commonly used utilities that comes as a core command pre-installed on macOS and almost every UNIX or Linux-based operating system.

sudo is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user, by default the superuser. It originally stood for “superuser do” as the older versions of sudo were designed to run commands only as the superuser.

The Sudo CVE-2021-3156 vulnerability, dubbed Baron Samedit, could have been exploited by any local user to gain root privileges on Unix-like operating systems without requiring authentication (i.e., the attacker does not need to know the user’s password).

The privilege escalation issue is a heap-based buffer overflow that was discovered by security researchers from Qualys.

The experts reported the vulnerability on January 13th, but it was publicly disclosed only this week to give the development team the time to address the issue.

“Sudo before 1.9.5p2 has a Heap-based Buffer Overflow, allowing privilege escalation to root via “sudoedit -s” and a command-line argument that ends with a single backslash character:” reads the description published by Mitre.

The vulnerability is caused by Sudo incorrectly handling backslashes in the arguments.

The vulnerability was introduced in July 2011 (commit 8255ed69), and affects all versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1, in their default configuration.

“When sudo runs a command in shell mode, either via the -s or -i command line option, it escapes special characters in the command’s arguments with a backslash. The sudoers policy plugin will then remove the escape characters from the arguments before evaluating the sudoers policy (which doesn’t expect the escape characters) if the command is being run in shell mode.” states the advisory published by the Sudo team.

“A bug in the code that removes the escape characters will read beyond the last character of a string if it ends with an unescaped backslash character. Under normal circumstances, this bug would be harmless since sudo has escaped all the backslashes in the command’s arguments. However, due to a different bug, this time in the command line parsing code, it is possible to run sudoedit with either the -s or -i options, setting a flag that indicates shell mode is enabled. Because a command is not actually being run, sudo does not escape special characters. Finally, the code that decides whether to remove the escape characters did not check whether a command is actually being run, just that the shell flag is set. This inconsistency is what makes the bug exploitable.”

Qualys researchers developed three exploits for this flaw that allowed them to achieve full root privileges on major Linux distributions, including Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2). Experts pointed out that the CVE-2021-3156 exploits could also work on other distributions.

Below a video PoC for the CVE-2021-3156 vulnerability can be exploited is embedded below.

The Sudo contributors addressed the flaw with the release of the 1.9.5p2 version.

In February, 2020, the security expert Joe Vennix from Apple discovered an important vulnerability in ‘sudo‘ utility, tracked as CVE-2019-18634, that allows non-privileged Linux and macOS users to run commands as Root.

In October 2019. experts discovered another security policy bypass issue, tracked as CVE-2019-14287, that was disclosed in the Sudo utility installed as a command on almost every Linux and Unix system.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Intel)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment