This week we learned the Unix/Linux Sudo command can give you root access. Uh, no kidding.
Isn’t that the point? The clue is in the name: “super-user do.”
Well, yes and no. Way back in 1996, an option was added to allow unprivileged users to switch to other non-root users, but not to root.
Oh, unless you asked to switch to user ID 4294967295. In today’s SB Blogwatch, we track down the bug.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Bob Noyce.
Sanitize Your Inputs
What’s the craic? Lawrence Abrams reports—“Bug Lets You Run Commands as Root”:
A vulnerability in the Linux sudo command has been discovered that could allow … users to execute commands as root. … On a Linux operating system, unprivileged users can use the sudo … command to execute commands as root as long as they have been given permission or know the root user’s password.
[But] a bug has been discovered by … that allows users to launch a permitted sudo command as root by using either the -1 or 4294967295 UID in the sudo command. … It can only work if a user was given access to a command via the sudoers configuration file.
For example … if we utilize the sudo -u#-1 vim command to exploit this vulnerability, VIM will be launched as root. … Any commands that are executed from it are also run as root.
For those who do utilize sudoers directives for your users, you should upgrade … as soon as possible.
That doesn’t sound good. Chris Williams gives up and goes Homer—“More like Su-doh”:
Linux users who are able to run commands as other users, via the sudoer mechanism … can still run commands as root, thanks to a fascinating coding screw-up. … This security vulnerability, assigned CVE-2019-14287, is more interesting than scary: … Linux computers are not vulnerable by default.
However … you will probably want to pay attention. … Say, -u#1234 can be used on the command line with Sudo to run the command … as user ID 1234. This user ID value is passed to the setresuid and setreuid system calls.
-u#-1 passes -1 to those calls to change the effective ID to -1. However, these system calls treat -1 as a special case: it means do not change the user ID. And seeing as Sudo runs as root initially, -1 means continue running as root.
Oops. Todd C. Miller is the go-to guy for all things Sudo—“Potential bypass of Runas user restrictions”:
When sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295. … In addition, PAM session modules will not be run for the command.
The bug is fixed in sudo 1.8.28.
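The mechanism described in the two excerpts above, as an added C example (not sudo's source and not written by any of the quoted authors): it models the ID parsing and the "-1 means no change" rule without making any real system call. The function names and the strict flag are hypothetical, and uid_t is assumed to be 32-bit unsigned, as on Linux.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* setresuid()/setreuid() read an ID of -1 as "leave this ID unchanged". */
#define NO_CHANGE ((uid_t)-1)

/* Parse the number after "-u#". With strict == 0 (the behaviour described
 * above) any value that fits in 32 bits, signed or unsigned, is accepted.
 * With strict != 0, negatives and the NO_CHANGE sentinel are refused. */
static int parse_uid(const char *s, int strict, uid_t *out)
{
    char *end;
    errno = 0;
    long long v = strtoll(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0')
        return -1;
    if (v < INT32_MIN || v > UINT32_MAX)
        return -1;
    if (strict && (v < 0 || v == UINT32_MAX))
        return -1;
    *out = (uid_t)v;    /* -1 and 4294967295 both become 0xFFFFFFFF */
    return 0;
}

/* Model of the syscall rule: NO_CHANGE keeps the caller's effective UID. */
static uid_t euid_after_setresuid(uid_t current, uid_t target)
{
    return target == NO_CHANGE ? current : target;
}

/* Policy "any user other than root", with sudo itself starting as root (0).
 * Returns the effective UID the command would get, or -1 if refused. */
long long run_as(const char *arg, int strict)
{
    uid_t uid;
    if (parse_uid(arg, strict, &uid) != 0 || uid == 0)
        return -1;
    return (long long)euid_after_setresuid(0, uid);
}

int main(void)
{
    const char *args[] = { "1234", "0", "-1", "4294967295" };  /* constructed */
    for (int i = 0; i < 4; i++)
        printf("%-10s loose=%lld strict=%lld\n", args[i],
               run_as(args[i], 0), run_as(args[i], 1));
    return 0;
}
```

The loose column shows why a "not root" check on the parsed number is not enough: the check sees 4294967295, but the resulting effective UID is 0.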
So who introduced the bug? Ray Morris worms his way into the repo: [You’re fired—Ed.]
the revision history is there. It’s been like that ever since sudo started letting you specify a user other than “root” to sudo to. I can tell you who introduced that code – Todd Miller has been writing almost all of the sudo code since 1993 or so. He committed the code that [Keith Garry Boyce] wrote to allow sudo to be used to switch to a user other than root.
It would be the worst idea for a backdoor ever. … The question is whether there actually are any systems anywhere on the planet configured … to let a user run a command as “any user other than root”.
In 20 years of working on Linux I’ve never … heard anyone mention it. … Those would be susceptible to this “backdoor” – if any such systems actually exist. It may well be that there are no vulnerable systems on the planet.
But Warm Braw thinks the problem goes deeper:
I had the misfortune to have to scratch the surface of sudo configuration recently, and there’s a lot of stuff most people are probably unaware of, it certainly surprised me. Sudo is really a terrible hack to get around the fact that by default Unix doesn’t have a permissions system for things other than devices and files, so the granularity of privileged access is basically YES/NO.
It’s not how security should be done. Given the growing number of permissions and controls for containers perhaps there’s hope for the future.
OK so not a huge deal, apparently. But Sean Kerner—@TechJournalist—worries we’re being complacent:
MAJOR sudo vulnerability. Hard to understate how crazy CVE-2019-14287 is from a policy perspective.
And J.G.Harston can’t be too careful:
If I want to do some admin tasks I log on as an admin user, into the admin user’s environment, with ADMIN ADMIN ADMIN ADMIN ADMIN ADMIN plastered across the backdrop. Allowing non-admin users to temporarily do admin-permission tasks encourages laziness, sloppiness and mistakes.
Such a simple bug. So @sneakerhax sums it up:
After all these years it’s still the simple **** that gets us.
Meanwhile, DontFeedTheTrolls is a self-confessed “boring geek”:
-1 you say? … If I sit at 90 degrees am I elevated to the square root?
So much of the world we know was made possible by Bob Noyce, co-inventor of the integrated circuit.
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or firstname.lastname@example.org. Ask your doctor before reading. Your mileage may vary. E&OE.