Flaw In Sudo Enables Non-Privileged Users To Run Commands As Root (thehackernews.com) 139
exomondo shares a report from The Hacker News: A vulnerability has been discovered in Sudo -- one of the most important, powerful, and commonly used utilities that comes as a core command installed on almost every UNIX and Linux-based operating system. The vulnerability in question is a sudo security policy bypass issue that could allow a malicious user or a program to execute arbitrary commands as root on a targeted Linux system even when the "sudoers configuration" explicitly disallows the root access. Sudo, stands for "superuser do," is a system command that allows a user to run applications or commands with the privileges of a different user without switching environments -- most often, for running commands as the root user.
The vulnerability, tracked as CVE-2019-14287 and discovered by Joe Vennix of Apple Information Security, is more concerning because the sudo utility has been designed to let users use their own login password to execute commands as a different user without requiring their password. What's more interesting is that this flaw can be exploited by an attacker to run commands as root just by specifying the user ID "-1" or "4294967295." That's because the function which converts user id into its username incorrectly treats -1, or its unsigned equivalent 4294967295, as 0, which is always the user ID of root user. The vulnerability affects all Sudo versions prior to the latest released version 1.8.28, which has been released today.
The vulnerability, tracked as CVE-2019-14287 and discovered by Joe Vennix of Apple Information Security, is more concerning because the sudo utility has been designed to let users use their own login password to execute commands as a different user without requiring their password. What's more interesting is that this flaw can be exploited by an attacker to run commands as root just by specifying the user ID "-1" or "4294967295." That's because the function which converts user id into its username incorrectly treats -1, or its unsigned equivalent 4294967295, as 0, which is always the user ID of root user. The vulnerability affects all Sudo versions prior to the latest released version 1.8.28, which has been released today.
damn, who told on us (Score:5, Funny)
... a few more days and all your bases belong to us ...
Re:damn, who told on us (Score:5, Funny)
Greaaaat, now i'll never get my sandwich.
Re: (Score:2)
SUDO get me sandwhich
Whats the password
"I love you"
Get free sandwich.
Not many systems vulnerable (Score:5, Informative)
This requires that the user be set up in /etc/sudoers to be allowed to run commands as another non-root user.
That's a fairly unusual configuration.
Re: (Score:2)
In corporate environments it's not as unusual as you'd think.
Re: (Score:3)
In corporate environments it's not as unusual as you'd think.
I think you're wrong.
It's pretty common in corporate environments to give some users (actually, groups) the ability to run certain commands as a certain other user, but that's not a scenario that would allow this bug to be exploited. For this to work, you have to have some users with the ability to run commands as any user but root. I can't think of any situation in which it would make sense to allow someone to impersonate any other user or non-root system daemon, but not be root. You would be giving t
Re: (Score:2)
You might want to give a DBA the ability to restart the database so they get access as mysql or postgres user which would allow them to do that without being able to generally be root on the machine.
However this has got to be a pretty rare scenario.
Re: (Score:2)
You might want to give a DBA the ability to restart the database so they get access as mysql or postgres user which would allow them to do that without being able to generally be root on the machine.
However this has got to be a pretty rare scenario.
Then you'd give them sudo access to "dbadmin", "postgress" or a similar user, not everyone but root
Re: (Score:2)
Well... no.
You're right in a well set up environment, but you can rest assured that lazy configuration trumps security. Instead of creating 10 different groups for 10 different sudo scenarios, such a "you can impersonate everyone but root" rule would probably satisfy most compliance requirements and mean little work for the administrators when setting up rules.
It should be rare, I give you that. But I highly doubt that it is.
Re: (Score:2)
such a "you can impersonate everyone but root" rule would probably satisfy most compliance requirements
Only if the compliance auditor is an idiot... okay, I concede your point.
Re: (Score:2)
Outside heavily regulated environments, and even many of those seem to work the loopholes.
Re: Not many systems vulnerable (Score:2)
This requires that the user be set up in /etc/sudoers to be allowed to run commands as another non-root user.
That's a fairly unusual configuration.
Unusual? ... what?
Is it unusual to run services or own files as something other than root?
So would it be unusual to let non-admins run commands as that service account, to administer the service without being given root to insecure things like less and vi and ... well basically everything is unsafe for untrusted users to run as root.
It would be unusual for multiple people to be logged into a Linux laptop, but that has shit to do with the severity of this on managed unix servers that have actual users.
Re: (Score:2)
It's very common to have a "service account" than can run specific privileged operations. This especially includes backup operations and filesystem commands.
Re: (Score:3)
Good thing thing this flaw doesn't affect them then.
This needs a sudo user who can run as *any* user other than root, (so not privileged, or wasn't, until this flaw was found.)
The only example I can think of is someone who runs tech support on systems with multiple users, who has to execute commands as the user they are trying to assist...something like virtual machine hosts for cloud vm's? (linode, hostgator, etc.)
Re: (Score:2)
The only example I can think of is someone who runs tech support on systems with multiple users, who has to execute commands as the user they are trying to assist...something like virtual machine hosts for cloud vm's? (linode, hostgator, etc.)
Adding on to your comment, I think that SELinux can throw a wrench into your example. Switching users doesn't necessarily switch contexts so even if you're now "that user," you're still not "that user." It doesn't quite make sense, but I've seen it happen that way.
With user id 4294967295? (Score:3)
Is it common (or even possible) to have service accounts with userid 4294967295? Because that's what's required. If you let someone run as 4294967295, they can also run as root. Because 4294967295 is 2^32 - 1.
Re: With user id 4294967295? (Score:3)
Nice.
It would have been great if the summary or linked article wasn't written specifically to scare the shit out of people, and we didn't then have to scroll through a page of comments defending a non-existent but objectively bad situation where sudo to _another_ user was affected.
(ALL, !root) or I guess (4294967295) maybe?
If that's what it really takes, that should be rare, I hope anyway.
Yeah (Score:2)
Agreed, the summary should have mentioned "a very rare configuration".
Re: (Score:2)
It is fairly unusual. Also, quite a few people will still just su to root and never do any sudo config at all.
Re: (Score:2)
"su to root" requires a local root password. AWS hosts built from almost any published host image enables sudo for the "ec2-user" addount, or perhaps "centos" account, and has a locked root password.
Re: (Score:2)
I never understood this stupidity. Giving root functionality to normal users via sudo is worse than using proper root access.
Anyways, AWS host images are not the standard for Unix system configurations, even if apparently some people know nothing else.
Re: (Score:2)
Re: (Score:2)
And as soon as you screw up, they can become root.
"Proper" root access is logging in as user root.
Re: (Score:2)
Re: (Score:2)
It does work. I have seen it done this way on high-criticality systems. Of course, on these systems everything gets logged, you have to state a reason for the root-log in before being allowed to and on same machines you need an open support ticket assigned to you and the activity logs actually get reviewed.
My point is that "sudo" is not really a good idea. If you need users to do root things without root login, use the suid bit. Otherwise have a trusted administrator do things as root.
Re: (Score:2)
Indeed. And that is the whole problem with the "sudo" idea. It is basically a privilege elevation attack made a system feature.
Re: (Score:2)
Re: (Score:2)
Simple: You do a log-in as root when you need it. The logging is basically worthless unless somebody actually looks at the logs.
Re: (Score:2)
In any enterprise environment, separation of admin and day-to-day accounts is essential. Each admin has to have their own account, sharing the root password is just not a good idea.
Re: (Score:2)
The headline is bogus... it should be allows "Privileged users to run commands as root".
If you have been blessed with the power to run commands as ANY user you want, then you are still specially privileged, even though you are not fully privileged.
Its a rare/unusual configuration to say (all, !root) --- the people using this configuration on their systems should probably KNOW there are going to exist some ways that access can be abused to ultimately circumvent the intended !root rule - If not withi
Re: (Score:2)
or to be in the sudo group, which most users are by default.
On which distros? Not Debian (unless something changed very recently).
Re: (Score:2)
I think for Ubuntu, the initial user is in sudoers by default---but that initial user isn't the user you are worried about (if some crazy admin is using Ubuntu for a multi-user server in the first place).
Re: (Score:2)
Re: (Score:3)
The headline uses confusing language by describing the users as "Non-Privileged" who have
been given permission to run commands as ANY user Except root. Even most restricted sudo configurations are safe. For example, even with
Cmnd_Alias TACACS_RELOAD = /etc/init.d/tac_plus restart, /etc/init.d/radiusd restart /sbin/reboot
Defaults!TACACS_RELOAD !requiretty
%foobar ALL = (authsys) TACACS_RELOAD
%foobar ALL = (ALL)
This sudo vulnerability would not give foobar any additional permissions. Only if t
Re: (Score:2)
Some, not many, do include the initially installed user in the sudo group, but for them the flaw doesn't exactly apply either because they have the right to impersonate root.
On most distros, you actually have to add the user to the sudo group.
Re: (Score:2)
Well... most people aren't in /etc/sudoers at all - and therefore can't exploit this bug. And in the simplest configuration (what you're referring to, I imagine), people who are in /etc/sudoers will have root access already - rendering this bug pointless for them.
However (assuming I've interpreted this correctly) if you've given someone only limited sudo permissions, this bug can be exploited by those users to basically get full root access.
I'm not sure how common that sort of limited sudo access is used, t
Re: (Score:2)
It's actually a bug in C's XtoY functions, e.g. atol(), which return zero on error. So you can get to UID = root by entering zero, or by entering something that atol() chokes on. I've used that one in the past to get root on some systems I was running pen-tests for.
Another useful trick burned, sigh. Still, there's bound to be a ton of XtoY-using code that'll never get fixed, so this will keep working for a long time.
Re: (Score:3)
They used the strtoX function set. Which you stlll need to be careful with but which can be used safely, unlike atoi where you pretty much have to have known-sane input or you are toast.
Re: Not many systems vulnerable (Score:2)
We use it to give Travis limited access to restart services during deployments. I'd say we should find a workaround, but this sounds like something that will probably be fixed very quickly.
Re: (Score:2)
I have seen limited sudo access used before.... often on LARGE systems. Honestly; the first time I saw it used like this was on voyager.abac.com in the 1990s -- this was a unix machine ultimately administered by one person but various folks had shell access for internet usage, posting websites, etc A similar Public Access Unix system was "Nether.net".
There would be a number of users, but a system ultimately managed by 1 person. They may have used sudo to grant some deputy officers or more trusted u
Re: Not many systems vulnerable (Score:2)
Re: (Score:2)
It is only useful if a user is set to run as another non-root user.
Even more unusual they must be set to run as any non root user (ALL, !root). Just allowing someone to run as "dbadmin" or specific users won't enable this bug.
Re: (Score:2)
I think it would be difficult to exploit if they can only run specific commands, but maybe someone will correct me.
Re: (Score:2)
Only sudoers entries where the ALL keyword is present in the Runas specifier are affected. For example, the following sudoers entry is unaffected:
/usr/bin/id
alice myhost =
Re: Not many systems vulnerable (Score:4, Insightful)
It does no such thing. I apologize. I didn't know you were such an idiot.
I have no idea where you got this ridiculous idea. The application can't run things as a different user, root or otherwise, unless it knows the users password*, which it doesn't. At no time can an application do anything a user can't do from the command line, and an application running as the user cannot exploit this in any way that can't be done from the command line. Try to get a basic understanding of sudo, Linux, DAC, and other basic security concepts before continuing to make yourself look foolish.
* This assumes sudo is configured to require the user to enter a password. There is also the NOPASSWD option.
Try it. Or read carefully (Score:3)
If you think it bypasses thr password check, try it. Test it out. Run:
sudo -1 whoami
Or read TFS carefully. What the bug does is allow someone to choose root as the uid - even of noroot is set. That doesn't have anything to do with the password check, and doesn't bypass the password check.
Re: (Score:3)
sudo -1 whoami
Invalid option --1
sudo -u -1 whoami
unknown user -1 So, this is a non issue.
Re: (Score:2)
Re: (Score:2)
Just checked on my CentOS 7 and 8 boxes, and
sudo: unknown user: -1
So maybe it's more complicated than that?
Sam
Re: (Score:2)
try
sudo -u '#-1' whoami
Debian 9 updated sudo this morning (Score:2)
I don't know for the others ;-)
Because JavaScript shouldn't be allowed to fdisk (Score:5, Informative)
> Then why bother with a user account and sudo at all? Why not just run as root?
Because your web browser or calculator shouldn't be allowed to reformat your hard drive. Running your login session as root means all of the programs you use run as root. Which gives them all access to do anything the wants to the operating system (modulo Selinux).
What you want to do is is run your email client and word processor as a normal user, which doesn't have the ability to mess with the *system*. Then once in a while when you want to run one program/command that DOES messs with the operating system, you use sudo.
-
Note this describes the classic Linux security model, called Discretionary Access Control, in which access was based on the user. In 2000-2003 Linux gained mandatory access control (MAC), which instead says only a certain "program* run by a certain user has access to a certain thing. Under MAC (such as selinux), your browser couldn't reformat a hard drive, only the fdisk program can do that. So really this is only allows them to run with full access i if you're using sudo in a strange way (it's normally used to grant root access), and you've turned off selinux, thereby bumping your security back by over 15 years. Yeah, people do that.
Windows will probably upgrade to MAC in a few years. In 2005 Windows added support for user access in-between "regular user" and "Administrator", which they call MIL.
Re: (Score:2)
In 2000-2003 Linux gained mandatory access control (MAC) [...] Under MAC [...]
It sounded like you had a rather informative bit of nerdy information to share with the rest of us nerds, but then it became obvious that you don't even know the difference between a Linux machine and an Apple computer. It's kinda hard to take anything you say seriously after such an egregious faux pas.
Windows will probably upgrade to MAC in a few years.
This is the only thing you've said that makes any sense. A lot of us have been beating the drum saying that Macs are an upgrade from Windows for as long as I can remember!
</tongue very much so in cheek>
Lol (Score:2)
Since I discussed Linux, then Windows, before bringing up MAC, I was wondering if perhaps some readers would be confused. Linux, Windows, Mac makes sense. :)
So I'm glad you explicitly marked your comment as tongue-in-cheek - without seeing the facial expression or hearing time of voice it can be hard to be certain.
Anyway, I also just learned that Mac sometimes uses a version of MAC. It's used for pre-installed applications that are at high risk because they connect to the internet, including Safari, Mail,
Re: (Score:2)
I'm glad you explicitly marked your comment as tongue-in-cheek - without seeing the facial expression or hearing time of voice it can be hard to be certain.
Yeah, Poe's Law [wikipedia.org] being what it is, I'm never confident in my ability to convey humor via an intentionally absurd comment without it coming across as a troll post or someone who is utterly clueless.
And yes, between Gatekeeper [apple.com], sandboxing of Mac App Store apps, and SIP [apple.com], macOS seems to support much of what's being discussed, though it's not quite a 1:1 match.
Re:Not many systems vulnerable (Score:4, Informative)
RTFA, it has to be set up to allow a user to run a specific command as "any other user except root", and the bug allows a user to become root by specifying a user ID of "-u#-1". While not an uncommon thing to configure sudo for, it is most definitely not a "stock configuration".
myhost bob = (ALL, !root) /usr/bin/vi
Lol no (Score:2)
If you can point to any distro, not made by you, that by default puts all users in sudoers and with noroot, I'll eat my sock.
Re: (Score:2)
Does it count if I make one for him?
sudo does not stand for superuser do (Score:2, Informative)
Re:sudo does not stand for superuser do (Score:5, Informative)
The "su" in sudo stands for switch user or substitute user and not superuser.
From the original V5 unix code:
/* su -- become super-user */
su.c [tuhs.org]
You can also look at the sudo.c code from Todd Miller back in 1993:
sudo version 1.1 allows users to execute commands as root
sudo.c [www.sudo.ws]
Indeed options were added later to be able to choose different users so redefining the "su" to mean switch user or substitute user may make more sense now but certainly it was originally "super-user".
Re: (Score:2, Informative)
And in version 7 Unix (1979, long before 1993) the source code clearly shows that su could switch to any valid user. Therefore I don't think it's fair to that the options were "added later" (the options for su to accept any user were there long before sudo became a standard command)
https://minnie.tuhs.org/cgi-bi... [tuhs.org]
Re:sudo does not stand for superuser do (Score:5, Informative)
And in version 7 Unix (1979, long before 1993) the source code clearly shows that su could switch to any valid user.
Yes, like I said that was added later, version 7 came after version 5. See su.c [tuhs.org]. The original code for su was to elevate to super-user only (see code in version 5), later in version 7 the ability to switch to any user was added.
So su was super-user with others added later. Next we can look at the history of sudo the same thing happened, in 1993 the code [www.sudo.ws] was purely for super-user then later the ability to switch to different users was added.
Re: (Score:3)
Yes, like I said that was added later, version 7 came after version 5.
[Citation Needed]
Re: (Score:2, Informative)
In addition to the source code, the man page for V7 Unix su (https://minnie.tuhs.org/cgi-bin/utree.pl?file=V7/usr/man/man1/su.1) says "substitute user".
and the man page for V4 which predates V7 says "super-user" (https://minnie.tuhs.org/cgi-bin/utree.pl?file=V4/man/man8/su.8). It was always super user and others were added later.
Since V7 Unix predates sudo it is more correct to say that the su in sudo stands for "substitute user"
V4 predates V7 and the original code for sudo (not su) was superuser also. su was superuser with others added later. sudo was superuser with others added later.
Yet another C-based security bug (Score:3, Funny)
Almost certainly the result of an integer overflow. Any decent language (like Visual Basic!) would trap that and simply fail fast. But not C.,
And no, it does not slow things down with a proper programming language because the traps happen in hardware. No overhead.
Re: (Score:2)
Re: (Score:2)
Re: Yet another C-based security bug (Score:2, Insightful)
Maybe Rust? (Score:2)
I would not use VB for a kernal for practical reasons. But as a language it could be used for much of the kernal.
Maybe Rust? There are definitely better choices than C.
Re: (Score:2)
Hey, be nice to kern-all (Score:2)
If we gently educate him, maybe he'll eventually learn the word is kernel, then learn what a kernel is.
Re: Hey, be nice to kern-all (Score:2)
Re: (Score:2)
Tomorrow or whenever we're disagreeing about politics and you think I'm an asshole, and I think you're an asshole, we'll both be right. :). But sometimes it's fun to be an asshole.
Re: Maybe Rust? (Score:2)
Re: (Score:2)
Re: (Score:2)
And no, it does not slow things down with a proper programming language because the traps happen in hardware. No overhead.
Um... No. Sorry, but the trap doesn't happen in hardware. The hardware sets a flag, but does not act on it unless you specifically add code to check it and do something if it is set.
Re: (Score:2)
Sadly, that has become true.
Earlier systems like MIPS and VAX had overflow traps. But the popularity of C has crippled hardware architectures, and this is one example of that.
Still, most of the time performance is not critical. So the extra instruction does not matter. And when performace is critical use the non-trapping operator, maybe +.
That said, I think Risk V does not even have an overflow bit. So it looks like C is winning.
Good for us software engineers, I suppose. Keeps the work up.
Re: Yet another C-based security bug (Score:2)
Depends on the instruction I suppose, and I shouldnâ(TM)t have assumed we were talking about intel/amd architecture, but doing a trap even in hardware automatically would severely complicate doing multi word arithmetic where overflow/carry is not an exceptional circumstance and likely performance. And these things apply not only to C, but also assembly and machine language.
Re: (Score:2)
I think you found a way to slow Linux down to the point where Windows would look like a viable alternative.
Re: (Score:2)
Sorry, the bullshit lies with you,.
In Visual Basic, if you try to convert from one size integer to another and it does not fit you get a nice little exception. Not a security breach. That is how any decent programming language should work.
Sure, you very occasionally want to truncate. But that should be the exception rather than the rule.
I recently had a fine time chasing down a bug in C++ that also involved the other C idiocy. Counting from 0. So when something is not found, returns max size_t. Put th
Re: (Score:2)
Sorry, the bullshit lies with you,.
In Visual Basic, if you try to convert from one size integer to another and it does not fit you get a nice little exception.
Which means your software does not work. This conversion is not an accident, you _need_ to do this conversion here. You really have no clue what you are talking about. Maybe have a look at the patch?
Sudon't you want me baby (Score:4, Funny)
I was working as a waitress in a cocktail bar
That much is true
Apologies in advance if the tune is stuck in your head all day. Happy 50th Unix =)
Re: (Score:2)
It's much too late to find
You think you've changed your mind
You'd better change it back or we will both be sorry
I hate you. I was just about to forget that damn song!
We finally know what Genesis meant (Score:3)
Sususudio is a hacker. Just say the word is the password. It all makes sense now.
is there enough revision history? (Score:2)
Affects 0.0000001% of systems, so not a backdoor (Score:3)
Yes, the revision history is there. It's been like that ever since sudo started letting you specify a user other than "root" to sudo to. I can tell you who introduced that code - Todd Miller has been writing almost all of the sudo code since 1993 or so. He committed the code that garp@opustel.com wrote to allow sudo to be used to switch to a user other than root.
https://www.sudo.ws/repos/sudo... [www.sudo.ws]
It would be the worst idea for a backdoor ever. Sudo is normally used to let someone run a command as root. F
an old vulnerability (Score:2)
Re: (Score:2)
I'm too sleepy to analyze code but reading the patch there's a lot of integer type size wrangling, so perhaps on some old enough systems one of their internal types was 32 bit and is now 64. So possibly. On extremely old systems.
Re: (Score:2)
About as "glaring" as starlight reflected off of a bed of moss. As in, you can't even see it.
Re: (Score:2)
Re: (Score:2)
Well, glaring... the vulnerability is very specific, it requires a very special kind of configuration ("may run anything as anyone except root") AND finding the associated exploit.
Re: (Score:2)
Unknown user -1 (Score:2)
Re: (Score:2)
sudo -u#-1 su
Will work if your system has not been updated, won't work if it has.
But in every system I've ever administered, it does exactly the same thing as sudo su, so it is not relevant to most people.
Root being UID zero was a mistake. (Score:3)
Linux using ID 0 as root always bothered me, since there are so many ways to get to zero. It's as simple as just not initializing the UID variable from empty memory. Or passing an invalid string to atoi(). Or 'UID-=UID;' or any number of underhanded/accidental ways.
root UID should have been randomly (from an admin configured range) per-system on install, with an easy to use/detect 'getRootUID' function so it would be near impossible to 'accidentally' give root access like this, and could be easily tracked in source code.
Reminds me of a joke... (Score:3)
First real customer walks in and asks where the bathroom is. The bar bursts into flames, killing everyone."
No worries... this has already been fixed... (Score:2)
...in the latest version of systemd.
The bug is that it does what it's designed to do (Score:2)
> "Well, It's not that big of a deal, I mean, who uses sudo amirite?"
Do you know what sudo is used *for*? Do you know what the letters stand for? let's have a look at the first sentence of the readme for sudo:
https://www.sudo.ws/readme.htm... [www.sudo.ws]
Here, I'll quote it for you so that you don't have to click:
"Sudo is a program designed to allow a sysadmin to give limited root privileges to users and log root activity."
In other words, the purpose of sudo is so that a user can run a command as root, if the admin
Re: (Score:2)
Re: (Score:2)
This is why the "everyone can code" movement is ridiculous. Software is damn hard to write and even highly competent experts make criti