steven36 Posted February 1, 2020

Malicious users could potentially use a buffer overflow in specific older sudo versions to gain root access if sudo is configured to provide visual feedback when passwords are entered. This is not the default on most GNU/Linux distributions and it is not the default upstream. Some distributions, such as Elementary and Linux Mint, do enable the optional pwfeedback feature to provide users with visual feedback when a password is entered. You may want to check if you are using an affected sudo version and make sure pwfeedback is disabled if you are.

Sudo versions 1.7.1 to 1.8.25p1 are vulnerable to a buffer overflow if the non-default pwfeedback option is enabled in /etc/sudoers. pwfeedback makes sudo provide visual feedback when a password is entered. There is no feedback at all unless this option is enabled. No visual feedback is better from a security perspective but it is not very user friendly. The majority of GNU/Linux distributions do not ship with pwfeedback enabled and it is not the default in the upstream sudo package.

The vulnerability is assigned CVE-2019-18634. Sudo versions 1.8.26 through 1.8.30 are not affected due to a totally unrelated change in EOF handling introduced in sudo 1.8.26. Current sudo versions are not affected.

There are two different problems with the pwfeedback implementation in the affected sudo versions which lead to disaster: pwfeedback is not ignored when sudo is reading from sources other than a terminal and a line erase character with an initial value of 0 gets saved in the non-terminal case. The code which removes the line of asterisks providing password feedback does not reset the buffer position properly if there is any kind of write error - but it does reset the remaining buffer length. The result is that getln() can write past the end of the intended buffer.

Do note that sudo privileges are not required. Any user on a system where pwfeedback is enabled can potentially exploit this.

There are no known examples of proof of concept code using this stack overflow vulnerability as of yet. That does not mean there won't be:

"If pwfeedback is enabled in sudoers, the stack overflow may allow unprivileged users to escalate to the root account. Because the attacker has complete control of the data used to overflow the buffer, there is a high likelihood of exploitability."
sudo.ws alert: Buffer overflow when pwfeedback is set in sudoers

Don't Panic

You can run sudo -V ; sudo -l to see what sudo version you have and what options and rights are enabled. If that shows sudo versions 1.7.1 to 1.8.25p1 and it shows that pwfeedback is enabled then you're affected by this. The chances of those two things being true are slim.

Most distributions will have a newer version of sudo. The last affected version, 1.8.25p1, was released in August 2018. Some systems, like those running CentOS 7.7, do have an affected sudo version. However, pwfeedback is not the default in the upstream sudo package and it is not a default on CentOS or the vast majority of GNU/Linux distributions. Using a vulnerable sudo version is fine if the pwfeedback feature is disabled.

Elementary and Linux Mint do enable the pwfeedback option so you will want to either upgrade sudo to a safe version or set Defaults !pwfeedback in /etc/sudoers if you are using one of those distributions.
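The check described in the post above (sudo -V for the version, sudo -l for the active Defaults), as an added example that is not part of the original post or the sudo project. The function names are hypothetical, the sudo -l text is a constructed sample, and it assumes sudo -l prints a disabled option as !pwfeedback.

```shell
#!/bin/sh
# Added example: classify a host for CVE-2019-18634 exposure from the two
# values the post says to inspect. All function names here are hypothetical.

# "1.8.25p1" -> 1008025001 (major, minor, patch, patch-level as one integer).
version_key() {
    printf '%s\n' "$1" | awk -F'[.p]' '{ printf "%d%03d%03d%03d\n", $1, $2, $3, $4 }'
}

# True when the version lies in the affected range given on the page:
# 1.7.1 through 1.8.25p1 inclusive.
sudo_version_affected() {
    k=$(version_key "$1")
    [ "$k" -ge "$(version_key 1.7.1)" ] && [ "$k" -le "$(version_key 1.8.25p1)" ]
}

# True when the Defaults listing turns pwfeedback on. A later "!pwfeedback"
# overrides an earlier "pwfeedback", so the last matching token decides.
pwfeedback_enabled() {
    state=$(printf '%s\n' "$1" | tr ', \t' '\n\n\n' |
        awk '$0 == "pwfeedback" { s = "on" }
             $0 == "!pwfeedback" { s = "off" }
             END { print s }')
    [ "$state" = "on" ]
}

# $1 = sudo version string, $2 = text printed by `sudo -l`.
assess() {
    if ! sudo_version_affected "$1"; then
        echo "not-affected-version"
    elif pwfeedback_enabled "$2"; then
        echo "vulnerable"
    else
        echo "affected-version-pwfeedback-off"
    fi
}

# Constructed sample of `sudo -l` output (not captured from a real host).
sample_on='Matching Defaults entries for alice on host1:
    env_reset, mail_badpass, pwfeedback'
sample_off='Matching Defaults entries for alice on host1:
    env_reset, !pwfeedback, mail_badpass'

assess 1.8.21p2 "$sample_on"
assess 1.8.21p2 "$sample_off"
assess 1.8.31 "$sample_on"

# On a real host:
#   assess "$(sudo -V | awk 'NR==1 { print $3 }')" "$(sudo -l)"
```

sudo -l lists only the Defaults that apply to the user running it, so run the check as each account type you care about.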
steven36 Posted February 1, 2020

If you see asterisks when typing your password in the terminal then pwfeedback has been enabled, and if you are running old sudo versions you're affected and need to disable pwfeedback and wait on an update if you want to enable it back. It is not enabled at all in Ubuntu.