10-year-old Sudo Bug Allows Linux Users to Become Superuser

Simple tricks gives Super Admin privileges to low privilege users

The support team for the Sudo utility, which allows Linux administrators to delegate limited superuser rights to other users, has released a hotfix for a serious vulnerability .

The buffer overflow vulnerability, dubbed CVE-2021-3156 and dubbed Baron Samedit, was discovered by the audit firm Qualys two weeks ago and was fixed on Wednesday, January 27, with the release of Sudo 1.9.5p2. With its help, an attacker with access to an account with low privileges can gain superuser rights even if the account is not in the / etc / sudoers list, a configuration file that controls users who are allowed access to the su and sudo commands.

As the developers of Sudo explained, when the utility runs a command in shell mode using the -s or -i command line option, the special characters in the command arguments are escaped with a backslash. Before evaluating the sudoers policy not expecting any escaped characters, the policy plugin removes those characters from arguments if the command is run in shell mode.

As a result, the command will be read after the last character of the line if it ends with an unescaped backslash. Under normal circumstances, this error would be harmless, as Sudo avoids all backslashes in command arguments. However, due to another error, this time in the command line parsing code, you can run sudoedit with the -s or -i options, setting a flag indicating that shell mode is enabled. Since the command is not actually executed, Sudo does not escape any special characters. Finally, the code that decides whether to remove escaped characters does not check if the command is actually being executed, but only sees the shell flag set. This mismatch leads to a security vulnerability.

The vulnerability has existed in Sudo since July 2011 and affects all versions of the utility over the past ten years. According to Qualys experts, they were able to reproduce the vulnerability and develop several variants of exploits for Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27) and Fedora 33 (Sudo 1.9.2), however, other operating systems and distributions.