You are currently viewing Heap-Based Buffer Overflow in Sudo Allows Attackers to Gain Root Privileges

Heap-Based Buffer Overflow in Sudo Allows Attackers to Gain Root Privileges

  • Post author:
  • Reading time:4 mins read

The Vulnerability (CVE-2021-3156) exists in Sudo, a powerful utility to run programs with the security privileges of another user. The heap-based buffer overflow could allow an unprivileged local user to gain root privileges without any authentication on the affected systems. A vulnerability management software can be used here.

Vulnerability in sudo has been there for more than 10 years in Sudo. It is very likely that it affects  millions of users. However, an automated patch management tool can help remediate it.


Vulnerability in sudo Details

Baron Samedit discovered the issue, which can exploit by any user with minimum privileges on the affected system to gain root access. Even if the account is not listed in the /etc/sudoers, the config file controls and specifies the users who have access to su or sudo commands.

If sudo is run either with ‘- s’ or ‘- i’, which sets Sudo’s MODE_SHELL and MODE_LOGIN_SHELL flags. Then, at the start of Sudo’s main(), parse_args() rewrites argv by concatenating all command-line arguments and escaping all meta-characters with backslashes.

Latterly, set_cmnd() concatenates the command-line arguments into a heap buffer “user_args” and then unescapes the meta-characters for sudoers matching and logging.

--------------------------------------------------------------  
819     if (sudo_mode & (MODE_RUN | MODE_EDIT | MODE_CHECK)) { 
... 
852             for (size = 0, av = NewArgv + 1; *av; av++) 
853                 size += strlen(*av) + 1; 
854             if (size == 0 || (user_args = malloc(size)) == NULL) { 
... 
857             } 
858             if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL)) { 
... 
864                 for (to = user_args, av = NewArgv + 1; (from = *av); av++) { 
865                     while (*from) { 
866                         if (from[0] == '\\' && !isspace((unsigned char)from[1])) 
867                             from++; 
868                         *to++ = *from++; 
869                     } 
870                     *to++ = ' '; 
871                 } 
... 
884             } 
... 
886     } 
---------------------------------------------------------------------

The above code demonstrates that if a command-line argument ends with a single backslash character, then the function set_cmnd() becomes vulnerable to a heap-based buffer overflow. This is because the out-of-bounds characters copied to the “user_args” buffer are not in its size.

To reach the vulnerable code shown above, a loophole exists where we execute “sudoedit” instead of “sudo”. By executing it in this way parse_args() automatically sets MODE_EDIT but does not reset “valid_flags”, and “valid_flags” include MODE_SHELL by default.

It is possible to set both MODE_EDIT and MODE_SHELL by executing “sudoedit -s” which takes us to the vulnerable code. This will trigger overflow in the heap-based buffer “user_args” through a command-line argument that ends with a single backslash character.

For example:

sudoedit -s '\' `perl -e 'print "A" x 65536'`

If the result is a Segmentation fault, then vulnerability in sudo. We were able to reproduce the above scenario in our environment on Ubuntu 16.04 with Sudo version 1.8.16.


Impact of vulnerability in sudo

A low-level local user who successfully exploited this vulnerability can gain root privileges, which can lead to a complete compromise of the affected system.


Affected Versions

Affects Sudo versions 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1.


Solution

The vendor patches the bug in the Sudo version 1.9.5p2. Multiple Linux vendors, including Fedora, Centos, Ubuntu, RedHat, Oracle Linux, Debian, and Amazon, have released security advisories and patches to resolve this issue.


SanerNow publishes security content to detect and mitigate this vulnerability.
We strongly recommend applying the security update with the instructions provided in our support article.