There is a stack buffer overflow in several versions of the sudo utility that could let an unprivileged user gain root privileges on a vulnerable system.
The vulnerability is in versions 1.7.1 to 1.8.25p1 of sudo, the powerful utility that is ubiquitous on Linux and Unix-based systems. Sudo allows an administrator to give individual users or small groups the power to run commands as root. The utility logs each of those commands together with its arguments, and it is invoked on a per-command basis.
In the vulnerable versions, an attacker could take advantage of a pair of separate flaws in order to gain root privileges. The vulnerability lies in the way that the “pwfeedback” option handles some input. That option is used to show an asterisk in the password field whenever a user presses a key.
“This option was added in response to user confusion over how the standard Password: prompt disables the echoing of key presses. While pwfeedback is not enabled by default in the upstream version of sudo, some systems, such as Linux Mint and Elementary OS, do enable it in their default sudoers files,” the sudo advisory says.
“Due to a bug, when the pwfeedback option is enabled in the sudoers file, a user may be able to trigger a stack-based buffer overflow. This bug can be triggered even by users not listed in the sudoers file. There is no impact unless pwfeedback has been enabled.”
The risk of exploitation is quite high for systems on which the pwfeedback option is enabled. In order to exploit the bug, an attacker would just need to send a large amount of data to sudo through the password prompt field. The vulnerability results from two separate errors in the sudo code.
“The pwfeedback option is not ignored, as it should be, when reading from something other than a terminal device. Due to the lack of a terminal, the saved version of the line erase character remains at its initialized value of 0,” the advisory says.
“The code that erases the line of asterisks does not properly reset the buffer position if there is a write error, but it does reset the remaining buffer length. As a result, the getln() function can write past the end of the buffer.”
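The two errors quoted above combine in a small loop, so a model of that loop makes the interaction easier to follow. The C below is an added example, not sudo's source: it reproduces the shape of the line-reading logic the advisory describes (a remaining-length counter, a write position, a line-erase character that stays 0 when no terminal is present, and an erase routine that stops at the first write error). Rather than writing past a real buffer, it records the highest index the loop would touch and reports it, so the defect shows up as a number instead of undefined behaviour. The function names, parameters and the typed input are all constructed for the example; the `fixed` flag switches the erase routine between the behaviour the advisory describes and one that also resets the position, which is the kind of change that closes the hole.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Simplified model of a pwfeedback-style line reader (added example, not
 * sudo's code).  Instead of storing bytes it tracks where they would land.
 *
 *   in, inlen       bytes "typed" at the password prompt (constructed)
 *   bufsiz          size of the password buffer the loop believes it has
 *   line_erase      line-erase character; 0 when no terminal is present
 *   write_ok        1 if writing the backspace sequence succeeds,
 *                   0 if write() fails because the fd is not writable
 *   fixed           0 = erase resets only the remaining length (the bug)
 *                   1 = erase resets the remaining length AND the position
 *
 * Returns the number of bytes the loop needs in its buffer (highest index
 * written + 1).  A result larger than bufsiz means a write past the end.
 */
size_t model_getln(const unsigned char *in, size_t inlen, size_t bufsiz,
                   unsigned char line_erase, int write_ok, int fixed)
{
    size_t left = bufsiz;   /* remaining space, as the loop believes it */
    size_t pos = 0;         /* write position within the buffer */
    size_t i = 0;           /* next input byte to "read" */
    size_t highest = 0;     /* highest index + 1 that received a byte */

    if (bufsiz == 0)
        return 0;

    while (--left) {
        if (i >= inlen)                     /* read() returned 0: stop */
            break;
        unsigned char c = in[i++];
        if (c == '\n' || c == '\r')
            break;

        if (c == line_erase) {
            /* erase the asterisks one by one, stopping at a write error */
            while (pos > 0) {
                if (!write_ok)
                    break;                  /* error: position untouched */
                --pos;
            }
            left = bufsiz;                  /* remaining length reset ... */
            if (fixed)
                pos = 0;                    /* ... and position, when fixed */
            continue;
        }

        /* ordinary byte: would be stored at buf[pos] */
        if (pos + 1 > highest)
            highest = pos + 1;
        pos++;
    }

    /* terminating NUL would be stored at buf[pos] */
    if (pos + 1 > highest)
        highest = pos + 1;
    return highest;
}

/* 1 if the loop would write beyond bufsiz, 0 otherwise */
int model_overflows(const unsigned char *in, size_t inlen, size_t bufsiz,
                    unsigned char line_erase, int write_ok, int fixed)
{
    return model_getln(in, inlen, bufsiz, line_erase, write_ok, fixed) > bufsiz;
}

/* Constructed input: six bytes, a NUL, then ten more bytes. */
static const unsigned char TYPED_INPUT[] = "AAAAAA\0AAAAAAAAAA";
#define TYPED_LEN (sizeof TYPED_INPUT - 1)

int main(void)
{
    const size_t bufsiz = 8;
    printf("no terminal, write fails, original logic: needs %zu of %zu bytes\n",
           model_getln(TYPED_INPUT, TYPED_LEN, bufsiz, 0, 0, 0), bufsiz);
    printf("no terminal, write fails, position reset: needs %zu of %zu bytes\n",
           model_getln(TYPED_INPUT, TYPED_LEN, bufsiz, 0, 0, 1), bufsiz);
    printf("no terminal, write succeeds, original:   needs %zu of %zu bytes\n",
           model_getln(TYPED_INPUT, TYPED_LEN, bufsiz, 0, 1, 0), bufsiz);
    printf("terminal erase char 0x15, original:      needs %zu of %zu bytes\n",
           model_getln(TYPED_INPUT, TYPED_LEN, bufsiz, 0x15, 0, 0), bufsiz);
    return 0;
}
```

With an 8-byte buffer, the NUL in the input matches the erase character only when it has stayed at 0 (no terminal). In the original logic with a failing write, the erase routine leaves the position where it was but resets the remaining length, so the loop keeps storing bytes from position 6 onward and reaches index 13 before the counter runs out. Resetting the position as well, or having the write succeed, or having a real terminal erase character, all keep the loop inside the buffer.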
Sudo is used in a wide range of Linux and Unix-based systems, including Apple macOS, and the vulnerability was discovered by an Apple engineer, who reported it to the sudo maintainers. Apple fixed the vulnerability in the latest releases of macOS last week, and some of the other major Linux distributions, including Debian and Slackware, have released updates as well.
“If pwfeedback is enabled in sudoers, the stack overflow may allow unprivileged users to escalate to the root account. Because the attacker has complete control of the data used to overflow the buffer, there is a high likelihood of exploitability,” the sudo advisory says.
If updating immediately is not practical, administrators can prevent exploitation of the vulnerability by disabling the pwfeedback option in the sudoers file.