The 'sudo' command in Unix and Linux allows users to execute certain commands with elevated privileges, commands that a user with a lower level of clearance could not otherwise run on a given machine. Unsurprisingly, it is one of the most important commands in the entire Linux/Unix ecosystem, and one that can substantially compromise a device's security if it is exploited.
One such bug was discovered by Joe Vennix of Apple Information Security. The vulnerability has been assigned the identifier CVE-2019-14287 in the Common Vulnerabilities and Exposures (CVE) database. As stated before, 'sudo' lets you run commands that normal users on the machine cannot otherwise run. With CVE-2019-14287, this restriction could be circumvented simply by passing the 'sudo' command a user ID of -1 or 4294967295. That means that by spoofing their identity, any user could execute restricted commands on the machine.
This was possible because the function that changes the user ID incorrectly interprets the user ID -1, or its unsigned equivalent 4294967295, as 0, which is always the user ID of the root user. To illustrate, both 'sudo -u#-1 id -u' and 'sudo -u#4294967295 id -u' returned 0: the 'sudo' command itself runs as user ID 0, and a user ID of -1 means "no change" to the underlying system call, so no change occurs when sudo tries to switch to user ID -1. From there, any command that is restricted to users with root clearance can be run by any user who executes the commands mentioned above.
The good news, however, is that only sudoers entries with the ALL keyword in the Runas specifier were affected. For instance, an entry like 'myhost bob = (ALL, !root) /usr/bin/vi' was affected, whereas one like 'myhost alice = /usr/bin/id' was not.
Furthermore, the bug has been fixed in Sudo version 1.8.28, where the aforementioned function now treats "an ID of -1 as invalid since that means 'no change'." Users should therefore check for available updates on affected machines to patch against the exploit.
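As an added example (not code from the article or the Sudo project), the following POSIX shell script performs the two checks an administrator would want after reading the above: it lists sudoers entries whose Runas specifier uses the ALL keyword, the only entries affected, and it reports whether a sudo version string predates the fixed release 1.8.28. The sudoers content is a constructed sample so the script runs offline.

```shell
#!/bin/sh
# Added audit helper for CVE-2019-14287 exposure (example code, not from the article).
# Check 1: which sudoers entries use the ALL keyword in the Runas specifier.
# Check 2: whether a sudo version string is older than the fixed release 1.8.28.

# Constructed sample sudoers content so the script runs offline.
SAMPLE_SUDOERS='# constructed sample sudoers
myhost bob = (ALL, !root) /usr/bin/vi
myhost alice = /usr/bin/id
%admin ALL=(ALL:ALL) ALL
carol ALL=(root) /usr/bin/less'

# Read sudoers text on stdin and print entries whose Runas list contains ALL
# as a whole word (so a spec like "(NOTALL)" does not match). Comments are skipped.
affected_entries() {
    grep -v '^[[:space:]]*#' |
        grep -E '\((ALL|[^)]*[^A-Za-z_]ALL)([^A-Za-z_][^)]*)?\)'
}

# Return 0 (true) when a sudo version string is older than 1.8.28.
# A patch suffix such as "1.8.27p1" is stripped before comparing.
version_vulnerable() {
    ver=$(printf '%s\n' "$1" | sed 's/p.*//')
    lowest=$(printf '%s\n%s\n' "$ver" 1.8.28 |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    if [ "$lowest" = "$ver" ] && [ "$ver" != 1.8.28 ]; then
        return 0
    fi
    return 1
}

# Demonstration against the constructed sample and two version strings.
echo "Runas ALL entries in sample sudoers:"
printf '%s\n' "$SAMPLE_SUDOERS" | affected_entries
for v in 1.8.27p1 1.8.28; do
    if version_vulnerable "$v"; then
        echo "sudo $v: vulnerable, update to 1.8.28 or later"
    else
        echo "sudo $v: fixed"
    fi
done
```

On a live host, feed the real files to the first check (for example 'cat /etc/sudoers /etc/sudoers.d/* | affected_entries', which needs root to read them) and pass the version from the first line of 'sudo -V' to the second.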