A newly discovered vulnerability allows privilege escalation from the Linux command line. BLUF: The exploit hasn't been released (yet) but the patch is out. So patch now (sudo 1.9.5p2).

What happened?

Hiding in the source code for sudo all these years is an unchecked edge case whereby an attacker with access to the host as a user can use a specially crafted sudo command to spawn a command prompt with elevated (root) permissions. The vulnerability has been assigned CVE-2021-3156. The patch is available, but the exploit code hasn't been released by the researchers.

In brief, sudo is used to run commands with privileged access. It can also be used to spawn an interactive privileged shell in the current terminal (a shell within your shell, if you want to think about it in Inception terms). By manipulating the arguments and the logical flow of sudo while it's keeping track of state (which flags are set, etc.), it is possible to create a heap overflow condition which, when successfully exploited, returns a privileged shell to the user.

The Technical Details

From https://www.sudo.ws/alerts/unescape_overflow.html:

When sudo runs a command in shell mode, either via the -s or -i command line option, it escapes special characters in the command's arguments with a backslash. The sudoers policy plugin will then remove the escape characters from the arguments before evaluating the sudoers policy (which doesn't expect the escape characters) if the command is being run in shell mode.

A bug in the code that removes the escape characters will read beyond the last character of a string if it ends with an unescaped backslash character. Under normal circumstances, this bug would be harmless since sudo has escaped all the backslashes in the command's arguments. However, due to a different bug, this time in the command line parsing code, it is possible to run sudoedit with either the -s or -i options, setting a flag that indicates shell mode is enabled. Because a command is not actually being run, sudo does not escape special characters. Finally, the code that decides whether to remove the escape characters did not check whether a command is actually being run, just that the shell flag is set. This inconsistency is what makes the bug exploitable.
Qualys researchers have also published a full (very technical) writeup about the perfect storm of conditions that are needed to successfully exploit this bug. You can read that information here.
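
To make the quoted description concrete, here is a simplified model of the unescape step with and without the end-of-string check. It is an added example, not sudo's source and not code from the original post; the function name, the check_nul switch and the SAMPLE buffer are constructed, and explicit caps keep the demo itself memory-safe.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the argument "abc\" (ends in a lone backslash),
 * followed in memory by unrelated bytes "NEXT". */
static const char SAMPLE[10] =
    {'a', 'b', 'c', '\\', '\0', 'N', 'E', 'X', 'T', '\0'};

/*
 * Model of the unescape loop. src is a NUL-terminated string stored
 * inside a region of src_cap bytes; dst_cap bounds the demo's output.
 * check_nul = 0 models the behaviour described in the advisory,
 * check_nul = 1 adds the "is the next byte the terminator?" test.
 * Returns the number of bytes written to dst, terminator included.
 */
static size_t unescape(const char *src, size_t src_cap,
                       char *dst, size_t dst_cap, int check_nul)
{
    size_t from = 0, to = 0;

    while (from < src_cap && src[from] != '\0' && to < dst_cap) {
        if (src[from] == '\\' && from + 1 < src_cap &&
            (!check_nul || src[from + 1] != '\0') &&
            !isspace((unsigned char)src[from + 1]))
            from++;              /* drop the backslash, keep next byte */
        /* Without the check, the byte copied here can be the NUL itself,
         * so the cursor steps past the end of the string and the loop
         * keeps copying whatever follows it in memory. */
        dst[to++] = src[from++];
    }
    if (to < dst_cap)
        dst[to++] = '\0';
    return to;
}

int main(void)
{
    char out[16];
    size_t expected = strlen(SAMPLE) + 1;  /* what a caller would allocate */

    printf("buffer sized for:   %zu bytes\n", expected);
    printf("unchecked, written: %zu bytes\n",
           unescape(SAMPLE, sizeof SAMPLE, out, sizeof out, 0));
    printf("checked, written:   %zu bytes\n",
           unescape(SAMPLE, sizeof SAMPLE, out, sizeof out, 1));
    return 0;
}
```

The unchecked run writes more bytes than a buffer sized from the argument's length can hold, which is the overflow; the checked run stays within it.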

What do you do about it?

The bug has been confirmed as exploitable on Ubuntu, Fedora, and a few other Linux operating systems, but it's prudent to assume the vulnerability is widely applicable. Regardless of your OS, if you have sudo installed and you are running a version older than 1.9.5p1, you should patch. Your OS package manager should have the latest version, and updating through the package manager can be an easy fix.

Alternatively, you can download the latest source code here: https://www.sudo.ws/download.html#source


About the Author

Matt Barnett, CISSP, GFCA
Chief Strategist & Cofounder

After years in IT, performing network and system administration, software development, and architecting cloud migrations, Matt began to focus his efforts in cybersecurity. Matt draws on his technical competency and law enforcement background to assist clients, in both proactive and incident response capacities. In addition, Matt has developed an arsenal of applications, strategies, policies, and procedures to assist clients in achieving better cybersecurity.