AL2021_01 Heap Buffer Overflow Vulnerability in Sudo (27th January, 2021)

A heap buffer overflow vulnerability in sudo that can be used to elevate privileges to root on the host system has been discovered by researchers.

Sudo is a command-line utility widely used on Linux and Unix operating systems that allows trusted users to run commands with administrative privileges when needed. This vulnerability has been given the name Baron Samedit and affects sudo versions 1.8.2 to 1.8.31p2 and 1.9.0 to 1.9.5p1.

How it Works

When sudo runs a command in shell mode, either through the -s option (which sets sudo's MODE_SHELL flag) or the -i option (which sets both the MODE_SHELL and MODE_LOGIN_SHELL flags), it escapes all special characters in the command's arguments with a backslash. If the command is being run in shell mode, the sudoers policy plugin then removes the escape characters from the arguments before evaluating the sudoers policy.

A bug in the code that removes the escape characters causes it to read beyond the last character of a string if that string ends with an unescaped backslash. Under usual circumstances this bug would be harmless, since sudo has already escaped all backslashes in the command's arguments. However, because of a second bug, this time in the command-line parsing code, it is possible to run sudoedit with the -s or -i option, which sets the flag indicating that shell mode is enabled. Because no command is actually being run, sudo does not escape the special characters. Finally, the code that decides whether to remove the escape characters does not check whether a command is actually being run; it only checks that the shell-mode flag is set.
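The following is an added illustration of the unescape bug described above; it is a constructed, simplified re-creation and not sudo's source code. The argument string and the bytes placed after its terminator are assumptions made to show the overread on a buffer we control.

```c
#include <ctype.h>
#include <stddef.h>

/* Vulnerable form (constructed): when the argument ends with an unescaped
 * backslash, from[1] is the terminating NUL. NUL is not a space, so the loop
 * steps over the terminator and keeps copying whatever follows the string in
 * memory until it happens to hit another NUL. Returns bytes written to 'to'. */
size_t unescape_vulnerable(char *to, const char *from)
{
    char *start = to;
    while (*from) {
        if (from[0] == '\\' && !isspace((unsigned char)from[1]))
            from++;               /* skips the NUL when from[1] == '\0' */
        *to++ = *from++;
    }
    *to = '\0';
    return (size_t)(to - start);
}

/* Hardened form (constructed): never step past the terminator. A trailing
 * backslash is copied literally instead of triggering a read beyond it. */
size_t unescape_fixed(char *to, const char *from)
{
    char *start = to;
    while (*from) {
        if (from[0] == '\\' && from[1] != '\0'
            && !isspace((unsigned char)from[1]))
            from++;
        *to++ = *from++;
    }
    *to = '\0';
    return (size_t)(to - start);
}

/* Demonstrates the overread with a constructed argument. The logical string is
 * "abc\" (four bytes plus NUL); the backing buffer carries "XYZ" after the
 * terminator to stand in for adjacent memory. A bounded unescape writes 4
 * bytes; the vulnerable loop writes 7, having consumed the terminator and the
 * three bytes beyond it. The output buffer is oversized so the demo itself
 * never writes out of bounds. */
size_t demo(int vulnerable)
{
    static const char backing[] = "abc\\\0XYZ";   /* a b c \ NUL X Y Z NUL */
    char out[32];
    return vulnerable ? unescape_vulnerable(out, backing)
                      : unescape_fixed(out, backing);
}
```

In real sudo the destination is a heap buffer sized for the original argument length, so the extra bytes land beyond its end, which is the heap overflow this alert describes.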

Solution

It is recommended that users install sudo version 1.9.5p2, or a patched version supplied by their vendor, to fix this vulnerability.

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.

References

Jain, A. (2020, January 25). CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit). Retrieved from Qualys: https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit

Claburn, T. (2021, January 26). Decade-old bug in Linux world's sudo can be abused by any logged-in user to gain root privileges. Retrieved from The Register: https://www.theregister.com/2021/01/26/qualys_sudo_bug/