Sudo buffer overflow when pwfeedback is set in sudoers

栏目: IT技术 · 发布时间: 4年前

内容简介:Due to a bug, when theA user with sudo privileges can check whetherIf

Release Date:

January 30, 2020 (updated January 31, 2020 to correct affected versions)

Summary:

Sudo's pwfeedback option can be used to provide visual feedback when the user is inputting their password. For each key press, an asterisk is printed. This option was added in response to user confusion over how the standard Password: prompt disables the echoing of key presses. While pwfeedback is not enabled by default in the upstream version of sudo, some systems, such as Linux Mint and Elementary OS, do enable it in their default sudoers files.

Due to a bug, when the pwfeedback option is enabled in the sudoers file, a user may be able to trigger a stack-based buffer overflow. This bug can be triggered even by users not listed in the sudoers file. There is no impact unless pwfeedback has been enabled.

Sudo versions affected:

Sudo versions 1.7.1 to 1.8.25p1 inclusive are affected but only if the pwfeedback option is enabled in sudoers. While the logic bug is also present in sudo versions 1.8.26 through 1.8.30 it is not exploitable due to a change in EOF handling introduced in sudo 1.8.26.

A user with sudo privileges can check whether pwfeedback is enabled by running:

sudo -l
If pwfeedback is listed in the "Matching Defaults entries" output, the sudoers configuration is affected. In the following example, the sudoers configuration is vulnerable:
$ sudo -l
    Matching Defaults entries for millert on linux-build:
	insults, pwfeedback, mail_badpass, mailerpath=/usr/sbin/sendmail

    User millert may run the following commands on linux-build:
	(ALL : ALL) ALL

CVE ID:

This vulnerability has been assigned CVE-2019-18634 in the Common Vulnerabilities and Exposures database.

Details:

Exploiting the bug does not require sudo permissions, merely that pwfeedback be enabled. The bug can be reproduced by passing a large input to sudo via a pipe when it prompts for a password. For example:
$ perl -e 'print(("A" x 100 . "\x{00}") x 50)' | sudo -S id
    Password: Segmentation fault
There are two flaws that contribute to this vulnerability:
  • The pwfeedback option is not ignored, as it should be, when reading from something other than a terminal device. Due to the lack of a terminal, the saved version of the line erase character remains at its initialized value of 0.
  • The code that erases the line of asterisks does not properly reset the buffer position if there is a write error, but it does reset the remaining buffer length. As a result, the getln() function can write past the end of the buffer.
On systems with unidirectional pipes, an attempt to write to the read end of the pipe will result in a write error. Because the remaining buffer length is not reset correctly on write error when the line is erased, a buffer on the stack can be overflowed.

Impact:

There is no impact unless pwfeedback has been enabled in the sudoers file.

If pwfeedback is enabled in sudoers, the stack overflow may allow unprivileged users to escalate to the root account. Because the attacker has complete control of the data used to overflow the buffer, there is a high likelihood of exploitability.

Workaround:

If the sudoers file has pwfeedback enabled, disabling it by pre-pending an exclamation point is sufficient to prevent exploitation of the bug. For example, change:
Defaults pwfeedback
To:
Defaults !pwfeedback
After disabling pwfeedback in sudoers using the visudo command, the example sudo -l output becomes:
$ sudo -l
    Matching Defaults entries for millert on linux-build:
	insults, mail_badpass, mailerpath=/usr/sbin/sendmail

    User millert may run the following commands on linux-build:
	(ALL : ALL) ALL

Fix:

The bug is fixed in sudo 1.8.31.

Credit:

Joe Vennix from Apple Information Security found and analyzed the bug.

以上就是本文的全部内容,希望对大家的学习有所帮助,也希望大家多多支持 码农网

查看所有标签

猜你喜欢:

本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们

图解CIO工作指南(第4版)

图解CIO工作指南(第4版)

[日] 野村综合研究所系统咨询事业本部 / 周自恒 / 人民邮电出版社 / 2014-3 / 39.00

《图解CIO工作指南(第4版)》是一本实务手册,系统介绍了企业运用IT手段提高竞争力所必需的管理方法和实践经验,主要面向CEO或CIO等企业管理人士。 《图解CIO工作指南(第4版)》分为三个部分。第1部分的主题为IT管理,着重阐述运用IT技术提高企业竞争力所必需的所有管理业务,具体包括制定作为企业方针的IT战略,以及统筹执行该战略时与IT相关的人力、物力、财力、风险等要素在内的一系列管理业......一起来看看 《图解CIO工作指南(第4版)》 这本书的介绍吧!

URL 编码/解码
URL 编码/解码

URL 编码/解码

UNIX 时间戳转换
UNIX 时间戳转换

UNIX 时间戳转换

RGB HSV 转换
RGB HSV 转换

RGB HSV 互转工具