Heap-based Buffer Overflow in Sudo
Animesh Jain (via David Smith, Hacker News):
Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host.
[…]
In other words,
set_cmnd()is vulnerable to a heap-based buffer overflow, because the out-of-bounds characters that are copied to the “user_args” buffer were not included in its size (calculated at lines 852-853).In theory, however, no command-line argument can end with a single backslash character: if
MODE_SHELLorMODE_LOGIN_SHELLis set (line 858, a necessary condition for reaching the vulnerable code), thenMODE_SHELLis set (line 571) andparse_args()already escaped all meta-characters, including backslashes (i.e., it escaped every single backslash with a second backslash).In practice, however, the vulnerable code in
set_cmnd()and the escape code inparse_args()are surrounded by slightly different conditions[…]
All you need to know about sudo and frankly most other pieces of the Linux userspace is that it is undertested. The commit that added this flaw to sudo claims to fix a parser bug but includes no tests. There is no reason for the author, the reviewer (if there even was such a person), or anyone else to believe that the bug existed or was fixed by this change. The pull request that supposedly fixes this CVE also includes no tests. There is no reason anyone should believe this fix is effective or complete, or that it does not introduce new defects.
Update (2021-02-05): Patrick Wardle:
macOS (including 11.2) appears to be vulnerable to the sudo heap-overflow bug (CVE-2021-3156) 🍎🐛 🤨
With some minor modifications, Hickey found that the sudo bug could be used to grant attackers access to macOS root accounts, and the discovery has now been verified by Carnegie Mellon University vulnerability analyst Will Dormann.
Holy moly!