Wednesday, January 27, 2021 [Tweets] [Favorites]

Heap-based Buffer Overflow in Sudo

Animesh Jain (via David Smith, Hacker News):

Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host.

[…]

In other words, set_cmnd() is vulnerable to a heap-based buffer overflow, because the out-of-bounds characters that are copied to the “user_args” buffer were not included in its size (calculated at lines 852-853).

In theory, however, no command-line argument can end with a single backslash character: if MODE_SHELL or MODE_LOGIN_SHELL is set (line 858, a necessary condition for reaching the vulnerable code), then MODE_SHELL is set (line 571) and parse_args() already escaped all meta-characters, including backslashes (i.e., it escaped every single backslash with a second backslash).

In practice, however, the vulnerable code in set_cmnd() and the escape code in parse_args() are surrounded by slightly different conditions[…]

jeffbee:

All you need to know about sudo and frankly most other pieces of the Linux userspace is that it is undertested. The commit that added this flaw to sudo claims to fix a parser bug but includes no tests. There is no reason for the author, the reviewer (if there even was such a person), or anyone else to believe that the bug existed or was fixed by this change. The pull request that supposedly fixes this CVE also includes no tests. There is no reason anyone should believe this fix is effective or complete, or that it does not introduce new defects.

Update (2021-02-05): Patrick Wardle:

macOS (including 11.2) appears to be vulnerable to the sudo heap-overflow bug (CVE-2021-3156) 🍎🐛 🤨

Hartley Charlton:

With some minor modifications, Hickey found that the sudo bug could be used to grant attackers access to macOS root accounts, and the discovery has now been verified by Carnegie Mellon University vulnerability analyst Will Dormann.

1 Comment

Old Unix Geek

Holy moly!

Stay up-to-date by subscribing to the Comments RSS Feed for this post.

Leave a Comment