#13082 closed enhancement (fixed)
sudo-1.8.31 (CVE-2019-18634)
Reported by: | Douglas R. Reno | Owned by: | Bruce Dubbs |
---|---|---|---|
Priority: | high | Milestone: | 9.1 |
Component: | BOOK | Version: | SVN |
Severity: | normal | Keywords: | |
Cc: | | | |
Description
New point version
Change History (7)
comment:1 by , 5 years ago
Priority: | normal → high |
---|---|
Summary: | sudo-1.8.31 → sudo-1.8.31 (CVE-2019-18634) |
comment:2 by , 5 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:4 by , 5 years ago
Here's some additional information on CVE-2019-18634 (from oss-security):
[CVE-2019-18634 was made public unexpectedly early yesterday which is why there was no advance notice for the distros list.]

Summary:

Sudo's "pwfeedback" option can be used to provide visual feedback when the user is inputting their password. For each key press, an asterisk is printed. This option was added in response to user confusion over how the standard "Password:" prompt disables the echoing of key presses. While "pwfeedback" is not enabled by default in the upstream version of sudo, some systems, such as Linux Mint and Elementary OS, do enable it in their default sudoers files.

Due to a bug, when the "pwfeedback" option is enabled in the sudoers file, a user may be able to trigger a stack-based buffer overflow. This bug can be triggered even by users not listed in the sudoers file. There is _no_ impact unless "pwfeedback" has been enabled.

Sudo versions affected:

Sudo versions 1.7.1 to 1.8.30 inclusive are affected but only if the "pwfeedback" option is enabled in sudoers. A user with sudo privileges can check whether "pwfeedback" is enabled by running:

    $ sudo -l

If "pwfeedback" is listed in the "Matching Defaults entries" output, the sudoers configuration is affected. In the following example, the sudoers configuration is vulnerable:

    $ sudo -l
    Matching Defaults entries for millert on linux-build:
        insults, pwfeedback, mail_badpass, mailerpath=/usr/sbin/sendmail
    User millert may run the following commands on linux-build:
        (ALL : ALL) ALL

CVE ID:

This vulnerability has been assigned CVE-2019-18634 in the Common Vulnerabilities and Exposures database.

Details:

Exploiting the bug does not require sudo permissions, merely that pwfeedback be enabled. The bug can be reproduced by passing a large input to sudo via a pipe when it prompts for a password. For example:

    $ perl -e 'print(("A" x 100 . "\x{00}") x 50)' | sudo -S id
    Password: Segmentation fault

There are two flaws that contribute to this vulnerability:

1. The "pwfeedback" option is not ignored, as it should be, when reading from something other than a terminal device. Due to the lack of a terminal, the saved version of the line erase character remains at its initialized value of 0.

2. The code that erases the line of asterisks does not properly reset the buffer position if there is a write error, but it does reset the remaining buffer length. As a result, the getln() function can write past the end of the buffer.

On systems with unidirectional pipes, an attempt to write to the read end of the pipe will result in a write error. Because the remaining buffer length is not reset correctly on write error when the line is erased, a buffer on the stack can be overflowed.

Impact:

There is no impact unless "pwfeedback" has been enabled in the sudoers file. If "pwfeedback" is enabled in sudoers, the stack overflow may allow unprivileged users to escalate to the root account. Because the attacker has complete control of the data used to overflow the buffer, there is a high likelihood of exploitability.

Workaround:

If the sudoers file has "pwfeedback" enabled, disabling it by pre-pending an exclamation point is sufficient to prevent exploitation of the bug. For example, change:

    Defaults pwfeedback

To:

    Defaults !pwfeedback

After disabling "pwfeedback" in sudoers using the visudo command, the example "sudo -l" output becomes:

    $ sudo -l
    Matching Defaults entries for millert on linux-build:
        insults, mail_badpass, mailerpath=/usr/sbin/sendmail
    User millert may run the following commands on linux-build:
        (ALL : ALL) ALL

Fix:

The bug is fixed in sudo 1.8.31. The following commit fixes CVE-2019-18634:
https://github.com/sudo-project/sudo/commit/fa8ffeb17523494f0e8bb49a25e53635f4509078

Credit:

Joe Vennix from Apple Information Security found and analyzed the bug.
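As an added illustration of the second flaw the advisory lists (a constructed model, not code from sudo or from the fix commit), the following C shows why resetting the remaining length without resetting the write position lets a line reader run past its stack buffer; the struct, the function names and the 64-byte buffer are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
/* Simplified model (hypothetical, not sudo's code) of the pwfeedback line-erase
 * step in the advisory. buf/bufsiz is the stack buffer, cp the next write position,
 * left the bytes the reader believes it may still store. The bounds invariant is:
 * left == bufsiz - (cp - buf). */
struct getln_state {
    char buf[64];
    size_t bufsiz;
    char *cp;
    size_t left;
    bool write_fails;  /* models write() of "\b \b" failing, e.g. on a pipe's read end */
};
static void state_init(struct getln_state *st, size_t filled, bool write_fails)
{
    memset(st, 0, sizeof(*st));
    st->bufsiz = sizeof(st->buf);
    memset(st->buf, 'A', filled);  /* constructed input already stored in buf */
    st->cp = st->buf + filled;
    st->left = st->bufsiz - filled;
    st->write_fails = write_fails;
}

/* Flawed variant: on write error the loop exits early, so cp keeps its old value
 * while left is still reset to the full buffer size. */
static void erase_line_flawed(struct getln_state *st)
{
    while (st->cp > st->buf) {
        if (st->write_fails)  /* write(fd, "\b \b", 3) == -1 */
            break;
        st->cp--;
    }
    st->left = st->bufsiz;
}
/* Corrected variant: position and length are reset together, whatever write() did. */
static void erase_line_fixed(struct getln_state *st)
{
    while (st->cp > st->buf && !st->write_fails)
        st->cp--;
    st->cp = st->buf;
    st->left = st->bufsiz;
}

/* Bytes the reader would be allowed to store past the end of buf; 0 means in bounds. */
static size_t overflow_allowance(const struct getln_state *st)
{
    size_t capacity = st->bufsiz - (size_t)(st->cp - st->buf);
    return st->left > capacity ? st->left - capacity : 0;
}
```

With 40 bytes already in the buffer and a failing write, the flawed erase leaves the reader free to store 40 bytes past the end, while the corrected erase leaves it in bounds.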
follow-up: 6 comment:5 by , 5 years ago
Latest information is that 1.8.6 and later were not affected:
It turns out a change in EOF handling introduced in sudo 1.8.26 prevents exploitation of the bug. The EOF character is also initialized to 0 and sudo 1.8.26 checks for EOF before it checks for the kill character. This means that the bug actually affects sudo versions 1.7.1 to 1.8.25p1 inclusive.
follow-up: 7 comment:6 by , 5 years ago
Replying to ken@…:
Latest information is that 1.8.6 and later were not affected:
s/1.8.6/1.8.26/ I can't type.
comment:7 by , 5 years ago
Replying to ken@…:
Replying to ken@…:
Latest information is that 1.8.6 and later were not affected:
s/1.8.6/1.8.26/ I can't type.
Did you see this on oss-security yet this morning?
When using a pty, sudo_term_eof and sudo_term_kill are initialized to 0x4 and 0x15 allowing the overflow to be reached, making 1.8.26-1.8.30 also vulnerable:

    $ socat pty,link=/tmp/pty,waitslave exec:"python -c 'print((\"A\"*100+chr(0x15))*50)'" &
    $ sudo -S id < /tmp/pty
    [sudo] password for user1: Segmentation fault
    $ sudo -V
    Sudo version 1.8.30
    Sudoers policy plugin version 1.8.30
    Sudoers file grammar version 46
    Sudoers I/O plugin version 1.8.30

- Will