Opened 18 months ago

Closed 18 months ago

Last modified 18 months ago

#13082 closed enhancement (fixed)

sudo-1.8.31 (CVE-2019-18634)

Reported by: Douglas R. Reno Owned by: Bruce Dubbs
Priority: high Milestone: 9.1
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

New point version

Change History (7)

comment:1 by Xi Ruoyao, 18 months ago

Priority: normalhigh
Summary: sudo-1.8.31sudo-1.8.31 (CVE-2019-18634)
What's new in Sudo 1.8.31

 * Fixed CVE-2019-18634, a buffer overflow when the "pwfeedback"
   sudoers option is enabled on systems with uni-directional pipes.

 * The "sudoedit_checkdir" option now treats a user-owned directory
   as writable, even if it does not have the write bit set at the
   time of check.  Symbolic links will no longer be followed by
   sudoedit in any user-owned directory.  Bug #912

 * Fixed sudoedit on macOS 10.15 and above where the root file system
   is mounted read-only.  Bug #913.

 * Fixed a crash introduced in sudo 1.8.30 when suspending sudo
   at the password prompt.  Bug #914.

 * Fixed compilation on systems where the mmap MAP_ANON flag
   is not available.  Bug #915.

comment:2 by Bruce Dubbs, 18 months ago

Owner: changed from blfs-book to Bruce Dubbs
Status: newassigned

comment:3 by Bruce Dubbs, 18 months ago

Resolution: fixed
Status: assignedclosed

Fixed at revision 22617.

comment:4 by Douglas R. Reno, 18 months ago

Here's some additional information on CVE-2019-18634 (from oss-security):

[CVE-2019-18634 was made public unexpectedly early yesterday which
 is why there was no advance notice for the distros list.]

Summary:

Sudo's "pwfeedback" option can be used to provide visual feedback
when the user is inputting their password.  For each key press, an
asterisk is printed.  This option was added in response to user
confusion over how the standard "Password:" prompt disables the
echoing of key presses.  While "pwfeedback" is not enabled by default
in the upstream version of sudo, some systems, such as Linux Mint
and Elementary OS, do enable it in their default sudoers files.

Due to a bug, when the "pwfeedback" option is enabled in the sudoers
file, a user may be able to trigger a stack-based buffer overflow.
This bug can be triggered even by users not listed in the sudoers
file.  There is _no_ impact unless "pwfeedback" has been enabled.

Sudo versions affected:

Sudo versions 1.7.1 to 1.8.30 inclusive are affected but only if
the "pwfeedback" option is enabled in sudoers.

A user with sudo privileges can check whether "pwfeedback" is enabled
by running:

    $ sudo -l

If "pwfeedback" is listed in the "Matching Defaults entries" output,
the sudoers configuration is affected.  In the following example,
the sudoers configuration is vulnerable:

    $ sudo -l
    Matching Defaults entries for millert on linux-build:
	insults, pwfeedback, mail_badpass, mailerpath=/usr/sbin/sendmail

    User millert may run the following commands on linux-build:
	(ALL : ALL) ALL

CVE ID:

This vulnerability has been assigned CVE-2019-18634 in the Common
Vulnerabilities and Exposures database.

Details:

Exploiting the bug does not require sudo permissions, merely that
pwfeedback be enabled.  The bug can be reproduced by passing a large
input to sudo via a pipe when it prompts for a password.  For
example:

    $ perl -e 'print(("A" x 100 . "\x{00}") x 50)' | sudo -S id
    Password: Segmentation fault

There are two flaws that contribute to this vulnerability:

    1.	The "pwfeedback" option is not ignored, as it should be,
	when reading from something other than a terminal device.
        Due to the lack of a terminal, the saved version of the
        line erase character remains at its initialized value of 0.

    2.	The code that erases the line of asterisks does not
        properly reset the buffer position if there is a write
        error, but it does reset the remaining buffer length.
	As a result, the getln() function can write past the
	end of the buffer.

On systems with unidirectional pipes, an attempt to write to the
read end of the pipe will result in a write error.  Because the
remaining buffer length is not reset correctly on write error when
the line is erased, a buffer on the stack can be overflowed.

Impact:

There is no impact unless "pwfeedback" has been enabled in the
sudoers file.

If "pwfeedback" is enabled in sudoers, the stack overflow may allow
unprivileged users to escalate to the root account.  Because the
attacker has complete control of the data used to overflow the
buffer, there is a high likelihood of exploitability.

Workaround:

If the sudoers file has "pwfeedback" enabled, disabling it by
pre-pending an exclamation point is sufficient to prevent exploitation
of the bug.  For example, change:

    Defaults pwfeedback

To:

    Defaults !pwfeedback

After disabling "pwfeedback" in sudoers using the visudo command,
the example "sudo -l" output becomes:

    $ sudo -l
    Matching Defaults entries for millert on linux-build:
	insults, mail_badpass, mailerpath=/usr/sbin/sendmail

    User millert may run the following commands on linux-build:
	(ALL : ALL) ALL

Fix:

The bug is fixed in sudo 1.8.31.

The following commit fixes CVE-2019-18634:
https://github.com/sudo-project/sudo/commit/fa8ffeb17523494f0e8bb49a25e53635f4509078

Credit:

Joe Vennix from Apple Information Security found and analyzed the bug.

comment:5 by ken@…, 18 months ago

Latest information is that 1.8.6 and later were not affected:

It turns out a change in EOF handling introduced in sudo 1.8.26
prevents exploitation of the bug.  The EOF character is also
initialized to 0 and sudo 1.8.26 checks for EOF before it checks
for the kill character.

This means that the bug actually affects sudo versions 1.7.1 to
1.8.25p1 inclusive.

in reply to:  5 ; comment:6 by ken@…, 18 months ago

Replying to ken@…:

Latest information is that 1.8.6 and later were not affected:

s/1.8.6/1.8.26/ I can't type.

in reply to:  6 comment:7 by Douglas R. Reno, 18 months ago

Replying to ken@…:

Replying to ken@…:

Latest information is that 1.8.6 and later were not affected:

s/1.8.6/1.8.26/ I can't type.

Did you see this on oss-security yet this morning?

When using a pty, sudo_term_eof and sudo_term_kill are initialized to 0x4
and 0x15 allowing the overflow to be reached, making 1.8.26-1.8.30 also
vulnerable:

$ socat pty,link=/tmp/pty,waitslave exec:"python -c
'print((\"A\"*100+chr(0x15))*50)'" &
$ sudo -S id < /tmp/pty
[sudo] password for user1: Segmentation fault
$ sudo -V
Sudo version 1.8.30
Sudoers policy plugin version 1.8.30
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.30

- Will
Note: See TracTickets for help on using tickets.