Sudo stack-based buffer overflow vulnerability (pwfeedback)
Description of the vulnerability:
A stack-based buffer overflow vulnerability was discovered in sudo, a program designed to grant limited superuser privileges to specific users. The flaw is triggerable only when sudo is configured with the "pwfeedback" option enabled; in that case an unprivileged user can overflow a stack buffer in the privileged sudo process and take advantage of it to obtain full root privileges.
The buffer overflow may allow an attacker to expose or corrupt memory, crash the sudo application, or possibly inject code to be run as the root user.
Affected versions of Sudo packages:
Sudo versions 1.7.1 to 1.8.30 inclusive are affected, but only if the "pwfeedback" option is enabled in sudoers. It was originally thought not to be exploitable in sudo versions 1.8.26 through 1.8.30, but that has been shown not to be the case.
Though sudo is used on all Linux flavours, in our case we will consider Red Hat.
As per CVE-2019-18634 (https://access.redhat.com/security/cve/cve-2019-18634), the affected platform versions are:
| Platform                   | Package |
| Red Hat Enterprise Linux 6 | sudo    |
| Red Hat Enterprise Linux 7 | sudo    |
| Red Hat Enterprise Linux 8 | sudo    |
Let's proceed to test this vulnerability and then remediate it.
TEST Results – before remediation
On our Red Hat system we first run two checks: one to find the installed sudo package version, the other to see whether "pwfeedback" has been set in our sudoers. Run the command below for the first check:
# rpm -q sudo
The sudo version we are running falls in the range categorized as vulnerable. The vulnerability can only be confirmed by the next check, for the "pwfeedback" option:
# sudo -l
The output of the above command confirms that the "pwfeedback" option is enabled on our server, so it is vulnerable.
Let's test the vulnerability. Run the command below, which should yield a "segmentation fault":
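The two checks above can be combined into a small assessment script. The following is an added example, not code from the original post or from the sudo project: it parses `rpm -q sudo` style output for the upstream version, checks it against the advisory's affected range, and scans `sudo -l` output for an active (non-negated) pwfeedback entry. Both sample outputs are constructed; the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): decide from `rpm -q sudo` and
# `sudo -l` output whether a Red Hat host is in scope for CVE-2019-18634.
# The two sample outputs below are constructed for offline use.

# Upstream versions named by the sudo advisory: 1.7.1 .. 1.8.30 inclusive.
# Caveat: Red Hat backports fixes, so an rpm whose upstream version is inside
# this range may already be patched; compare the package release against the
# errata (e.g. sudo-1.8.23-4.el7_7.2) before concluding a host is vulnerable.
version_key() {
  # Turn "1.8.23" into a sortable integer: 1*1000000 + 8*1000 + 23
  printf '%s' "$1" | awk -F. '{ printf "%d", ($1*1000000) + ($2*1000) + $3 }'
}

# Extract the upstream version from an rpm name such as sudo-1.8.23-3.el7.x86_64
upstream_version() {
  printf '%s' "$1" | sed -E 's/^sudo-([0-9]+\.[0-9]+\.[0-9]+)-.*/\1/'
}

# Returns 0 (true) if the upstream version lies inside the affected range
version_in_affected_range() {
  v=$(version_key "$1")
  [ "$v" -ge "$(version_key 1.7.1)" ] && [ "$v" -le "$(version_key 1.8.30)" ]
}

# Returns 0 (true) if the given `sudo -l` output enables pwfeedback.
# The "Matching Defaults entries" block is a comma-separated list; an option
# prefixed with "!" is disabled, so only a bare "pwfeedback" token counts.
pwfeedback_enabled() {
  printf '%s\n' "$1" | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qx 'pwfeedback'
}

# Constructed sample outputs standing in for `rpm -q sudo` and `sudo -l`
SAMPLE_RPM="sudo-1.8.23-3.el7.x86_64"
SAMPLE_SUDO_L='Matching Defaults entries for demo on host1:
    !visiblepw, always_set_home, pwfeedback, env_reset

User demo may run the following commands on host1:
    (ALL) ALL'

# Prints "vulnerable" only when both conditions hold
assess() {
  ver=$(upstream_version "$1")
  if version_in_affected_range "$ver" && pwfeedback_enabled "$2"; then
    echo "vulnerable"
  else
    echo "not-vulnerable"
  fi
}

assess "$SAMPLE_RPM" "$SAMPLE_SUDO_L"
```

On a live host, replace the sample strings with `"$(rpm -q sudo)"` and `"$(sudo -l)"`; the version test is a first filter only, and the errata release in the FIX section below is what decides whether a backported package is patched.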
# perl -e 'print(("A" x 100 . chr(0)) x 50)' | sudo -S -k id
As per the sudo advisory https://www.sudo.ws/alerts/pwfeedback.html, two flaws contribute to this vulnerability:
- The pwfeedback option is not ignored, as it should be, when reading from something other than the user’s terminal, /dev/tty. The use of the -S option should effectively disable pwfeedback.
- The code that erases the line of asterisks does not properly reset the buffer position if there is a write error, but it does reset the remaining buffer length. As a result, the getln() function can write past the end of the buffer, leading to an overflow.
If the user can cause sudo to receive a write error when it attempts to erase the line of asterisks, the bug can be triggered. Because the remaining buffer length is not reset correctly on write error when the line is erased, a buffer on the stack can be overflowed.
Option 1: WORKAROUND
- Disable "pwfeedback" in your sudoers config by editing the sudoers file /etc/sudoers or using visudo. This is sufficient to prevent exploitation of the bug.
For example, change the entry for option as below:
Post config change, the config looks as below:
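The edit the advisory recommends is to negate the option, so that `Defaults pwfeedback` becomes `Defaults !pwfeedback`. The following is an added example, not code from the original post: a shell function that applies that change to sudoers text, handling both a standalone entry and a comma-separated Defaults list while leaving commented-out and already-negated entries alone. The sudoers content is a constructed sample and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): rewrite "pwfeedback" to
# "!pwfeedback" in sudoers text, the workaround recommended by the advisory.
# Works on "Defaults pwfeedback" and on a comma-separated Defaults list; lines
# that are commented out or already negated are left untouched.

# Reads sudoers text on stdin, prints the hardened text on stdout.
# (^|[^!]) ensures an option already written as "!pwfeedback" is not touched;
# the address /^[[:space:]]*#/! skips comment lines.
disable_pwfeedback() {
  sed -E '/^[[:space:]]*#/!s/(^|[^!])pwfeedback/\1!pwfeedback/g'
}

# Counts non-comment lines that still enable the option (0 after hardening).
count_enabled() {
  grep -Ev '^[[:space:]]*#' | grep -Ec '(^|[^!])pwfeedback' || true
}

# Constructed sample sudoers content for this example
SAMPLE_SUDOERS='# sample sudoers, constructed for this example
Defaults    !visiblepw
Defaults    env_reset, pwfeedback
Defaults    pwfeedback
Defaults    !pwfeedback
root    ALL=(ALL)   ALL'

hardened() { printf '%s\n' "$SAMPLE_SUDOERS" | disable_pwfeedback; }

hardened
```

On a real host, apply the function to a copy of /etc/sudoers (e.g. `disable_pwfeedback < /etc/sudoers > /tmp/sudoers.new`), validate the copy with `visudo -cf /tmp/sudoers.new`, and then install it through visudo rather than overwriting /etc/sudoers directly, so a syntax error cannot lock you out of sudo.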
Option 2: FIX
- As per the Red Hat errata for RHEL 7 below, an updated sudo package is available; the issue is fixed by updating the sudo package to version sudo-1.8.23-4.el7_7.2.
Note: Based on your Red Hat OS flavour, check the errata below and update to the relevant sudo package.
| Platform                   | Package | State | Errata         | Release date |
| Red Hat Enterprise Linux 6 | sudo    | Fixed | RHSA-2020:0726 | 6-Mar-20     |
| Red Hat Enterprise Linux 7 | sudo    | Fixed | RHSA-2020:0540 | 19-Feb-20    |
| Red Hat Enterprise Linux 8 | sudo    | Fixed | RHSA-2020:0487 | 14-Feb-20    |
# yum update sudo
Post Remediation Test results
Check by re-running the same commands from the pre-remediation test. Even though "pwfeedback" remains enabled in the sudoers config, the command no longer produces a "segmentation fault".