In utility
The “pwfeedback” option enables the display of the “*” character after each entered character when entering a password. Because of
The essence of the problem is that when the special character ^U (line kill) is used during input and the write operation fails, the code responsible for erasing the echoed “*” characters resets the counter of remaining buffer space, but does not reset the pointer to the current position in the buffer to its initial value. Another factor contributing to exploitation is that “pwfeedback” mode is not automatically disabled when data arrives not from a terminal but through an input stream (this flaw makes it possible to create the conditions for a write error to occur, for example, on systems with unidirectional
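As an added illustration (not sudo's own code, which this page does not show), the following C model reproduces the bookkeeping mistake just described: after ^U, when the erase write fails, the remaining-space counter is reset while the cursor is not, so later input lands past the end of the logical buffer. The buffer sizes, the always-failing write helper and the `fixed` flag (which adds the cursor reset of the corrected behaviour) are hypothetical constructions for this model; the second factor, pwfeedback staying enabled on non-terminal input, is not modelled.

```c
#include <stdbool.h>
#include <stddef.h>

#define PW_BUFSIZ 8     /* small logical password buffer for the model */
#define BACKING   64    /* extra room so the model itself never corrupts memory */
#define KILL_CHAR 0x15  /* ^U, the line-kill character */

/* Hypothetical stand-in for the terminal write that erases an echoed '*'.
 * It always fails, reproducing the write-error condition described above. */
static int failing_write(const char *s, size_t n) { (void)s; (void)n; return -1; }

/* Simplified model of a pwfeedback read loop (not sudo's code).
 * Returns the highest offset written into the logical buffer. With fixed
 * set, ^U also resets the cursor, which is the corrected behaviour. */
size_t feed_password(const char *input, size_t inlen, bool fixed)
{
    char buf[BACKING];
    char *cp = buf;              /* cursor: where the next byte is stored */
    size_t left = PW_BUFSIZ;     /* bytes of the logical buffer still free */
    size_t high = 0;

    for (size_t i = 0; i < inlen; i++) {
        unsigned char c = (unsigned char)input[i];
        if (c == KILL_CHAR) {
            /* erase echoed '*'s; when the write fails the loop stops early
             * and cp is left pointing past the start of the buffer */
            while (cp > buf) {
                if (failing_write("\b \b", 3) == -1)
                    break;
                --cp;
            }
            if (fixed)
                cp = buf;        /* fix: move the cursor back to the start too */
            left = PW_BUFSIZ;    /* bug: size reset without a cursor reset */
            continue;
        }
        if (left == 0 || (size_t)(cp - buf) >= BACKING)
            break;               /* logical buffer full (or model guard) */
        *cp++ = (char)c;
        --left;
        if ((size_t)(cp - buf) > high) high = (size_t)(cp - buf);
    }
    return high;
}

/* True when the input drives the cursor past the end of the logical buffer. */
bool overflows(const char *input, size_t inlen, bool fixed) { return feed_password(input, inlen, fixed) > PW_BUFSIZ; }
```

With the constructed input "AAAA", ^U, then eight more bytes, the unfixed loop stores data at offset 12 of an 8-byte logical buffer, while the fixed loop never exceeds offset 8.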
Since an attacker has full control over the data that overwrites the stack, it is not difficult to create an exploit that escalates his privileges to root. The problem can be exploited by any user, regardless of sudo permissions or user-specific settings in sudoers. To block the problem, make sure that the “pwfeedback” setting is not present in /etc/sudoers and, if necessary, disable it explicitly (“Defaults !pwfeedback”). To check whether a system is affected, you can run:
$ perl -e 'print(("A" x 100 . "\x{00}") x 50)' | sudo -S id
Password: Segmentation fault
Source: opennet.ru