sudo root vulnerability affecting Linux Mint and Elementary OS

A vulnerability (CVE-2019-18634) has been identified in sudo, the utility used to run commands on behalf of other users, that allows a local user to escalate privileges to root. The problem only appears from sudo 1.7.1 onward and only when the “pwfeedback” option is set in /etc/sudoers; the option is disabled by default but enabled in some distributions, such as Linux Mint and Elementary OS. The issue is fixed in sudo 1.8.31, published a few hours ago. The vulnerability remains unfixed in the distributions' packages.

The “pwfeedback” option makes sudo print a “*” for each character typed while a password is being entered. Because of errors in the implementation of the getln() function, defined in the tgetpass.c file, an overly long password string passed via the standard input stream (stdin) can, under certain conditions, fail to fit into the allocated buffer and overwrite other data on the stack. The overflow occurs while sudo code is running as root.

The core of the problem is that when the special character ^U (clear line) is used during input and the write operation fails, the code responsible for erasing the printed “*” characters resets the available buffer size but does not reset the pointer to the current position in the buffer back to its initial value. A second factor that makes exploitation possible is that “pwfeedback” mode is not automatically disabled when data arrives not from a terminal but from an input stream; this flaw makes it possible to create the conditions for a write error to occur, for example on systems with unidirectional unnamed pipes, where an attempt to write to the read end of the pipe fails.

Since an attacker has full control over the data written onto the stack, it is not difficult to create an exploit that escalates privileges to root. The problem can be exploited by any user, regardless of sudo permissions or user-specific settings in sudoers. To block the problem, make sure there is no “pwfeedback” setting in /etc/sudoers and, if necessary, disable it explicitly (“Defaults !pwfeedback”). To check whether a system is affected, you can run:

$ perl -e 'print(("A" x 100 . "\x{00}") x 50)' | sudo -S id
Password: Segmentation fault
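
As an added example (not part of the opennet.ru article), the following POSIX shell audit checks sudoers text for the “pwfeedback” option and classifies an installed sudo version against the affected range stated above; it assumes a simplified sudoers syntax (no line continuations or #include directives) and takes the version from the first line of sudo -V.

```sh
#!/bin/sh
# Added example (not from the opennet.ru article): audit sudoers text for the
# "pwfeedback" option and classify a sudo version against the affected range
# given in the article (1.7.1 up to, but excluding, 1.8.31).

# pwfeedback_enabled TEXT: returns 0 if the sudoers text leaves pwfeedback on.
# Comments are stripped, then every Defaults line (any scope: Defaults,
# Defaults:user, Defaults@host, ...) is scanned; "pwfeedback" turns the flag
# on, "!pwfeedback" turns it off, and the last occurrence wins.
pwfeedback_enabled() {
    printf '%s\n' "$1" | sed 's/#.*//' | awk '
        /^[ \t]*Defaults([:@>!][^ \t]+)?[ \t]/ {
            sub(/^[ \t]*Defaults[^ \t]*[ \t]+/, "")
            n = split($0, opt, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", opt[i])
                if (opt[i] == "pwfeedback") on = 1
                else if (opt[i] == "!pwfeedback") on = 0
            }
        }
        END { exit(on ? 0 : 1) }'
}

# version_lt A B: returns 0 if dotted version A sorts before B, comparing each
# field numerically; a patch suffix such as the "p2" in 1.8.21p2 is ignored.
version_lt() {
    a=${1%%p*}; b=${2%%p*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.};; *) a=;; esac
        case $b in *.*) b=${b#*.};; *) b=;; esac
    done
    return 1
}

# sudo_version_affected V: returns 0 when V lies inside the affected range.
sudo_version_affected() {
    ! version_lt "$1" 1.7.1 && version_lt "$1" 1.8.31
}

# Constructed sample (not a real system file): a distribution default that
# enables the option, followed by the override the article recommends.
SAMPLE='Defaults env_reset, pwfeedback   # shipped by the distro
Defaults !pwfeedback'
if pwfeedback_enabled "$SAMPLE"; then echo "sample: pwfeedback ON"; else echo "sample: pwfeedback off"; fi
installed=$(sudo -V 2>/dev/null | awk 'NR == 1 { print $3 }')
if sudo_version_affected "$installed"; then echo "sudo $installed: affected"; else echo "sudo ${installed:-?}: not in affected range"; fi
```

On a real host, run the checks as root against /etc/sudoers and each file in /etc/sudoers.d, since those files are normally not readable by ordinary users.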

Source: opennet.ru
