In utility
If sudoers contains valid but extremely rare rules that allow a certain command to be executed under the UID of any user other than root, an attacker who is authorized to execute this command can bypass the restriction and execute it with root privileges. To bypass the restriction, it is enough to run the command specified in the settings with UID "-1" or "4294967295", which results in its execution with UID 0.
For example, if there is a rule in the settings that gives any user the right to execute the program /usr/bin/id under any UID:
myhost ALL = (ALL, !root) /usr/bin/id
or a variant that allows execution only for a specific user bob:
myhost bob = (ALL, !root) /usr/bin/id
The user can run "sudo -u '#-1' id" and the /usr/bin/id utility will be run as root, despite the explicit prohibition in the settings. The problem is caused by overlooking the special values "-1" or "4294967295", which do not lead to a change of UID; since sudo itself is already running as root, without a change of UID the target command is also run as root.
In SUSE and openSUSE distributions without the "NOPASSWD" rule, the vulnerability
myhost ALL = (ALL, !root) NOPASSWD: /usr/bin/id
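An added example, not part of the original article or of sudo itself: a small Python audit that flags sudoers rules whose Runas list combines ALL with a negated root, and recognises the two numeric "-u" arguments named above so they can be searched for in command logs. The function names are hypothetical, the "!#0" spelling of the exclusion is an assumption beyond the rules shown here, and the parser handles only single-line rules with an explicit Runas list (no Runas_Alias, no line continuations).

```python
import re

# Numeric -u arguments named in the article; both leave the UID unchanged.
NO_CHANGE_UIDS = {-1, 4294967295}

def is_no_change_uid(runas_arg):
    """True for a `sudo -u` argument such as '#-1' or '#4294967295'."""
    m = re.fullmatch(r"#(-?\d+)", runas_arg.strip())
    return bool(m) and int(m.group(1)) in NO_CHANGE_UIDS

def runas_users(rule):
    """Return the Runas user list of a single-line sudoers rule, or []."""
    m = re.search(r"=\s*\(([^)]*)\)", rule)
    if not m:
        return []
    users = m.group(1).split(":", 1)[0]  # drop an optional ':group' part
    return [u.strip() for u in users.split(",") if u.strip()]

def is_affected_rule(rule):
    """True when the Runas list grants ALL and excludes root only by negation."""
    users = runas_users(rule)
    return "ALL" in users and any(u in ("!root", "!#0") for u in users)

def audit(sudoers_text):
    """Return (line_number, rule) pairs for rules matching the pattern."""
    hits = []
    for n, line in enumerate(sudoers_text.splitlines(), 1):
        if line.lstrip().startswith("#"):  # comment or include directive
            continue
        if is_affected_rule(line):
            hits.append((n, line.strip()))
    return hits

# Constructed sample: the article's three rules plus one without the pattern.
SAMPLE = """\
# constructed sudoers sample
myhost ALL = (ALL, !root) /usr/bin/id
myhost bob = (ALL, !root) /usr/bin/id
myhost ALL = (ALL, !root) NOPASSWD: /usr/bin/id
myhost bob = (www-data) /usr/bin/id
"""

if __name__ == "__main__":
    for n, rule in audit(SAMPLE):
        print(f"line {n}: review Runas list: {rule}")
    for arg in ("#-1", "#4294967295", "#1000", "bob"):
        print(arg, "->", is_no_change_uid(arg))
```
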
Issue fixed in release
Source: opennet.ru