Vulnerability in sudo allowing privilege escalation when using specific rules

A vulnerability (CVE-2019-14287) has been identified in the sudo utility, which is used to run commands on behalf of other users. It allows commands to be executed with root rights when the sudoers configuration contains rules whose run-as user specification follows the permissive keyword "ALL" with an explicit prohibition on running as root ("... (ALL, !root) ..."). The vulnerability does not manifest in the default configurations shipped by distributions.

If sudoers contains valid, but extremely rare, rules that allow a certain command to be executed under the UID of any user other than root, an attacker who is permitted to execute that command can bypass the established restriction and run the command with root rights. To bypass the restriction, it is enough to attempt to execute the command specified in the settings with UID "-1" or "4294967295", which leads to it being executed with UID 0.

For example, suppose the settings contain a rule that gives any user the right to execute the program /usr/bin/id under any UID:

myhost ALL = (ALL, !root) /usr/bin/id

or a variant that allows execution only for a specific user bob:

myhost bob = (ALL, !root) /usr/bin/id

The user can run "sudo -u '#-1' id", and the /usr/bin/id utility will be executed as root, despite the explicit prohibition in the settings. The problem is caused by the lack of handling of the special values "-1" and "4294967295": these values do not result in a UID change, and since sudo itself is already running as root, the target command, with no UID change performed, is also run as root.

In SUSE and openSUSE distributions, the vulnerability cannot be exploited without a "NOPASSWD" rule, since sudoers has the "Defaults targetpw" mode enabled by default, which checks the UID against the password database and prompts for the target user's password. On such systems an attack is possible only if there are rules of the form:

myhost ALL = (ALL, !root) NOPASSWD: /usr/bin/id

The issue is fixed in the Sudo 1.8.28 release. The fix is also available as a patch. Among distributions, the vulnerability has already been fixed in Debian, Arch Linux, SUSE/openSUSE, Ubuntu, Gentoo and FreeBSD. As of this writing, the issue remains unresolved in RHEL and Fedora. The vulnerability was identified by security researchers from Apple.
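To check whether a system is exposed, an administrator can look for the two conditions the article names: a sudo release older than 1.8.28, and sudoers rules whose run-as user list grants "ALL" but then excludes root (or another user) with "!". The following audit script is an added example, not part of the article or of the sudo project; the sudoers content and the version banners it parses are constructed samples, and real systems would feed it /etc/sudoers (plus /etc/sudoers.d) and the first line of `sudo -V`.

```python
import re
from typing import List, Tuple

# Constructed sample sudoers content (not taken from any real system); it mixes
# the rule shapes described in the advisory with rules that are not affected.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL = (ALL:ALL) ALL
myhost  ALL = (ALL, !root) /usr/bin/id
myhost  bob = (ALL, !root) NOPASSWD: /usr/bin/id
%admin  ALL = (ALL) ALL
alice   ALL = (www-data, !root) /usr/bin/ls
"""

RUNAS_RE = re.compile(r"\(([^)]*)\)")   # the "(user[:group])" run-as spec
FIXED_VERSION = (1, 8, 28)              # first sudo release with the fix


def affected_rules(sudoers_text: str) -> List[Tuple[int, str, bool]]:
    """Return (line number, rule text, has NOPASSWD) for every rule whose run-as
    user list contains ALL together with at least one '!' exclusion, e.g.
    '(ALL, !root)'.  These are the rules CVE-2019-14287 bypasses on sudo < 1.8.28.
    The NOPASSWD flag matters on systems with 'Defaults targetpw' (SUSE)."""
    hits = []
    for lineno, raw in enumerate(sudoers_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        for spec in RUNAS_RE.findall(line):
            users = spec.split(":", 1)[0]           # user part of "user:group"
            entries = [e.strip() for e in users.split(",") if e.strip()]
            grants_all = "ALL" in entries
            negated = [e for e in entries if e.startswith("!")]
            if grants_all and negated:
                hits.append((lineno, line, "NOPASSWD:" in line))
                break
    return hits


def sudo_is_fixed(version_banner: str) -> bool:
    """Parse the first line of `sudo -V` (e.g. 'Sudo version 1.8.27') and report
    whether the installed release is at least the fixed version 1.8.28."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_banner)
    if not m:
        raise ValueError("unrecognised sudo version banner")
    return tuple(int(x) for x in m.groups()) >= FIXED_VERSION


if __name__ == "__main__":
    for lineno, rule, nopasswd in affected_rules(SAMPLE_SUDOERS):
        print(f"line {lineno}: {rule}  (NOPASSWD={nopasswd})")
```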

Source: opennet.ru
