Researchers have found a buffer overflow vulnerability in the Linux sudo program that means an ordinary user could give themselves root privileges.
The sudo command lets users act at higher security privilege levels – either as a superuser or some other user profile – so they can perform certain tasks without having full root access.
It’s a common way of managing user access, and one that amateur Linux enthusiasts are familiar with because it keeps them from accidentally breaking something in their system.
The now-patched bug had been sitting in the sudo code since July 2011 when a research team at Qualys discovered the niche vulnerability.
“Qualys security researchers have been able to independently verify the vulnerability and develop multiple variants of exploit and obtain full root privileges on Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2),” vulnerability signatures product manager Animesh Jain said in a blog post.
“Other operating systems and distributions are also likely to be exploitable.
“As soon as the Qualys research team confirmed the vulnerability, Qualys engaged in responsible vulnerability disclosure and coordinated with sudo’s author and open source distributions to announce the vulnerability.”
In a run-down of the exploit, Jain explains that it is triggered by a command-line argument that ends with a single backslash character.
That backslash causes the sudo program to read past the end of the argument and copy the characters beyond its bounds into its buffer.
Characters copied in this way are not counted in the buffer’s size, so they overflow it, and the overflow can be exploited to gain root access to the system.
But first the researchers needed to find a way around the sudo program’s defenses, since sudo escapes special characters such as a backslash before they reach the vulnerable code.
Qualys’s team found a workaround that involved executing “sudoedit -s”, which changes the shell settings and avoids the code that forces special characters to be escaped.
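The size mismatch described above, as an added example (a simplified model written for this article, not sudo's source code): it counts the bytes an unescaping copy would write for an argument that ends in a single backslash, beside a hardened form that keeps the trailing backslash as a literal. The memory image, the function names and the `hardened` flag are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed memory image (not real sudo data): one argument that ends in a
 * single backslash, its NUL terminator, then unrelated neighbouring bytes. */
static const char IMAGE[] = "abc\\\0NEIGHBOUR";

/* Space a caller would reserve from the visible length: characters + NUL. */
size_t reserved_size(const char *arg)
{
    return strlen(arg) + 1;
}

/* Count the bytes an unescaping copy would write for the argument at mem,
 * terminator included. limit bounds every read so the model stays inside
 * IMAGE; a real out-of-bounds read has no such guard. */
size_t bytes_written(const char *mem, size_t limit, int hardened)
{
    size_t i = 0, out = 0;

    while (i < limit && mem[i] != '\0') {
        if (mem[i] == '\\' && i + 1 < limit) {
            int at_end = (mem[i + 1] == '\0');
            /* Naive form: drop the backslash and take the next byte, even
             * when that byte is the terminator. Hardened form: a backslash
             * directly before the terminator is kept as a literal. */
            if (!(hardened && at_end))
                i++;
        }
        out++; /* one byte copied from mem[i] */
        i++;
    }
    return out + 1; /* plus the terminator written after the copy */
}

int main(void)
{
    size_t limit = sizeof(IMAGE);
    printf("reserved: %zu\n", reserved_size(IMAGE));
    printf("naive:    %zu\n", bytes_written(IMAGE, limit, 0));
    printf("hardened: %zu\n", bytes_written(IMAGE, limit, 1));
    return 0;
}
```

In the naive form the copy steps over the terminator and keeps going through the neighbouring bytes, so it writes more than was reserved; the hardened form writes exactly the reserved size.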
Qualys confirmed the vulnerability worked on current versions of sudo on common Linux distributions such as Ubuntu, Debian, and Fedora, which have been patched along with enterprise distributions including Amazon Linux, Red Hat, and Oracle Enterprise Linux.