Apple specialist Joe Vennix found a vulnerability (CVE-2019-14287) in the sudo command in Linux that allows unprivileged users to run commands as root. Fortunately, the problem only occurs with non-standard configuration settings and does not affect most Linux servers.

The sudo (super user do) command allows unprivileged users who have been given authorisation, or who know the root password, to run commands as root on Linux machines. Sudo can also be configured to run commands on behalf of another user (except the root user) by adding special instructions to the configuration file /etc/sudoers.

The vulnerability arises when the sudo configuration allows users to run commands on behalf of other users. By adding -u#-1 to the command line, they can bypass the restrictions and execute arbitrary commands with root privileges.

For example, suppose the administrator of the server mybox created a sudo user named bob by adding the line bob mybox = (ALL,!root) /usr/bin/vi to the configuration file. The idea is that this gives the user bob the ability to run the text editor Vi with the privileges of any user except the superuser. However, if bob runs the command sudo -u#-1 vi, he can start Vi with root privileges.

Why is this happening? For example, -u#1234 can be used on the sudo command line to run a command, in this case Vi, as the user with identifier (ID) 1234. Sudo passes the ID value to the setresuid and setreuid system calls to change the effective user ID of the command.

As a result, -u#-1 passes -1 to those calls as the new effective user ID. The system call treats that ID as a special value and does not change the user ID. Since sudo is already running as root, the command started with -1 continues to run as root. Interestingly, user ID 4294967295 was also able to circumvent the restrictions because, interpreted as a signed 32-bit integer, it is equal to -1.

To avoid potential attacks using this vulnerability, users are strongly recommended to update sudo to version 1.8.28 or later. In the updated version, sudo no longer accepts -1 as a user identifier, so the vulnerability can no longer be exploited.
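
The mechanism described above, and the kind of check that closes it, can be seen in a short C program. This is an added example, not sudo's source code: the function names are hypothetical, the lax parser is a simplified model of the flaw, and a 32-bit unsigned uid_t (as on Linux) is assumed. The setreuid call with -1 changes nothing, so the program behaves the same for any user.

```c
#define _XOPEN_SOURCE 700   /* for setreuid() under strict -std modes */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#define UID_NOCHANGE ((uid_t)-1)  /* value the set*uid() calls treat as "keep" */

/* Lax parser (simplified model of the flaw, not sudo's source): any integer
 * is cast to uid_t, so "-1" and "4294967295" both become (uid_t)-1. */
static uid_t parse_uid_lax(const char *s) {
    return (uid_t)strtoll(s, NULL, 10);
}

/* Runas policy (ALL,!root) reduced to its numeric effect: any UID but 0. */
static int runas_allowed(uid_t uid) { return uid != 0; }

/* Strict parser: returns the UID, or -1 for junk, negative numbers,
 * out-of-range values and the reserved (uid_t)-1 itself. */
static long long parse_uid_strict(const char *s) {
    char *end;
    errno = 0;
    long long v = strtoll(s, &end, 10);
    if (errno || end == s || *end != '\0') return -1;
    if (v < 0 || v >= (long long)UID_NOCHANGE) return -1;
    return v;
}

/* Hands the ID to setreuid(); returns 1 if the effective UID is unchanged
 * afterwards, 0 if it changed, -1 if the call failed. */
static int euid_kept_after(uid_t target) {
    uid_t before = geteuid();
    if (setreuid(target, target) != 0) return -1;
    return geteuid() == before;
}

int main(void) {
    const char *in[] = {"1234", "-1", "4294967295", "0"};  /* constructed */
    for (size_t i = 0; i < sizeof in / sizeof in[0]; i++) {
        uid_t lax = parse_uid_lax(in[i]);
        printf("%-10s lax=%-10u policy=%-5s strict=%s\n", in[i], (unsigned)lax,
               runas_allowed(lax) ? "allow" : "deny",
               parse_uid_strict(in[i]) < 0 ? "reject" : "accept");
    }
    printf("euid kept after setreuid(-1,-1): %d\n", euid_kept_after(UID_NOCHANGE));
    return 0;
}
```

The lax path lets both -1 and 4294967295 through the "not root" policy check, and the kernel then leaves the caller's IDs untouched; the strict parser rejects both inputs before any policy decision is made.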
