If your PC runs Linux, you must update Sudo now

Despite the fact that tens of thousands of contributors actively study the Linux kernel source code and the various Unix utilities for security holes, it is not unheard of for serious bugs to go unnoticed. Just a day ago, Qualys researchers disclosed a heap-based buffer overflow in the “Sudo” program that can be used to gain root access. The bug this time is quite serious, and it has existed in the code base for almost 10 years! Although the privilege escalation vulnerability has already been fixed, unpatched systems running almost any Linux distribution, as well as several Unix-like operating systems, can potentially be exploited.


Enter Baron Samedit

Formally classified as CVE-2021-3156, the vulnerability has been nicknamed Baron Samedit. The nickname is a pun on Baron Samedi and the sudoedit utility, as the latter is used in one of the exploitation paths. By exploiting this vulnerability, any unprivileged local user can gain unrestricted root privileges on the vulnerable host. In more technical terms, the bug concerns the size of the heap-allocated “user_args” buffer (which is used for sudoers matching and logging): because backslashes in the command-line arguments are unescaped incorrectly, an attacker can overflow that buffer and ultimately obtain root privileges.

Why Baron Samedit is a critical vulnerability

The vulnerable code dates back to July 2011, and the bug affects all legacy versions of Sudo from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1 in their default configuration. The vulnerability is considered quite trivial to exploit: the local user does not need to be privileged or listed in the sudoers file. As a result, any device running even a very modern Linux distribution can fall victim to this bug. In fact, Qualys researchers were able to obtain full root privileges on Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27) and Fedora 33 (Sudo 1.9.2).

We at XDA generally welcome the ability for regular users to gain root access, but we do not celebrate the existence of root exploits like this one, especially one that is so widespread and potentially so dangerous for end users. The vulnerability was fixed in sudo 1.9.5p2, released yesterday at the same time that Qualys made its findings public. We urge our readers to update to sudo 1.9.5p2 or later as soon as possible.

[Image: xkcd “sudo sandwich” comic]

Source: xkcd

How to check if you are affected by Baron Samedit

If you want to test whether your Linux environment is vulnerable, log in to the system as a non-root user and run the following command:

sudoedit -s /

A vulnerable system responds with an error message that begins with sudoedit:. If the system has already been patched, it instead prints a message that begins with usage:.
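As an added example (not part of the XDA article, and not Qualys's or the sudo project's code), the following POSIX shell script wraps that check in a small defender-side audit: it classifies the installed sudo version against the affected ranges listed above, runs the `sudoedit -s /` probe if sudoedit is present, and classifies the first line the probe prints. The function names and the sample error lines in the comments are my own constructions, and the `sudo --version` output format (`Sudo version 1.8.31`) is an assumption.

```shell
#!/bin/sh
# Added example, not from the XDA article or from Qualys/sudo.
# Checks a host against CVE-2021-3156 ("Baron Samedit") two ways:
#   1. by sudo version string, against the ranges the article lists
#   2. by the sudoedit -s / probe, which does not need root or sudoers rights

# Turn "1.8.31p2" into one integer so plain -lt/-le comparisons work.
# Split on '.' or 'p'; a missing component (e.g. no pN suffix) counts as 0.
version_key() {
    printf '%s' "$1" | awk -F'[.p]' \
        '{ printf "%d", $1 * 1000000 + $2 * 10000 + $3 * 100 + $4 }'
}

# Prints "affected" if VERSION is in 1.8.2..1.8.31p2 or 1.9.0..1.9.5p1
# (the affected ranges stated in the article), otherwise "not-listed".
sudo_version_status() {
    k=$(version_key "$1")
    if [ "$k" -ge "$(version_key 1.8.2)" ] && [ "$k" -le "$(version_key 1.8.31p2)" ]; then
        echo affected
    elif [ "$k" -ge "$(version_key 1.9.0)" ] && [ "$k" -le "$(version_key 1.9.5p1)" ]; then
        echo affected
    else
        echo not-listed
    fi
}

# Extract the version from `sudo --version` (assumed first line "Sudo version X").
installed_sudo_version() {
    sudo --version 2>/dev/null | sed -n 's/^Sudo version \([0-9.p]*\).*/\1/p' | head -n 1
}

# Classify the first line of output from `sudoedit -s /`:
#   a line starting with "sudoedit:" => vulnerable   (constructed sample:
#                                        "sudoedit: /: not a regular file")
#   a line starting with "usage:"    => patched      (constructed sample:
#                                        "usage: sudoedit [-AknS] ...")
classify_probe_output() {
    case "$1" in
        sudoedit:*) echo vulnerable ;;
        usage:*)    echo patched ;;
        *)          echo unknown ;;
    esac
}

# Run the probe on this machine as the current (non-root) user.
# stdin is /dev/null so sudo cannot block waiting for a password.
run_probe() {
    command -v sudoedit >/dev/null 2>&1 || { echo "sudoedit not installed"; return 0; }
    first_line=$(sudoedit -s / 2>&1 </dev/null | head -n 1)
    classify_probe_output "$first_line"
}

# Report both results when run as a script.
v=$(installed_sudo_version)
if [ -n "$v" ]; then
    echo "sudo $v: $(sudo_version_status "$v")"
else
    echo "sudo not found"
fi
echo "probe: $(run_probe)"
```

Treat the probe as the authoritative result: a distribution that backports the fix without bumping the version string will still be reported as "affected" by the version check alone, while a patched binary answers the probe with the usage: message.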


Source: Qualys Blog
Via: BleepingComputer