Root access to a system is one of the main goals attackers pursue, because it gives them full control. In this article we report on a vulnerability that affects Sudo and would allow any user to obtain administrator privileges. It is a flaw that can certainly compromise a system if it ends up in the wrong hands. We are going to explain what it consists of.
A bug in Sudo gives any user administrator access
Sudo is a program for Unix systems, including Linux, that allows a privileged system administrator to carry out certain changes and actions that are restricted for normal users.

This bug that affects Sudo allows any normal user, without administrator permissions, to obtain root permissions and carry out any changes or actions they want. All this without requiring any type of authentication.
Root is the superuser of the system: a special account used to manage important changes, install applications that may cause some kind of problem on the computer, and so on. It is needed for essentially all the significant changes that can be made on a Linux machine.
A normal user, without privileges, can use the Sudo command to act as root. To do so, the user must have the necessary permissions or know the administrator password. This vulnerability, registered as CVE-2021-3156, is a privilege escalation. It was discovered on January 13 by a group of Qualys security researchers, who waited for patches to be available before making it public.
We can therefore say that this bug has already been corrected. It is very important that users install the latest updates to fix it.
Qualys researchers indicate that the problem is due to a buffer overflow exploitable by any local user (normal users and system users, listed in the sudoers file or not), and attackers are not required to know the user’s password to successfully exploit this vulnerability.
The buffer overflow that allows any local user to gain root privileges is triggered when Sudo incorrectly removes backslashes in arguments.

Three exploits
Qualys created three exploits for CVE-2021-3156 to show how potential attackers can successfully abuse this vulnerability. Using these exploits, the researchers were able to gain full administrator privileges on multiple Linux distributions, including Debian 10 (Sudo 1.8.27), Ubuntu 20.04 (Sudo 1.8.31), and Fedora 33 (Sudo 1.9.2). These are some of the most popular distributions.
Qualys says that other distributions and operating systems that support Sudo could probably also be exploited using exploits for CVE-2021-3156.
Sudo contributors fixed the vulnerability in sudo 1.9.5p2, which was released at the same time that Qualys publicly disclosed its findings. All users should therefore install this updated version to be properly protected.
To test whether a system is vulnerable, we can log in as a non-root user and run the command “sudoedit -s /”. Vulnerable systems will return an error starting with “sudoedit:”, while patched ones will show an error starting with “usage:”.
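The check described above can be scripted for use across several machines. This is an added example, not code from Qualys or the Sudo project; the function names, the `--check` argument and the sample messages in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the result of the "sudoedit -s /" test for CVE-2021-3156.

# classify_sudoedit_output TEXT
# Prints "vulnerable", "patched" or "inconclusive" depending on how the first
# non-empty line of TEXT starts, following the rule given in the article.
# Constructed samples: "sudoedit: /: not a regular file", "usage: sudoedit ...".
classify_sudoedit_output() {
    first_line=$(printf '%s\n' "$1" | sed -n '/[^[:space:]]/{p;q;}')
    case "$first_line" in
        sudoedit:*) echo vulnerable ;;
        usage:*)    echo patched ;;
        *)          echo inconclusive ;;   # empty output, shell errors, etc.
    esac
}

# check_host: run the test on the local machine from a non-root account.
check_host() {
    if [ "$(id -u)" -eq 0 ]; then
        echo "inconclusive: run this as a non-root user"
        return 2
    fi
    if ! command -v sudoedit >/dev/null 2>&1; then
        echo "inconclusive: sudoedit not found in PATH"
        return 2
    fi
    # LC_ALL=C keeps sudo's messages untranslated so the prefix match works.
    output=$(LC_ALL=C sudoedit -s / 2>&1 </dev/null) || true
    verdict=$(classify_sudoedit_output "$output")
    # Report the installed version next to the verdict for the patch record.
    echo "$verdict: $(sudo -V 2>/dev/null | head -n 1)"
    [ "$verdict" = patched ]
}

# Only touch the host when explicitly asked to.
if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

Run with `--check`, the script exits 0 only when the host reports the patched behaviour, so it can gate a compliance job; an "inconclusive" result should be followed up by hand.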