If your PC is running Linux, you need to update Sudo now

Despite the fact that tens of thousands of contributors actively dig into the Linux kernel source code and the various Unix utilities looking for security holes, it is not uncommon for serious bugs to go unnoticed. Just a day ago, the folks at Qualys revealed a new heap-based buffer overflow in the “Sudo” program that can be used to gain root access. The bug is serious, and it has been present in the codebase for almost 10 years. Although the privilege escalation vulnerability has already been fixed, it could potentially be exploited on almost all Linux distributions and several Unix-like operating systems.


Enter Baron Samedit

Formally cataloged as CVE-2021-3156, the vulnerability has been named Baron Samedit. The nickname seems to be a play on Baron Samedi and the sudoedit utility, since the latter is used in one of the exploitation paths. By exploiting this vulnerability, any local unprivileged user can gain unrestricted root privileges on the vulnerable host. In more technical terms, the bug lies in how sudo sizes and fills the “user_args” heap buffer (which is used for sudoers matching and logging): because backslashes in the command-line arguments are not properly escaped in one code path, sudo writes past the end of that buffer, and a local user can turn this heap overflow into root privileges.

Why Baron Samedit is a critical vulnerability

The vulnerable code dates back to July 2011, and it affects all legacy versions of Sudo from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1 in their default configuration. The vulnerability is said to be fairly simple to exploit: the local user does not need to be a privileged user or to be listed in the sudoers file. As a result, any device running even a fairly modern Linux distribution can potentially fall victim to this bug. In fact, Qualys researchers were able to gain full root privileges on Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2).

At XDA, we generally like the ability for regular users to gain root access, but we don’t celebrate the existence of root exploits like this one, especially one that is so widespread and potentially so dangerous for end users. The vulnerability was corrected in sudo version 1.9.5p2, released yesterday at the same time Qualys made its findings public. Our readers are urged to upgrade to sudo 1.9.5p2 or later as soon as possible.

Image: xkcd “sudo” sandwich comic. Source: xkcd

How to check if you are affected by Baron Samedit

If you want to test whether your Linux environment is vulnerable or not, log into the system as a non-root user and then run the following command:

sudoedit -s /

A vulnerable system responds with an error message starting with sudoedit:. If the system is already patched, it instead prints an error message starting with usage:. Note that this command only probes the bug; it does not change anything on the system.
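The check above, turned into a small defensive script, as an added example that is not part of the original article or of the sudo project. It classifies the output of the sudoedit probe exactly as described (an error starting with sudoedit: means vulnerable, one starting with usage: means patched) and, as a second signal, tests the version string reported by sudo --version against the affected ranges the article lists (1.8.2 to 1.8.31p2 and 1.9.0 to 1.9.5p1). The function names, the sample output strings used in the comments and the integer version-key scheme are all assumptions made for this example:

```shell
#!/bin/sh
# Added example (not from the article or from the sudo project):
# classify the "sudoedit -s /" probe and the reported sudo version.

# classify_probe OUTPUT -> prints "vulnerable", "patched" or "unknown",
# following the article: a vulnerable sudo complains "sudoedit: ...",
# a patched one rejects the -s flag with "usage: ...".
classify_probe() {
    case "$1" in
        sudoedit:*) echo "vulnerable" ;;
        usage:*)    echo "patched" ;;
        *)          echo "unknown" ;;
    esac
}

# parse_sudo_version LINE -> extracts "1.8.31p2" from a line such as
# "Sudo version 1.8.31p2" (the first line printed by "sudo --version").
parse_sudo_version() {
    printf '%s\n' "$1" | sed -n 's/^Sudo version \([0-9][0-9.p]*\).*/\1/p'
}

# version_key VERSION -> a single integer so that ranges can be compared
# with plain shell arithmetic (assumed scheme: major*10^6 + minor*10^4 +
# patch*10^2 + p-level, so 1.8.31p2 becomes 1083102 and 1.9.0 becomes 1090000).
version_key() {
    printf '%s\n' "$1" | awk -F'[.p]' \
        '{ printf "%d\n", $1*1000000 + $2*10000 + $3*100 + ($4 == "" ? 0 : $4) }'
}

# version_affected VERSION -> exit status 0 if VERSION falls inside the
# affected ranges given in the article (1.8.2..1.8.31p2, 1.9.0..1.9.5p1).
version_affected() {
    k=$(version_key "$1")
    if [ "$k" -ge 1080200 ] && [ "$k" -le 1083102 ]; then return 0; fi
    if [ "$k" -ge 1090000 ] && [ "$k" -le 1090501 ]; then return 0; fi
    return 1
}

# host_report -> runs both checks on the current machine when sudo is
# installed; stdin is redirected from /dev/null so the probe never waits
# for a password.
host_report() {
    if ! command -v sudo >/dev/null 2>&1; then
        echo "sudo not installed: nothing to check"
        return 0
    fi
    ver=$(parse_sudo_version "$(sudo --version 2>/dev/null | head -n 1)")
    if [ -n "$ver" ]; then
        if version_affected "$ver"; then
            echo "sudo $ver: version is in the affected range (CVE-2021-3156)"
        else
            echo "sudo $ver: version is outside the affected range"
        fi
    fi
    if command -v sudoedit >/dev/null 2>&1; then
        out=$(sudoedit -s / 2>&1 </dev/null) || true
        echo "probe result: $(classify_probe "$out")"
    fi
}

# Run the live report only when executed directly, not when sourced.
case "$0" in
    *sh) ;;
    *) host_report ;;
esac
```

The version check is only a hint: distributions routinely backport the fix without bumping the upstream version number, so a version inside the affected range is not proof of exposure, while the sudoedit probe reflects what the installed binary actually does and should be trusted over the version string.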


Source: Qualys Blog
Via: Bleeping Computer
