Hi, I recently read an article about a new bug in the program sudo and just want to show exactly how it works.
The vulnerability is a rather old one: sudo interprets a user ID of -1 or 0xffffffff as 0. The problem was already fixed in version 1.8.28, but not everyone has updated. In a Debian 9 VM I still have sudo version 1.8.21p2 installed, so it should be affected as well.
Okay, let's go. What exactly does this loophole do? In short, it allows commands to be executed as the root user even though you don't have root privileges. Sudo lets you execute commands as another user. If you look at the file /etc/sudoers you can see how the users are configured. Here you can enter users who may execute, for example, only a single command as root or as another user.
In the upper line you can see the user root, who can execute all commands on all hosts with root rights. Such an entry is always structured like this:
<Who> <Host>=(<User>:<Group>) <Command/s>
You can see quite quickly how simply such a line is constructed. For the user temp I have also made an entry. For the user temp you can see that he is only allowed to execute the command id. Another addition I made is that this command must not be executed as the group/user root. And this is exactly the point where the bug occurs. Let's just run the command sudo id and see what happens.
Ok, so we are not allowed to do that. But if you give -1 as the user ID, which is nothing other than 0xffffffff, or simply 4294967295, and try this with an unpatched sudo, the root user should appear in the output.
You can see that the user ID of the root user is output here in the "uid" field, so the command ran as root. Why exactly does this happen? Well, the program obviously did not check whether the given user ID exists at all, and with these two numbers sudo evaluates it as 0. It would be even more fun if the user temp could execute another command instead of id, or simply all possible commands. For this, only the command in the file /etc/sudoers has to be changed from id to ALL.
Yeah, now it gets really interesting, because if the user now enters another command instead of id, e.g. bash or sh, he gets a root shell.
As you can see, the user temp is now root on the system and can do whatever he wants, whenever he wants.
But that's the good news about this: you rarely find this configuration. It would, however, be an interesting thing at CTFs.
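As a defender-side check for the configuration described above (an added example, not from the original post): a small Python audit that parses sudoers entries in the `<Who> <Host>=(<User>:<Group>) <Command/s>` form, flags runas specs that grant `ALL` while excluding `!root`, and compares the installed sudo version against the 1.8.28 fix. The sudoers content and the version strings are constructed samples.

```python
import re

# Fix version named in the post: anything older is treated as affected.
FIXED_VERSION = (1, 8, 28)

# Constructed sample sudoers content mirroring the post's two entries
# (plus one harmless entry); not a real system file.
SAMPLE_SUDOERS = """\
# constructed sample
root    ALL=(ALL:ALL) ALL
temp    ALL=(ALL, !root) /usr/bin/id
alice   ALL=(bob) /usr/bin/ls
"""

# <Who> <Host>=(<User>[:<Group>]) <Command/s>
ENTRY_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$"
)


def parse_version(text: str):
    """Turn '1.8.21p2' into (1, 8, 21); the Debian 'p' patch level is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised sudo version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(text: str) -> bool:
    return parse_version(text) < FIXED_VERSION


def risky_entries(sudoers_text: str):
    """Return (who, commands) for entries whose runas *user* list contains
    ALL together with !root, i.e. the pattern the post describes."""
    hits = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        runas_user = m.group("runas").split(":", 1)[0]      # drop ':<Group>' part
        parts = [p.strip() for p in runas_user.split(",")]
        if "ALL" in parts and "!root" in parts:
            hits.append((m.group("who"), m.group("cmds").strip()))
    return hits


def audit(sudoers_text: str, sudo_version: str) -> dict:
    """Combine both checks; both must hold for the bug to be reachable."""
    return {"vulnerable_version": is_vulnerable_version(sudo_version),
            "risky": risky_entries(sudoers_text)}
```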
I hope I could bring this bug a little closer to you and show what it's all about 😄