If your computer runs Linux, you need to update sudo now

Even though tens of thousands of contributors comb through the source code of the Linux kernel and the many Unix userland programs for security flaws, it is not unheard of for serious bugs to go unnoticed for years. Just a day ago, researchers at Qualys disclosed a new heap-based buffer overflow in the “sudo” program that can be used to gain root access. This one looks particularly serious: the bug has been sitting in the code base for almost ten years. Although the privilege escalation vulnerability has now been patched, it could be exploited on almost every Linux distribution and on various other Unix-like operating systems.


Enter Baron Samedit

The vulnerability has been formally assigned CVE-2021-3156 and nicknamed Baron Samedit. The moniker is a play on Baron Samedi and the sudoedit utility, since sudoedit is used in one of the paths that triggers the bug. By exploiting this vulnerability, any unprivileged local user can gain unrestricted root privileges on a vulnerable host. In more technical terms, sudo sizes the “user_args” buffer (which holds the command's arguments for sudoers matching and logging) from the raw argument lengths, but the loop that then copies the arguments into it also unescapes backslashes. On the sudoedit path the arguments were never escaped in the first place, so a single trailing backslash makes the copy treat the argument's terminating NUL as an escaped character, run past it into the next argument in memory and overflow the heap buffer, which an attacker can turn into root privileges.
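To make that mechanism concrete, below is a self-contained model of the two pieces of logic involved: the size calculation (strlen()+1 per argument) and the unescaping copy loop. This is example code written for this article, not sudo's own source; the argument area, the `demo_argv` layout and the `hardened` flag are constructed for illustration. The kernel places argv strings back to back in memory, which is why the copy, once past the NUL, keeps reading the next argument's bytes. Writes in the model are clamped to the destination so the example itself never corrupts memory; the return value records how many bytes the loop wanted to write.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed argument area (not a real process's argv): the kernel lays argv
 * strings out back to back, so argv[1] = "\" is immediately followed in memory
 * by argv[2] = sixteen 'A's.  A lone trailing backslash is exactly what the
 * sudoedit -s path lets through without the front-end's escaping. */
static const char arg_area[] = "\\\0AAAAAAAAAAAAAAAA";
static const char *const demo_argv[] = { "sudoedit", arg_area, arg_area + 2, NULL };

/* Size sudo allocates for user_args: strlen()+1 for every argument. */
static size_t user_args_alloc(const char *const argv[])
{
    size_t size = 0;
    for (const char *const *av = argv + 1; *av; av++)
        size += strlen(*av) + 1;
    return size;
}

/* Model of the unescaping copy loop.  Writes are clamped to `cap` so this
 * model never corrupts memory; the return value is how many bytes the loop
 * WANTED to write.  With hardened == 0, a backslash followed by NUL counts as
 * an escape: the NUL is copied and the loop walks into the next argument. */
static size_t unescape_args(const char *const argv[], char *dst, size_t cap, int hardened)
{
    size_t to = 0;
    const char *from;
    for (const char *const *av = argv + 1; (from = *av) != NULL; av++) {
        while (*from) {
            if (from[0] == '\\' && !isspace((unsigned char)from[1])
                && (!hardened || from[1] != '\0'))
                from++;                      /* drop the backslash, copy what follows */
            if (to < cap) dst[to] = *from;
            to++; from++;
        }
        if (to < cap) dst[to] = ' ';         /* arguments are joined with spaces */
        to++;
    }
    if (to > 0 && to - 1 < cap) dst[to - 1] = '\0';   /* last space becomes the terminator */
    return to;
}

/* Bytes the copy writes beyond the allocation; 0 means it stayed in bounds. */
static long overflow_bytes(int hardened)
{
    char scratch[128];
    size_t alloc = user_args_alloc(demo_argv);
    size_t wrote = unescape_args(demo_argv, scratch, sizeof scratch, hardened);
    return (long)wrote - (long)alloc;
}

int main(void)
{
    printf("allocated %zu bytes for user_args\n", user_args_alloc(demo_argv));
    printf("vulnerable loop overruns the buffer by %ld bytes\n", overflow_bytes(0));
    printf("hardened loop overruns the buffer by %ld bytes\n", overflow_bytes(1));
    return 0;
}
```

With the constructed arguments the allocation is 19 bytes, the vulnerable loop tries to write 35 (a NUL, then the sixteen bytes of the neighbouring argument, then the arguments proper), and the hardened loop writes exactly 19. The `hardened` branch models one part of the upstream fix, refusing to treat a backslash followed by NUL as an escape; upstream additionally stopped the sudoedit path from reaching this unescaping code at all.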

Why Baron Samedit is a Critical Vulnerability

The vulnerable code dates back to July 2011 and affects all legacy sudo versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1 in their default configuration. The flaw is also said to be fairly trivial to exploit: the local user does not need to be privileged or be listed in the sudoers file. As a result, practically any device running a reasonably modern Linux distribution could fall victim to this bug. In fact, Qualys researchers were able to obtain full root privileges on Ubuntu 20.04 (sudo 1.8.31), Debian 10 (sudo 1.8.27) and Fedora 33 (sudo 1.9.2).

We at XDA generally welcome the ability for regular users to gain root access, but we do not celebrate the existence of root exploits like this one, especially not one that is so widespread and potentially so dangerous to end users. The vulnerability was fixed in sudo 1.9.5p2, released yesterday at the same time Qualys made its findings public. Our readers are urged to upgrade to sudo 1.9.5p2 or later, or to their distribution's patched package, as soon as possible.

[Image: xkcd “Sandwich” comic (“sudo make me a sandwich”)]

Source: xkcd

How to see if you are affected by Baron Samedit

To test whether your Linux system is vulnerable, log in as a non-root user and run the following command:

sudoedit -s /

A vulnerable system responds with an error message beginning with sudoedit: (for example that / is not a regular file), because it accepted the -s flag and went on to attempt the edit. A patched system no longer accepts -s together with sudoedit and instead prints a usage message beginning with usage:. Because distributions backport the fix without changing the upstream version string (Ubuntu 20.04's fixed package, for instance, still reports sudo 1.8.31), this behavioural check is more reliable than comparing the output of sudo -V against 1.9.5p2.


Source: Qualys Blog
Via: Bleeping Computer
