Recently Qualys researchers found a Sudo vulnerability, tracked as CVE-2021-3156, that has allowed any local user to gain root privileges on Unix-like operating systems without authentication.
Sudo is one of the most important, powerful, and commonly used utilities that comes as a core command pre-installed on macOS and almost every UNIX or Linux-based operating system.
sudo is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user, by default the superuser. It originally stood for “superuser do” as the older versions of sudo were designed to run commands only as the superuser.
The Sudo CVE-2021-3156 vulnerability, dubbed Baron Samedit, is a heap-based buffer overflow that was reported on January 13th and disclosed at the end of January to give the development team the time to address the issue.
“When sudo runs a command in shell mode, either via the -s or -i command line option, it escapes special characters in the command’s arguments with a backslash. The sudoers policy plugin will then remove the escape characters from the arguments before evaluating the sudoers policy (which doesn’t expect the escape characters) if the command is being run in shell mode.” states the advisory published by the Sudo team.
“A bug in the code that removes the escape characters will read beyond the last character of a string if it ends with an unescaped backslash character. Under normal circumstances, this bug would be harmless since sudo has escaped all the backslashes in the command’s arguments. However, due to a different bug, this time in the command line parsing code, it is possible to run sudoedit with either the -s or -i options, setting a flag that indicates shell mode is enabled. Because a command is not actually being run, sudo does not escape special characters. Finally, the code that decides whether to remove the escape characters did not check whether a command is actually being run, just that the shell flag is set. This inconsistency is what makes the bug exploitable.”
News of the day is that the CVE-2021-3156 flaw also impacts the latest version of Apple macOS Big Sur, and Apple has yet to address it. The latest security patches released by Apple on Monday doesn’t fix the flaw.
Qualys researchers developed three exploits for this flaw that allowed them to achieve full root privileges on major Linux distributions, including Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2). Experts pointed out that the CVE-2021-3156 exploits could also work on other distributions.
Below a video PoC for the CVE-2021-3156 vulnerability can be exploited is embedded below.
The Sudo contributors addressed the flaw with the release of the 1.9.5p2 version.
The British researcher Matthew Hickey, the founder of Hacker House, declared on Twitter that the issue also impacts Apple MacOS Big Sur
Hickey demonstrated that it is possible to exploit the CVE-2021-3156 vulnerability to grant attackers access to macOS root accounts.
“To trigger it, you just have to overwrite argv or create a symlink, which therefore exposes the OS to the same local root vulnerability that has plagued Linux users the last week or so.” Hickey explained to ZDNet.
Hickey also shared a Proof-of-Concept (PoC) exploit code for the above vulnerability.
Will Dormann, security expert at the Carnegie Mellon University’s CERT Coordination Center, also confirmed that the issue affects macOS Big Sur on both x86_64 and aarch64.
Another prominent cybersecurity expert, the former NSA white hat hacker Patrick Wardle, also confirmed that the vulnerability impacts the latest macOS version.
Hickey reported the issue to Apple today, experts believe the IT giant will address the issue as soon as possible.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, macOS)