Buffer overflow in command line unescaping
A serious heap-based buffer overflow has been discovered in sudo that is exploitable by any local user. It has been given the name Baron Samedit by its discoverer. The bug can be leveraged to elevate privileges to root, even if the user is not listed in the sudoers file. User authentication is not required to exploit the bug.
Sudo versions 1.7.7 through 1.7.10p9, 1.8.2 through 1.8.31p2, and 1.9.0 through 1.9.5p1 are affected.
This vulnerability has been assigned CVE-2021-3156 in the Common Vulnerabilities and Exposures database.
When sudo runs a command in shell mode, either via the -s or -i command line option, it escapes special characters in the command’s arguments with a backslash. The sudoers policy plugin will then remove the escape characters from the arguments before evaluating the sudoers policy (which doesn’t expect the escape characters) if the command is being run in shell mode.
A bug in the code that removes the escape characters will read
beyond the last character of a string if it ends with an unescaped
backslash character. Under normal circumstances, this bug would
be harmless since sudo has escaped all the backslashes in the
command’s arguments. However, due to a different bug, this time
in the command line parsing code, it is possible to run
with either the -s or -i options,
setting a flag that indicates shell mode is enabled. Because a
command is not actually being run, sudo does not
escape special characters. Finally, the code that decides whether
to remove the escape characters did not check whether a command is
actually being run, just that the shell flag is set. This inconsistency
is what makes the bug exploitable.
To test whether your version of sudo is vulnerable, the following command can be used:
sudoedit -s /
A vulnerable version of sudo will either prompt for a password or display an error similar to:
sudoedit: /: not a regular file
A patched version of sudo will simply display a usage statement, for example:
usage: sudoedit [-AknS] [-a type] [-C num] [-c class] [-D directory] [-g group] [-h host] [-p prompt] [-R directory] [-T timeout] [-u user] file ...
If the sudoers plugin has been patched but the sudo front-end has not, the following error will be displayed:
sudoedit: invalid mode flags from sudo front end: 0x20002
Patching either the sudo front-end or the sudoers plugin is sufficient to prevent exploitation, but applying the complete patch is the safest approach.
For more information, see The Qualys advisory.
A local user may be able to exploit sudo to elevate privileges to root as long as the sudoers file (usually /etc/sudoers) is present.
None. Sudo version 1.8.32, 1.9.5p2 or a patched vendor-supported version must be installed.
The bug is fixed in sudo 1.8.32 and 1.9.5p2.
Thanks to the Qualys Security Advisory team for their detailed bug report and explanation of its implications.