Privilege escalation vulnerability found in Linux sudo: any user can run commands as root

Linux users, take note! According to foreign media reports, a privilege escalation vulnerability has been discovered in Linux sudo that can completely bypass the sudo security policy.

In brief, the report says sudo has a security policy bypass: even if the sudoers configuration explicitly disallows running as root, a malicious user or program can still use the vulnerability to execute arbitrary commands as root on the target Linux system.

sudo stands for "superuser do". The sudo utility is one of the most commonly used on Linux. It is very powerful, is installed on almost every UNIX- or Linux-based operating system, and is a core command on those systems. As a system command, it lets an ordinary user run a program or command with special privileges (usually as root) without switching environments.

By default on most Linux distributions, the ALL keyword in the RunAs specification of the /etc/sudoers file allows all users in the admin or sudo group to run any command as any valid user on the system.

However, Linux has a basic security paradigm: privilege separation. Administrators can configure the sudoers file to specify which users can run which commands.

Thus, even if a user has been restricted from running a specific command, or any command, as root, the vulnerability could allow the user to bypass this security policy and completely take over the system.

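The sudo developers said: "Even if the RunAs specification explicitly disallows root access, a user with sudo privileges can use it to run arbitrary commands as root if the ALL keyword is listed first in the Runas specification."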

How is the vulnerability exploited? Sudo User ID -1 or 4294967295

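The vulnerability was reportedly tracked down and discovered by Joe Vennix of Apple Information Security (its CVE ID is CVE-2019-14287). To exploit it, you only need to run sudo in the following way: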

sudo -u#-1 id -u

or

sudo -u#4294967295 id -u

However, as we can see, there is a precondition here: your security policy must be set as follows:

eviluser = (ALL, !root) /usr/bin/vi

This eviluser can then run vi as root with the command sudo -u#-1 vi.

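The vulnerability arises because the function that converts a user ID to a user name mistakes -1 (or its invalid equivalent 4294967295) for 0, which happens to be the user ID of root. In addition, because the user ID specified with the -u option does not exist in the password database, no PAM session modules are run.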

Finally, upgrade sudo to the latest version, 1.8.28, which was released today! The vulnerability affects all versions prior to 1.8.28.
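
To check whether a host meets both conditions described above (a sudo version before 1.8.28 and a Runas list that combines ALL with a negated root), the following audit sketch can help. It is an added example, not code from the article or the sudo project; the function names and the sample sudoers text are constructed for illustration, and it only inspects single-line rules (no includes or line continuations).

```python
import re

FIXED = (1, 8, 28)  # first fixed sudo release, per the article
NEGATED_ROOT = {"!root", "!#0"}  # root excluded by name or by numeric ID
RUNAS = re.compile(r"=\s*\(([^)]*)\)")  # text inside "= ( ... )"

# Constructed sample sudoers content, not taken from a real host.
SAMPLE_SUDOERS = """\
# constructed sample
root      ALL = (ALL:ALL) ALL
eviluser  ALL = (ALL, !root) /usr/bin/vi
backup    ALL = (operator) /usr/bin/rsync
dba       ALL = (ALL, !#0 : ALL) /usr/bin/psql
%sudo     ALL = (ALL:ALL) ALL
"""

def parse_version(text):
    """Extract (major, minor, patch) from e.g. 'Sudo version 1.8.27' or '1.8.21p2'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"no sudo version found in {text!r}")
    return tuple(int(part) for part in m.groups())

def is_affected_version(text):
    """True when the upstream version number is older than 1.8.28."""
    return parse_version(text) < FIXED

def risky_rules(sudoers_text):
    """Return (lineno, rule) for rules whose Runas user list has ALL plus a negated root."""
    hits = []
    for lineno, raw in enumerate(sudoers_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line, comment or #include directive
        for runas in RUNAS.findall(line):
            # Keep only the user part of "(users : groups)" and drop whitespace.
            users = {"".join(u.split()) for u in runas.split(":")[0].split(",")}
            if "ALL" in users and users & NEGATED_ROOT:
                hits.append((lineno, line))
                break
    return hits

if __name__ == "__main__":
    print("affected version:", is_affected_version("Sudo version 1.8.27"))
    for lineno, line in risky_rules(SAMPLE_SUDOERS):
        print(f"line {lineno}: {line}")
```

The version check compares upstream version numbers only; a distribution package may carry a backported fix under an older number, so confirm against the vendor's advisory.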


Origin www.oschina.net/news/110582/linux-sudo-run-as-root-flaw