Sudo bug allows Linux and Mac users to execute arbitrary commands as root

Joe Vennix of Apple Security has discovered a vulnerability in the sudo utility that allows low-privileged users or malicious programs to execute arbitrary commands with administrative privileges under certain configurations.

For your information, the sudo utility is a core command pre-installed on macOS and on UNIX- or Linux-based operating systems. It allows users to run applications or commands with the privileges of a different user without switching environments.

The new vulnerability, tracked as CVE-2019-18634, resides in sudo versions before 1.8.26. According to Vennix, the flaw can only be exploited when the pwfeedback option is enabled. Note that this option is not enabled by default in upstream sudo or in many distribution packages; however, some Linux distributions do enable it by default in the sudoers file. If pwfeedback is enabled, any user can exploit the vulnerability, even without having been granted sudo permissions.

Sudo developer Todd C. Miller explained:

“The bug can be reproduced by passing a large input to sudo via a pipe when it prompts for a password. Because the attacker has complete control of the data used to overflow the buffer, there is a high likelihood of exploitability.”

To check whether your sudoers configuration is affected, run the “sudo -l” command in your terminal and look for the pwfeedback option in the output. If it is listed as enabled, you can disable it by changing “Defaults pwfeedback” to “Defaults !pwfeedback” in the sudoers file.

Vennix reported the vulnerability to sudo’s maintainers, who released sudo version 1.8.31 with a patch.

Miller said, “While the logic bug is also present in sudo versions 1.8.26 through 1.8.30, it is not exploitable due to a change in EOF handling introduced in sudo 1.8.26.”
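The check and the fix described above, together with the 1.8.31 version boundary, can be scripted for fleet-wide auditing. The POSIX shell script below is an added example, not code from the article or from the sudo project: one function parses “sudo -l” output for an un-negated pwfeedback entry, one compares the installed version against 1.8.31, and one rewrites a sudoers fragment so the option is negated. The “sudo -l” output and sudoers lines are constructed samples, and audit_live is a hypothetical wrapper that runs the same checks against the real host.

```shell
#!/bin/sh
# Added example, not from the article or the sudo project: helpers for
# auditing a host against CVE-2019-18634 (pwfeedback buffer overflow).

# Constructed `sudo -l` output for a host with pwfeedback enabled.
SAMPLE_SUDO_L_ENABLED='Matching Defaults entries for alice on host:
    env_reset, pwfeedback, mail_badpass, secure_path=/usr/local/sbin:/usr/bin

User alice may run the following commands on host:
    (ALL : ALL) ALL'

# Constructed `sudo -l` output after the option has been negated.
SAMPLE_SUDO_L_DISABLED='Matching Defaults entries for alice on host:
    env_reset, !pwfeedback, mail_badpass

User alice may run the following commands on host:
    (ALL : ALL) ALL'

# Constructed sudoers fragment with the option turned on inside a Defaults list.
SAMPLE_SUDOERS='Defaults env_reset,pwfeedback
Defaults mail_badpass
root ALL=(ALL:ALL) ALL'

# pwfeedback_enabled TEXT
# Exit 0 if TEXT (the output of `sudo -l`) lists pwfeedback, un-negated, among
# the "Matching Defaults entries"; exit 1 otherwise.  A leading "!" means the
# option is off, so "!pwfeedback" must not count as a hit.
pwfeedback_enabled() {
    printf '%s\n' "$1" | awk '
        /^Matching Defaults entries/ { in_defaults = 1; next }
        /^[A-Za-z]/                  { in_defaults = 0 }
        in_defaults && /(^|[ \t,])pwfeedback([ \t,]|$)/ { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# sudo_fixed VERSION
# Exit 0 if VERSION is 1.8.31 or newer (the release the article names as
# carrying the fix), exit 1 otherwise.  Accepts "1.8.21p2"-style strings.
sudo_fixed() {
    printf '%s\n' "$1" | awk -F'[.p]' '{
        maj = $1 + 0; min = $2 + 0; pat = $3 + 0
        if (maj > 1 || (maj == 1 && (min > 8 || (min == 8 && pat >= 31)))) exit 0
        exit 1
    }'
}

# harden_sudoers TEXT
# Print TEXT with every un-negated pwfeedback on a Defaults line rewritten to
# !pwfeedback.  Apply the result with visudo rather than editing /etc/sudoers
# in place, so a syntax error cannot lock you out of sudo.
harden_sudoers() {
    printf '%s\n' "$1" | sed -E \
        '/^[[:space:]]*Defaults/ s/(^|[[:space:],])pwfeedback([[:space:],]|$)/\1!pwfeedback\2/g'
}

# audit_live: hypothetical wrapper that runs the same checks on the real host.
# Not called below, so the sample run stays offline and prompt-free.
audit_live() {
    ver=$(sudo -V 2>/dev/null | sed -n 's/^Sudo version //p')
    if sudo_fixed "$ver"; then
        echo "sudo $ver: fixed release"
    else
        echo "sudo $ver: older than 1.8.31, update"
    fi
    if pwfeedback_enabled "$(sudo -l 2>/dev/null)"; then
        echo "pwfeedback is enabled: set 'Defaults !pwfeedback' via visudo"
    else
        echo "pwfeedback is not enabled"
    fi
}

# Sample run on the constructed data.
if pwfeedback_enabled "$SAMPLE_SUDO_L_ENABLED"; then
    echo "sample host: pwfeedback enabled; hardened sudoers fragment:"
    harden_sudoers "$SAMPLE_SUDOERS"
fi
```

The parser only looks inside the “Matching Defaults entries” section, because pwfeedback may also appear in per-command entries further down, and it treats “!pwfeedback” as off, matching how sudoers negation works. The version check treats 1.8.31 as the floor for “fixed” as the article states; hosts in the 1.8.26 to 1.8.30 range still carry the logic bug, so updating rather than relying on the EOF-handling change is the safer policy.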

Apple also released a patch last week for macOS High Sierra 10.13.6, macOS Mojave 10.14.6 and macOS Catalina 10.15.2.