SoylentNews
SoylentNews is people
https://soylentnews.org/

Title    Unsigned int in sudo Allows Linux Privilege Escalation
Date    Tuesday October 15 2019, @03:20PM
Author    martyb
Topic   
from the Ruh-Roh dept.
https://soylentnews.org/article.pl?sid=19/10/15/1517242

We had two Soylentils write in to inform us of a serious bug in sudo.

See the web site "Potential bypass of Runas user restrictions" and CVE-2019-14287 for examples and details.

Unsigned int in sudo allows Linux privilege escalation

datapharmer writes:

Time to fire up your favorite package manager. Joe Vennix, a researcher from Apple, has discovered an unsigned variable was used for uid in sudo prior to version 1.8.28, allowing a user to specify -1 or 4294967295 as the uid. This then defaults to uid 0, but since this doesn't exist in the database no PAM modules are run. This only works for users with sudo rights, but works even if root is explicitly prohibited. See CVE-2019-14287 for more details.

sudo escalation - interesting bug

Anonymous Coward writes:

A freshly-discovered bug in sudo allows escalation to root for any entries with runas ALL configured. Bug has been present for years.

https://seclists.org/oss-sec/2019/q4/18


Original Submission #1, Original Submission #2
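
An added example, not part of the original story or of sudo's own code: a simplified Python audit that reports whether a sudo version predates 1.8.28 and which sudoers rules grant Runas ALL while excluding a user such as root, the configuration the submissions above describe. The function names and the sample sudoers text are constructed for illustration; Runas_Alias expansion, line continuations and included files are not handled.

```python
import re

FIXED = (1, 8, 28)  # per the article: sudo prior to 1.8.28 is affected

def sudo_is_affected(version: str) -> bool:
    """True if a version string such as '1.8.27' or '1.8.21p2' predates 1.8.28."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised sudo version: {version!r}")
    return tuple(map(int, m.groups())) < FIXED

# Matches a Runas spec "(users[:groups])"; group 1 is the user list.
RUNAS = re.compile(r"\(([^):]*)(?::[^)]*)?\)")

def restricted_all_entries(sudoers_text: str) -> list:
    """Return rules whose Runas user list contains ALL plus a negated entry.

    These rules rely on an exclusion (e.g. !root) that the bug bypasses.
    Simplified parser: see the assumptions listed in the lead-in.
    """
    hits = []
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # blank line, comment, or not a user specification
        if re.match(r"(Defaults|\w+_Alias)\b", line):
            continue  # settings and alias definitions carry no Runas spec
        for spec in RUNAS.finditer(line.split("=", 1)[1]):
            users = [u.strip() for u in spec.group(1).split(",") if u.strip()]
            if "ALL" in users and any(u.startswith("!") for u in users):
                hits.append(line)
                break
    return hits

# Constructed sample sudoers content (not from the article).
SAMPLE = """\
# constructed example
Defaults env_reset
alice  ALL = (ALL) ALL
bob    myhost = (ALL, !root) /usr/bin/vi
carol  ALL = (www-data) /usr/bin/systemctl restart nginx
dave   ALL = (ALL, !#0 : ALL) NOPASSWD: /usr/bin/id
"""

if __name__ == "__main__":
    for v in ("1.8.27", "1.8.28"):
        print(v, "affected" if sudo_is_affected(v) else "fixed")
    for rule in restricted_all_entries(SAMPLE):
        print("review:", rule)
```

On a real host, the version string comes from `sudo -V` and the rules from /etc/sudoers and the files it includes.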

Links

  1. "Potential bypass of Runas user restrictions" - https://www.sudo.ws/alerts/minus_1_uid.html
  2. "CVE-2019-14287" - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14287
  3. "datapharmer" - https://soylentnews.org/~datapharmer/
  4. "unsigned variable was used for uid in sudo" - https://thehackernews.com/2019/10/linux-sudo-run-as-root-flaw.html
  5. "Anonymous Coward" - http://n/a
  6. "Original Submission #1" - https://soylentnews.org/submit.pl?op=viewsub&subid=36843
  7. "Original Submission #2" - https://soylentnews.org/submit.pl?op=viewsub&subid=36846
