Title: Unsigned int in sudo Allows Linux Privilege Escalation
Date: Tuesday October 15 2019, @03:20PM
Author: martyb
from the Ruh-Roh dept.
We had two Soylentils write in to inform us of a serious bug in sudo.
See the sudo advisory Potential bypass of Runas user restrictions and CVE-2019-14287 for examples and details.
Time to fire up your favorite package manager. Joe Vennix, a researcher from Apple, has discovered that an unsigned variable was used for the uid in sudo prior to version 1.8.28, allowing a user to specify -1 or 4294967295 as the uid. This then defaults to uid 0, but since this doesn't exist in the database, no PAM modules are run. This only works for users with sudo rights, but it works even if root is explicitly prohibited. See CVE-2019-14287 for more details.
A freshly-discovered bug in sudo allows escalation to root for any entries with runas ALL configured. The bug has been present for years.
https://seclists.org/oss-sec/2019/q4/18
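The submissions above describe an integer-conversion flaw: a uid supplied as "-1" or "4294967295" lands in an unsigned uid_t as the value (uid_t)-1, which setresuid(2) treats as "leave unchanged". The following added illustration (not sudo's own code) shows a naive uid parser beside a hardened one that rejects negatives, out-of-range values and that sentinel; it assumes a 32-bit unsigned uid_t as on Linux.

```c
/* Illustration of the uid_t conversion issue behind CVE-2019-14287.
 * Added example, not sudo's code. Assumes uid_t is a 32-bit unsigned int. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Shared: parse a decimal string fully, or fail. */
static bool parse_ll(const char *s, long long *v) {
    char *end;
    errno = 0;
    *v = strtoll(s, &end, 10);
    return errno == 0 && end != s && *end == '\0';
}

/* Naive: the signed result is stored straight into an unsigned uid_t,
 * so "-1" silently wraps to 4294967295, i.e. (uid_t)-1. */
bool parse_uid_naive(const char *s, uid_t *out) {
    long long v;
    if (!parse_ll(s, &v))
        return false;
    *out = (uid_t)v;
    return true;
}

/* Hardened: refuse negatives, values above the uid_t range, and the
 * (uid_t)-1 sentinel that the set*uid() calls interpret as "no change". */
bool parse_uid_checked(const char *s, uid_t *out) {
    long long v;
    if (!parse_ll(s, &v))
        return false;
    if (v < 0 || v > (long long)UINT32_MAX)
        return false;
    if ((uid_t)v == (uid_t)-1)
        return false;
    *out = (uid_t)v;
    return true;
}

int main(void) {
    const char *inputs[] = { "1000", "-1", "4294967295" };   /* constructed */
    for (size_t i = 0; i < 3; i++) {
        uid_t n = 0, c = 0;
        bool okn = parse_uid_naive(inputs[i], &n);
        bool okc = parse_uid_checked(inputs[i], &c);
        printf("%-11s naive: %s uid=%u   checked: %s\n", inputs[i],
               okn ? "accept" : "reject", (unsigned)n, okc ? "accept" : "reject");
    }
    return 0;
}
```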
printed from SoylentNews, Unsigned int in sudo Allows Linux Privilege Escalation on 2024-04-19 05:43:59