Linux sudo bug allows running commands as root
A flaw in the sudo Linux command has been discovered, which may allow non-privileged users to execute commands as root. Thankfully, this vulnerability only works in non-standard configurations and most Linux servers are unaffected.
Before learning about the vulnerability, it is important to have some basic information about how the sudo command works and how it is configured.
Learn about the sudo command
When executing commands on a Linux operating system, unprivileged users can use the sudo (super user do) command to execute commands as root, as long as they have been granted permission or know the root user's password.
The sudo command can also be configured to allow users to run commands as a different user, by adding special directives to the /etc/sudoers configuration file.
For example, the following directives allow the user 'test' to run the commands /usr/bin/vim and /usr/bin/id as any user other than root.
test ALL = (ALL, !root) /usr/bin/vim
test ALL = (ALL, !root) /usr/bin/id
For user 'test' to execute one of the commands above, they use the sudo command with the -u parameter to specify the user to run the command as. For example, the following command will launch VIM as the 'bleeping-test' user.
sudo -u bleeping-test vim
When creating users in Linux, each user is provided with a UID. As seen below, user 'test' has a UID of 1001 and 'bleeping-test' has a UID of 1002.
The user can use these UIDs instead of the user name when launching the sudo command. For example, the command below will again launch VIM as the 'bleeping-test' user, but this time by providing that user's UID.
sudo -u#1002 vim
Sudo flaw
Apple security researcher Joe Vennix discovered a bug that allowed users to run a sudo command as root by specifying the UID -1 or 4294967295 in the sudo command.
For example, the following command could use this bug to launch /usr/bin/id as root, even though the user 'test' was denied this in /etc/sudoers.
sudo -u#-1 id
Using this bug with the /usr/bin/id command to gain root privileges is illustrated below.
Although this bug is very serious, it is important to remember that it can only work if the user is granted access to the command through the sudoers configuration file. If not (and most Linux distributions do not do so by default), then this bug will have no effect.
Create an attack
To actually exploit this vulnerability, the user must have a sudoers directive configured for a command that is able to launch other commands.
In the sudoers directive example above, we have such a command: VIM!
test ALL = (ALL, !root) /usr/bin/vim
Once in VIM, users can launch another program using the :! command. For example, in VIM you can enter !ls to execute the ls command in the current directory.
If you use the command sudo -u#-1 vim to exploit this vulnerability, VIM will be launched as root. You can then confirm this by executing the !whoami command.
Now that VIM is launched as root, any command executed from it is also run as root.
This can easily be used to launch a root shell which can then execute any command you want on the compromised system. This attack is illustrated in the image below.
Although this bug is obviously very serious, it can only be used in non-standard configurations that will not affect the vast majority of Linux users.
If you use sudoers directives for your users, you should upgrade to sudo 1.8.28 or later as soon as possible.
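A defender-side check for the configuration described in this article, added here as an example (it is not code from the original article or from the sudo project): it flags sudoers rules whose Runas list is ALL with root negated, and compares the first line of sudo -V output against 1.8.28. The sample sudoers text, the 'ops' and 'web' rules and the function names are constructed for illustration; Runas aliases and included files are not resolved.

```python
import re

FIXED = (1, 8, 28)  # first fixed release named in the article

# Constructed sample, modelled on the directives shown in the article.
SAMPLE_SUDOERS = """\
# constructed sample sudoers content
root  ALL = (ALL:ALL) ALL
test  ALL = (ALL, !root) /usr/bin/vim
test  ALL = (ALL, !root) /usr/bin/id
ops   ALL = (ALL, !#0) NOPASSWD: /usr/bin/less
web   ALL = (www-data) /usr/bin/systemctl restart nginx
"""

RUNAS = re.compile(r"\(([^)]*)\)")
ROOT_NEGATIONS = {"!root", "!#0"}  # root excluded by name or by UID


def risky_runas_rules(sudoers_text):
    """Return (line_no, rule) for rules whose Runas user list is 'ALL minus root'."""
    findings = []
    for line_no, raw in enumerate(sudoers_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # blank line, comment/include, or not a user specification
        spec = line.split("=", 1)[1]
        for runas in RUNAS.findall(spec):
            users = runas.split(":", 1)[0]  # drop the optional Runas group list
            entries = {"".join(e.split()) for e in users.split(",")}
            if "ALL" in entries and entries & ROOT_NEGATIONS:
                findings.append((line_no, line))
                break
    return findings


def sudo_is_patched(version_banner):
    """Parse a 'Sudo version X.Y.Z' banner and compare it with 1.8.28."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_banner)
    if not m:
        raise ValueError("no version number found")
    return tuple(int(p) for p in m.groups()) >= FIXED


if __name__ == "__main__":
    for line_no, rule in risky_runas_rules(SAMPLE_SUDOERS):
        print(f"line {line_no}: {rule}")
    print("patched:", sudo_is_patched("Sudo version 1.8.27"))
```

On a real host, pass the contents of /etc/sudoers and each file under its include directories to risky_runas_rules, and review every flagged rule even after upgrading.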