Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 697462 (CVE-2019-14287) - <app-admin/sudo-1.8.28: bypass of Runas user restrictions (CVE-2019-14287)
Summary: <app-admin/sudo-1.8.28: bypass of Runas user restrictions (CVE-2019-14287)
Status: IN_PROGRESS
Alias: CVE-2019-14287
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://www.sudo.ws/alerts/minus_1_ui...
Whiteboard: A1 [glsa? cleanup]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-10-10 22:03 UTC by Thomas Deutschmann
Modified: 2019-11-22 10:33 UTC (History)
1 user (show)

See Also:
Package list:
app-admin/sudo-1.8.28_p1-r2
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann gentoo-dev Security 2019-10-10 22:03:42 UTC
Incoming details.
Comment 1 Thomas Deutschmann gentoo-dev Security 2019-10-14 15:48:00 UTC
When sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295.

This can be used by a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access as long as the ALL keyword is listed first in the Runas specification.

Log entries for commands run this way will list the target user as 4294967295 instead of root. In addition, PAM session modules will not be run for the command.


Sudo versions affected:
=======================
Sudo versions prior to 1.8.28 are affected.


Details:
========
Exploiting the bug requires that the user have sudo privileges that allow them to run commands with an arbitrary user ID. Typically, this means that the user's sudoers entry has the special value ALL in the Runas specifier.

Sudo supports running a command with a user-specified user name or user ID, if permitted by the sudoers policy. For example, the following sudoers entry allow the id command to be run as any user because it includes the ALL keyword in the Runas specifier.

    myhost alice = (ALL) /usr/bin/id

Not only is user is able to run the id command as any valid user, she is also able to run it as an arbitrary user ID by using the #uid syntax, for example:

    sudo -u#1234 id -u

would return 1234. However, the setresuid(2) and setreuid(2) system calls, which sudo uses to change the user ID before running the command, treat user ID -1 (or its unsigned equivalent 4294967295), specially and do not change the user ID for this value. As a result,

    sudo -u#-1 id -u

or

    sudo -u#4294967295 id -u

will actually return 0. This is because the sudo command itself is already running as user ID 0 so when sudo tries to change to user ID -1, no change occurs.

This results in sudo log entries that report the command as being run by user ID 4294967295 and not root (or user ID 0). Additionally, because the user ID specified via the -u option does not exist in the password database, no PAM session modules will be run.

If a sudoers entry is written to allow the user to run a command as any user except root, the bug can be used to avoid this restriction. For example, given the following sudoers entry:

    myhost bob = (ALL, !root) /usr/bin/vi

User bob is allowed to run vi as any user but root. However, due to the bug, bob is actually able to run vi as root by running sudo -u#-1 vi, violating the security policy.

Only sudoers entries where the ALL keyword is present in the Runas specifier are affected. For example, the following sudoers entry is unaffected:

    myhost alice = /usr/bin/id

In this example, alice is only allowed to run the id command as root. Any attempt to run the command as a different user will be denied.


Fix:
====
The bug is fixed in sudo 1.8.28.
Comment 2 Larry the Git Cow gentoo-dev 2019-10-14 15:53:10 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bc0fe8604ba04929688ee6873ecdc6cec4ea22d1

commit bc0fe8604ba04929688ee6873ecdc6cec4ea22d1
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-10-14 15:52:33 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-10-14 15:52:33 +0000

    app-admin/sudo: bump to v1.8.28
    
    Bug: https://bugs.gentoo.org/697462
    Package-Manager: Portage-2.3.76, Repoman-2.3.17
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 app-admin/sudo/Manifest           |   1 +
 app-admin/sudo/sudo-1.8.28.ebuild | 251 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 252 insertions(+)
Comment 3 Thomas Deutschmann gentoo-dev Security 2019-10-14 20:56:16 UTC
x86 stable
Comment 4 Larry the Git Cow gentoo-dev 2019-10-14 23:36:02 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=491c3b2c497837cff2b3bc2d7da90154da353e41

commit 491c3b2c497837cff2b3bc2d7da90154da353e41
Author:     Richard Freeman <rich0@gentoo.org>
AuthorDate: 2019-10-14 23:35:47 +0000
Commit:     Richard Freeman <rich0@gentoo.org>
CommitDate: 2019-10-14 23:35:47 +0000

    app-admin/sudo: amd64 stable
    
    Bug: https://bugs.gentoo.org/697462
    Package-Manager: Portage-2.3.76, Repoman-2.3.16
    Signed-off-by: Richard Freeman <rich0@gentoo.org>

 app-admin/sudo/sudo-1.8.28.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 5 Agostino Sarubbo gentoo-dev 2019-10-17 09:28:43 UTC
s390 stable
Comment 6 Agostino Sarubbo gentoo-dev 2019-10-17 09:53:56 UTC
sparc stable
Comment 7 Agostino Sarubbo gentoo-dev 2019-10-17 10:26:01 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2019-10-17 10:30:15 UTC
ppc64 stable
Comment 9 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-10-18 01:56:05 UTC
arm64 stable
Comment 10 Rolf Eike Beer 2019-10-24 22:10:18 UTC
hppa stable
Comment 11 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-11-01 10:52:15 UTC
arm stable
Comment 12 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-11-02 08:11:00 UTC
sh stable
Comment 13 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-11-02 08:11:18 UTC
m68k stable
Comment 14 Matt Turner gentoo-dev 2019-11-09 22:58:41 UTC
alpha stable
Comment 15 Agostino Sarubbo gentoo-dev 2019-11-14 11:57:06 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 16 Larry the Git Cow gentoo-dev 2019-11-22 10:33:40 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=36ea8390dc830ff9e21c13519be217e74a5a6737

commit 36ea8390dc830ff9e21c13519be217e74a5a6737
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2019-11-22 10:30:19 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2019-11-22 10:33:33 +0000

    app-admin/sudo: Security cleanup
    
    Bug: https://bugs.gentoo.org/697462
    Package-Manager: Portage-2.3.79, Repoman-2.3.18
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 app-admin/sudo/Manifest              |   1 -
 app-admin/sudo/sudo-1.8.27-r1.ebuild | 252 -----------------------------------
 2 files changed, 253 deletions(-)