According to Qualys’ report, a new Sudo bug was discovered and patched in the Sudo v1.9.5p2 release. The vulnerability’s CVE identifier is CVE-2021-3156, but it is commonly known as “Baron Samedit”. According to the Sudo team’s announcement, the vulnerability can be exploited by a low-privileged user to gain root access, even if that user is not listed in the configuration file that specifies which users are allowed to use the su or sudo commands.
Technical details
According to the details shared by Qualys, when sudo runs a command in shell mode, either via the -s or -i command-line option, it escapes special characters in the command’s arguments with a backslash. The sudoers policy plugin then removes those escape characters from the arguments before evaluating the sudoers policy.
Since sudo has already escaped all the backslashes in the command’s arguments, removing them again on its own would be harmless. However, due to another bug, it is possible to run sudoedit with either the -s or -i option, which sets the flag indicating that shell mode is enabled even though sudoedit does not run a command. The code that decides whether to remove the escape characters did not check whether a command was actually being run, only that the shell flag was set, so the plugin stripped backslashes from arguments that had never been escaped.
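The escape/unescape mismatch described above, modelled in Python as an added illustration (this is not sudo’s own code; the set of “special” characters, the function names and the sample arguments are assumptions made for the demonstration):

```python
import re

# Assumption for the demo: every non-alphanumeric character counts as "special".
SPECIAL = re.compile(r"[^A-Za-z0-9_]")


def escape_args(args):
    """Front end in shell mode (-s/-i): prefix each special character with a backslash."""
    return [SPECIAL.sub(lambda m: "\\" + m.group(0), a) for a in args]


def unescape_args(args):
    """Policy plugin: drop each backslash and keep the character it protected."""
    result = []
    for arg in args:
        out, i = [], 0
        while i < len(arg):
            if arg[i] == "\\" and i + 1 < len(arg):
                i += 1  # skip the backslash, copy the character it escaped
            out.append(arg[i])
            i += 1
        result.append("".join(out))
    return result


def policy_view(args, shell_flag, running_command, fixed):
    """Return the arguments as the sudoers policy would see them.

    The front end escapes only when it is about to run a command. The buggy
    plugin unescapes whenever the shell flag is set; the fixed plugin unescapes
    only when a command is really being run, so the two steps always pair up.
    """
    seen = escape_args(args) if (shell_flag and running_command) else list(args)
    do_unescape = shell_flag and (running_command if fixed else True)
    return unescape_args(seen) if do_unescape else seen


# Constructed sample argv: the user never escaped anything here.
USER_ARGS = ["/etc/hosts", "a\\b"]


def mismatch(fixed):
    """True when sudoedit -s (shell flag set, no command run) alters the arguments."""
    view = policy_view(USER_ARGS, shell_flag=True, running_command=False, fixed=fixed)
    return view != USER_ARGS
```

With the unconditional check the backslash in `a\b` is consumed although it was never added by sudo; with the "is a command really being run" check the arguments pass through unchanged.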