Sudo is a core command-line utility that comes pre-installed on macOS and on UNIX and Linux-based operating systems, which makes it a very important part of the system. Joe Vennix of the Apple security team has found an important vulnerability in Sudo that, under a specific configuration, could allow low-privileged users to execute arbitrary commands with root privileges. The privilege escalation vulnerability is tracked as CVE-2019-18634.
Vennix noted that the vulnerability can only be exploited when the “pwfeedback” option is enabled in the sudoers configuration file. This feature provides visual feedback, an asterisk (*), when a user types a password in the terminal. Fortunately, pwfeedback is not enabled by default in the upstream version of Sudo, but some Linux distributions enable it in their default sudoers files. Users can check whether pwfeedback is enabled by running the “sudo -l” command in the terminal. Sudo versions 1.7.1 to 1.8.25p1 inclusive are affected. Version 1.8.30 is not exploitable due to a change in EOF handling introduced in Sudo 1.8.26.
Sudo developer Todd Miller explained in a post,
“Exploiting the bug does not require sudo permissions, merely that pwfeedback be enabled. The bug can be reproduced by passing a large input to Sudo via a pipe when it prompts for a password. The pwfeedback option is not ignored, as it should be when reading from something other than a terminal device. Due to the lack of a terminal, the saved version of the line erase character remains at its initialized value of 0. The code that erases the line of asterisks does not properly reset the buffer position if there is a write error, but it does reset the remaining buffer length. As a result, the getln() function can write past the end of the buffer.”
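The two checks described above, the version range and the pwfeedback option shown by `sudo -l`, combined into one audit helper. This is an added example, not code from the article or from the Sudo project; the `sudo -l` output it parses is constructed sample text, and the version bounds are taken from the article.

```python
import re

# Affected range as stated in the article: Sudo 1.7.1 through 1.8.25p1 inclusive
# (1.8.26 and later are not exploitable because of the EOF-handling change).
AFFECTED_MIN = (1, 7, 1, 0)
AFFECTED_MAX = (1, 8, 25, 1)

def parse_sudo_version(text):
    """Turn '1.8.25p1', or the first line of `sudo -V` ('Sudo version 1.8.21p2'),
    into a comparable tuple (major, minor, patch, p-level); no 'pN' suffix means 0."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text)
    if not m:
        raise ValueError("no sudo version found in %r" % text)
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))

def version_in_affected_range(text):
    return AFFECTED_MIN <= parse_sudo_version(text) <= AFFECTED_MAX

def pwfeedback_enabled(sudo_l_output):
    """Scan the indented 'Matching Defaults entries' block of `sudo -l` output.
    Options are comma-separated; '!pwfeedback' negates, and the last mention wins."""
    enabled = False
    in_defaults = False
    for line in sudo_l_output.splitlines():
        if line.startswith("Matching Defaults entries"):
            in_defaults = True
            continue
        if in_defaults and not line.startswith((" ", "\t")):
            break  # the indented continuation lines have ended
        if in_defaults:
            for opt in (o.strip() for o in line.split(",")):
                if opt == "pwfeedback":
                    enabled = True
                elif opt == "!pwfeedback":
                    enabled = False
    return enabled

def at_risk(sudo_version_text, sudo_l_output):
    """Both advisory conditions must hold: affected build and pwfeedback in effect."""
    return version_in_affected_range(sudo_version_text) and pwfeedback_enabled(sudo_l_output)

# Constructed sample `sudo -l` output, not captured from a real host.
SAMPLE_SUDO_L = """Matching Defaults entries for alice on lab-host:
    env_reset, pwfeedback, mail_badpass, secure_path=/usr/sbin\\:/usr/bin\\:/bin

User alice may run the following commands on lab-host:
    (ALL : ALL) ALL
"""
```

On a host being audited, feed `at_risk` the first line of `sudo -V` and the full `sudo -l` output; a True result means both conditions from the advisory hold, and the fix is either upgrading Sudo or removing pwfeedback from the Defaults.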