CVSS: 2.5EPSS: 0%CPEs: 8EXPL: 1CVE-2021-23239 – sudo: possible directory existence test due to race condition in sudoedit
https://notcve.org/view.php?id=CVE-2021-23239
The sudoedit personality of Sudo before 1.9.5 may allow a local unprivileged user to perform arbitrary directory-existence tests by winning a sudo_edit.c race condition in replacing a user-controlled directory by a symlink to an arbitrary path. La personalidad sudoedit de Sudo versiones anteriores a 1.9.5, puede permitir a un usuario local poco privilegiado llevar a cabo pruebas arbitrarias de existencia de directorio al ganar una condición de carrera en el archivo sudo_edit.c al reemplazar un directorio controlado por el usuario por un enlace simbólico a una ruta arbitraria A flaw was found in sudoedit. A race condition vulnerability and improper symbolic link resolution could be used by a local unprivileged user to test for the existence of directories and files not normally accessible to the user. This flaw cannot be used to read the content or write to arbitrary files on the file system. The highest threat from this vulnerability is to data confidentiality. • https://bugzilla.suse.com/show_bug.cgi?id=CVE-2021-23239 https://lists.debian.org/debian-lts-announce/2022/11/msg00007.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EE42Y35SMJOLONAIBNYNFC7J44UUZ2Y6 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GMY4VSSBIND7VAYSN6T7XIWJRWG4GBB3 https://security.gentoo.org/glsa/202101-33 https://security.netapp.com/advisory/ntap-20210129-0010 https://www.sudo.ws/stable.html#1.9.5 h • CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE-203: Observable Discrepancy •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 11CVE-2019-18634 – Sudo 1.8.25p - 'pwfeedback' Buffer Overflow (PoC)
https://notcve.org/view.php?id=CVE-2019-18634
In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS; however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c. En Sudo anterior a la versión 1.8.26, si pwfeedback está habilitado en / etc / sudoers, los usuarios pueden desencadenar un desbordamiento de búfer basado en pila en el proceso de sudo privilegiado. (pwfeedback es una configuración predeterminada en Linux Mint y sistema operativo elemental; sin embargo, NO es el valor predeterminado para paquetes ascendentes y muchos otros, y existiría solo si lo habilita un administrador). • https://www.exploit-db.com/exploits/47995 https://www.exploit-db.com/exploits/48052 https://github.com/Plazmaz/CVE-2019-18634 https://github.com/aesophor/CVE-2019-18634 https://github.com/N1et/CVE-2019-18634 https://github.com/ptef/CVE-2019-18634 https://github.com/paras1te-x/CVE-2019-18634 https://github.com/chanbakjsd/CVE-2019-18634 https://github.com/DDayLuong/CVE-2019-18634 http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00029.html http://pa • CWE-121: Stack-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-19232 – sudo: attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user
https://notcve.org/view.php?id=CVE-2019-19232
In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions ** EN DISPUTA ** En Sudo hasta 1.8.29, un atacante con acceso a una cuenta de sudoer Runas ALL puede suplantar a un usuario inexistente invocando sudo con un uid numérico que no está asociado con ningún usuario. NOTA: El responsable del software cree que esto no es una vulnerabilidad porque ejecutar un comando a través de sudo como un usuario que no está presente en la base de datos de contraseñas local es una característica intencional. • http://seclists.org/fulldisclosure/2020/Mar/31 https://access.redhat.com/security/cve/cve-2019-19232 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I6TKF36KOQUVJNBHSVJFA7BU3CCEYD2F https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58103 https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58812 https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs • CWE-284: Improper Access Control •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-19234 – sudo: by using ! character in the shadow file instead of a password hash can access to a run as all sudoer account
https://notcve.org/view.php?id=CVE-2019-19234
In Sudo through 1.8.29, the fact that a user has been blocked (e.g., by using the ! character in the shadow file instead of a password hash) is not considered, allowing an attacker (who has access to a Runas ALL sudoer account) to impersonate any blocked user. NOTE: The software maintainer believes that this CVE is not valid. Disabling local password authentication for a user is not the same as disabling all access to that user--the user may still be able to login via other means (ssh key, kerberos, etc). Both the Linux shadow(5) and passwd(1) manuals are clear on this. • https://access.redhat.com/security/cve/cve-2019-19234 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I6TKF36KOQUVJNBHSVJFA7BU3CCEYD2F https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58104 https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58473 https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58772 https://quickview.cloudapps.cisco.com/quickview& • CWE-284: Improper Access Control •
CVSS: 7.0EPSS: 0%CPEs: 1EXPL: 1CVE-2019-18684
https://notcve.org/view.php?id=CVE-2019-18684
Sudo through 1.8.29 allows local users to escalate to root if they have write access to file descriptor 3 of the sudo process. This occurs because of a race condition between determining a uid, and the setresuid and openat system calls. The attacker can write "ALL ALL=(ALL) NOPASSWD:ALL" to /proc/#####/fd/3 at a time when Sudo is prompting for a password. NOTE: This has been disputed due to the way Linux /proc works. It has been argued that writing to /proc/#####/fd/3 would only be viable if you had permission to write to /etc/sudoers. • https://gist.github.com/oxagast/51171aa161074188a11d96cbef884bbd • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •