CVE-2019-18634

Sudo 1.8.25p - 'pwfeedback' Buffer Overflow (PoC)

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS; however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c.

En Sudo anterior a la versión 1.8.26, si pwfeedback está habilitado en / etc / sudoers, los usuarios pueden desencadenar un desbordamiento de búfer basado en pila en el proceso de sudo privilegiado. (pwfeedback es una configuración predeterminada en Linux Mint y sistema operativo elemental; sin embargo, NO es el valor predeterminado para paquetes ascendentes y muchos otros, y existiría solo si lo habilita un administrador). El atacante debe entregar una cadena larga al stdin de getln () en tgetpass.c.

A flaw was found in the Sudo application when the ’pwfeedback' option is set to true on the sudoers file. An authenticated user can use this vulnerability to trigger a stack-based buffer overflow under certain conditions even without Sudo privileges. The buffer overflow may allow an attacker to expose or corrupt memory information, crash the Sudo application, or possibly inject code to be run as a root user.

Sudo version 1.8.25p suffers from a buffer overflow vulnerability.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-10-30 CVE Reserved
2020-01-29 CVE Published
2020-02-04 First Exploit
2024-03-25 EPSS Updated
2024-08-05 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-121: Stack-based Buffer Overflow
CWE-787: Out-of-bounds Write

CAPEC

References (37)

URL	Tag	Source
http://packetstormsecurity.com/files/156174/Slackware-Security-Advisory-sudo-Updates.html	Third Party Advisory
http://packetstormsecurity.com/files/156189/Sudo-1.8.25p-Buffer-Overflow.html	Third Party Advisory
http://seclists.org/fulldisclosure/2020/Jan/40	Mailing List
http://www.openwall.com/lists/oss-security/2020/01/30/6	Mailing List
http://www.openwall.com/lists/oss-security/2020/01/31/1	Mailing List
http://www.openwall.com/lists/oss-security/2020/02/05/2	Mailing List
https://lists.debian.org/debian-lts-announce/2020/02/msg00002.html	Mailing List
https://seclists.org/bugtraq/2020/Feb/2	Mailing List
https://seclists.org/bugtraq/2020/Feb/3	Mailing List
https://seclists.org/bugtraq/2020/Jan/44	Mailing List
https://security.netapp.com/advisory/ntap-20200210-0001	X_refsource_confirm
https://support.apple.com/kb/HT210919	Third Party Advisory

URL	Date	SRC
https://www.exploit-db.com/exploits/47995	2020-02-04
https://www.exploit-db.com/exploits/48052	2020-02-06
https://github.com/Plazmaz/CVE-2019-18634	2020-02-19
https://github.com/aesophor/CVE-2019-18634	2021-08-14
https://github.com/N1et/CVE-2019-18634	2021-08-11
https://github.com/ptef/CVE-2019-18634	2022-11-07
https://github.com/paras1te-x/CVE-2019-18634	2021-04-27
https://github.com/chanbakjsd/CVE-2019-18634	2024-04-14
https://github.com/DDayLuong/CVE-2019-18634	2023-12-27
http://www.openwall.com/lists/oss-security/2020/02/05/5	2024-08-05
https://www.sudo.ws/alerts/pwfeedback.html	2024-08-05

URL	Date	SRC

URL	Date	SRC
http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00029.html	2023-11-07
https://access.redhat.com/errata/RHSA-2020:0487	2023-11-07
https://access.redhat.com/errata/RHSA-2020:0509	2023-11-07
https://access.redhat.com/errata/RHSA-2020:0540	2023-11-07
https://access.redhat.com/errata/RHSA-2020:0726	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I6TKF36KOQUVJNBHSVJFA7BU3CCEYD2F	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC	2023-11-07
https://security.gentoo.org/glsa/202003-12	2023-11-07
https://usn.ubuntu.com/4263-1	2023-11-07
https://usn.ubuntu.com/4263-2	2023-11-07
https://www.debian.org/security/2020/dsa-4614	2023-11-07
https://www.sudo.ws/security.html	2023-11-07
https://access.redhat.com/security/cve/CVE-2019-18634	2020-03-05
https://bugzilla.redhat.com/show_bug.cgi?id=1796944	2020-03-05

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Sudo Project Search vendor "Sudo Project"		Sudo Search vendor "Sudo Project" for product "Sudo"				>= 1.7.1 < 1.8.26 Search vendor "Sudo Project" for product "Sudo" and version " >= 1.7.1 < 1.8.26"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected